MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45a06b5df9399d30763bef3a66104bf4ae7ddf37dd031ff47effab20ac321acc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 9


Intelligence 9 IOCs YARA 57 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45a06b5df9399d30763bef3a66104bf4ae7ddf37dd031ff47effab20ac321acc
SHA3-384 hash: 59cb9adbc5b37f7ba8c8225dc3f0d15fa75e0f985ab50c3cd2b0a48a446c01a84e61f2334d41f73f6eac5a2271d566a0
SHA1 hash: 5af307760e936d3a75819fe522a82e8989d46386
MD5 hash: 53ba62ba54922e86f34b58d3574c8401
humanhash: sad-fruit-autumn-fanta
File name:mohs.zip
Download: download sample
Signature NetSupport
Create hunting rule
File size:11'683'381 bytes
First seen:2025-07-16 03:44:14 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 196608:2P6GPDB52TPhK0O39fZBj5JdqJOtdJ/nDUpoXz+7rZkAgul1zcFKDMacwpSwfOdF:2P6eMwfzPdndJ/nDUpm+7a4fcY9pSwUR
TLSH T1D0C6338E5C37F4A5E5516E9B4C882DA4E6B9C8DE0483C8399D31DF06D6E6A103B4CF36
TrID 66.6% (.FB2K-COMPONENT) foobar2000 component (8000/1/2)
33.3% (.ZIP) ZIP compressed archive (4000/1)
Magika zip
Reporter skocherhan
Tags:185-163-45-87 NetSupport sos-atlanta-com zip


Avatar
skocherhan
https://sos-atlanta.com/mohs.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
27
Origin country :
GB GB
File Archive Information

This file archive contains 21 file(s), sorted by their relevance:

File name:nskbfltr.inf
File size:328 bytes
SHA256 hash: d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368
MD5 hash: 26e28c01461f7e65c402bdf09923d435
MIME type:application/x-setupscript
Signature NetSupport
File name:HTCTL32.DLL
File size:328'056 bytes
SHA256 hash: edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
MD5 hash: 2d3b207c8a48148296156e5725426c7f
MIME type:application/x-dosexec
Signature NetSupport
File name:VBoxNetDHCP.dll
File size:381'344 bytes
SHA256 hash: 4acbbe466c6a15e135b3cb9a7b3147f963b6f3a48bb1047b72b965995cf4e215
MD5 hash: e653eab3543913e7b144e846b8afe519
MIME type:application/x-dosexec
Signature NetSupport
File name:TCCTL32.DLL
File size:396'664 bytes
SHA256 hash: 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
MD5 hash: eab603d12705752e3d268d86dff74ed4
MIME type:application/x-dosexec
Signature NetSupport
File name:NSM.ini
File size:6'458 bytes
SHA256 hash: 60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92
MD5 hash: 88b1dab8f4fd1ae879685995c90bd902
MIME type:application/x-wine-extension-ini
Signature NetSupport
File name:VBoxProxyStub.dll
File size:958'800 bytes
SHA256 hash: 9f8e734a4310c26168758ede60a8ac2669f0fd901fad8c239cae64a4cf0c33e1
MD5 hash: 6f32b72f50a3516c05f7bea0ea9f7c91
MIME type:application/x-dosexec
Signature NetSupport
File name:libwavmodapi.dll
File size:5'190'968 bytes
SHA256 hash: f0703a2270707294e907eac19c3314376ad2ce122ef1adfd068f352b54c23074
MD5 hash: 63629604c082664d43d233d479aff447
MIME type:application/x-dosexec
Signature NetSupport
File name:client32.ini
File size:692 bytes
SHA256 hash: 0f995730e19c541b1de516058d6942351cbe1b451f50389606992f2defcb5663
MD5 hash: 2d1da0760ee710cdd697c704125a8b42
MIME type:text/plain
Signature NetSupport
File name:PCICHEK.DLL
File size:18'808 bytes
SHA256 hash: 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
MD5 hash: a0b9388c5f18e27266a31f8c5765b263
MIME type:application/x-dosexec
Signature NetSupport
File name:libwaresource.dll
File size:5'553'464 bytes
SHA256 hash: c32d430fb64082b3fac228e24c533b8925619ca05e54c9c7bf45e473cc92b5e4
MD5 hash: 3ce2fbc4c70cc304795b5f57bf3d2bcd
MIME type:application/x-dosexec
Signature NetSupport
File name:swscale-5.dll
File size:736'104 bytes
SHA256 hash: 45b04e563b3c2cb5a9074de18c80e362b5a1c4808ad86360a88ca873f8d9d429
MD5 hash: 5c77ca38e2dcf01d475443f4080f86d8
MIME type:application/x-dosexec
Signature NetSupport
File name:vccorlib120.dll
File size:356'528 bytes
SHA256 hash: 602add77cbd807d02306de1d0179cb71a908eecb11677116fc206a7e714ab6d6
MD5 hash: bdd8ae768dbf3e6c65d741cb3880b8a7
MIME type:application/x-dosexec
Signature NetSupport
File name:qtwebengine_resources_200p.pak
File size:781'396 bytes
SHA256 hash: deebba302acebfa268b317a57f56ba631325edbf053ff32a8d7832347d1ed44d
MD5 hash: 083950e31e62fd878a63f30d52c8602b
MIME type:application/octet-stream
Signature NetSupport
File name:msvcr100.dll
File size:773'968 bytes
SHA256 hash: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
MD5 hash: 0e37fbfa79d349d672456923ec5fbbe3
MIME type:application/x-dosexec
Signature NetSupport
File name:VBoxNetNAT.dll
File size:414'912 bytes
SHA256 hash: 5da714ded284362e5e7aae5c87f16e12a49db0f77e76e17cf0c95874d4dc0691
MD5 hash: 9c602cb950df3f168c71aba8f82e947c
MIME type:application/x-dosexec
Signature NetSupport
File name:pcicapi.dll
File size:33'144 bytes
SHA256 hash: 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
MD5 hash: dcde2248d19c778a41aa165866dd52d0
MIME type:application/x-dosexec
Signature NetSupport
File name:VBoxRes.dll
File size:846'688 bytes
SHA256 hash: aa16834c45017cc45b274494ff47771fedfd6c91f5e14490dfc2205c76cc5805
MD5 hash: a99714d613a950029661403f22b39497
MIME type:application/x-dosexec
Signature NetSupport
File name:PCICL32.DLL
File size:3'735'416 bytes
SHA256 hash: 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
MD5 hash: 00587238d16012152c2e951a087f2cc9
MIME type:application/x-dosexec
Signature NetSupport
File name:NSM.LIC
File size:257 bytes
SHA256 hash: ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54
MD5 hash: 390c964070626a64888d385c514f568e
MIME type:text/plain
Signature NetSupport
File name:client32.exe
File size:120'288 bytes
SHA256 hash: 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268
MD5 hash: ee75b57b9300aab96530503bfae8a2f2
MIME type:application/x-dosexec
Signature NetSupport
File name:remcmdstub.exe
File size:77'280 bytes
SHA256 hash: 6558b3307215c4b73fc96dc552213427fb9b28c0cb282fe6c38324f1e68e87d6
MD5 hash: 1768c9971cea4cc10c7dd45a5f8f022a
MIME type:application/x-dosexec
Signature NetSupport
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Program.RemoteAdmin.837.11410.22550.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BackDoor.RMS.153.29099.23692.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.23370.1523.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.3834.24092.UNOFFICIAL
Create hunting rule

PUA.Win.Tool.NetSupport-10022498-8
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.17585.19372.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.RA.587.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.26913.7397.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.931.832.15069.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6843280507b5e8c1cfe52dfe
Tags:
injection obfusc
Verdict:
Unknown
Threat level:
n/a  -.1.0/10
Confidence:
100%
Tags:
anti-debug expired-cert exploit fingerprint microsoft_visual_cc signed
Link:
https://www.filescan.io/uploads/6877202e7bc45bdee1adc669/reports/edb74521-cc66-4206-a875-c24d7b2a5da6/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/45a06b5df9399d30763bef3a66104bf4ae7ddf37dd031ff47effab20ac321acc
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/45a06b5df9399d30763bef3a66104bf4ae7ddf37dd031ff47effab20ac321acc
Score:
85%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/45a06b5df9399d30763bef3a66104bf4ae7ddf37dd031ff47effab20ac321acc
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PDB Path PE (Portable Executable) SVG Zip Archive
Link:
https://app.malva.re/file/53ba62ba54922e86f34b58d3574c8401
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45a06b5df9399d30763bef3a66104bf4ae7ddf37dd031ff47effab20ac321acc/
Verdict:
Malicious
Threat:
Script-INI.Spyware.NetSupportRAT
Link:
https://tip.neiki.dev/file/45a06b5df9399d30763bef3a66104bf4ae7ddf37dd031ff47effab20ac321acc
Threat name:
Win32.Trojan.Suschil
Create hunting rule
Status:
Malicious
First seen:
2025-07-15 23:11:50 UTC
File Type:
Binary (Archive)
Extracted files:
635
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwqgwxpzhgota5r3545gmecl6sxh3xzx3ubr75d676vsblbsdlga._file
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery rat
Link:
https://tria.ge/reports/250716-ensq1asth1/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45a06b5df9399d30763bef3a66104bf4ae7ddf37dd031ff47effab20ac321acc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NetSupportRAT_Config
Create hunting rule
Author:abuse.ch
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:html_auto_download_b64
Create hunting rule
Author:Tdawg
Description:html auto download
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NetSupport
Create hunting rule
Author:YungBinary
Description:Detects NetSupport Manager RAT on disk or in memory
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

zip 45a06b5df9399d30763bef3a66104bf4ae7ddf37dd031ff47effab20ac321acc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3584577/
  
Delivery method
Distributed via web download

Comments