MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5780d51463906b400b6759e06f01b60d1223c752594adf6801673e0562d4551b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5780d51463906b400b6759e06f01b60d1223c752594adf6801673e0562d4551b
SHA3-384 hash: e566131fc13de8e7f47383eb3ef4a72df38253a5e99c9c6f71123969b206638a15e0a9e3b45504daaecb29c76a6c6709
SHA1 hash: 4f1b7be7e6cf39ec2fb5212791bc5be97a2da2a1
MD5 hash: e93e9f575206636551460115655e39bc
humanhash: solar-ack-ack-orange
File name:file
Download: download sample
Signature NetSupport
Create hunting rule
File size:6'944'539 bytes
First seen:2025-10-08 04:04:35 UTC
Last seen:2025-10-09 04:09:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 196608:oP4mPjNSqQvj8kH2kE9L9afgYq+r/o97pSzGlW:oP4CNSBvj1FE9gYQ7SpK
Threatray 891 similar samples on MalwareBazaar
TLSH T1DE6633A29F86D687F1232C7994EBEBF137333EC92E9D026358ED3E178825A5D46D4014
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:200-107-207-38 dropped-by-amadey exe NetSupport


Avatar
Bitsight
url: http://178.16.55.189/files/7782139129/0XKMCfK.exe

Intelligence

File Origin
# of uploads :
7
# of downloads :
170
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-10-07 23:15:03 UTC
Tags:
amadey botnet stealer themida rdp auto loader golang generic github telegram evasion arcstealer gcleaner netsupport rmm-tool arch-exec anti-evasion autoit remote xworm miner pastebin darkvision winring0-sys vuln-driver stealc vidar rustystealer purecrypter arch-doc rat socks5systemz proxybot websocket phishing
Link:
https://app.any.run/tasks/318beed9-a767-4da8-bfe2-3b8963013b8e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/31079/
Verdict:
Clean
Score:
N/A%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e5e31f277c2bd8bc5db7b5
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Moving a recently created file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Searching for the window
Searching for synchronization primitives
Connection attempt
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context amadey anti-debug blackhole crypto fingerprint hacktool installer microsoft_visual_cc netsupport netsupportmanager nsis overlay packed remoteadmin unsafe
Link:
https://www.filescan.io/uploads/68e5e34ad4a0085473c392f5/reports/477247c6-b2d1-4419-86e6-d766caed49d2/overview
Verdict:
Malicious
Labled as:
Malware_50.6
Link:
https://www.hybrid-analysis.com/sample/5780d51463906b400b6759e06f01b60d1223c752594adf6801673e0562d4551b
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-07T14:55:00Z UTC
Last seen:
2025-10-09T23:37:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/5780d51463906b400b6759e06f01b60d1223c752594adf6801673e0562d4551b/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf41b2cc-4684-474f-a427-cb4e969510ca
Score:
34%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/5780d51463906b400b6759e06f01b60d1223c752594adf6801673e0562d4551b
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/e93e9f575206636551460115655e39bc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5780d51463906b400b6759e06f01b60d1223c752594adf6801673e0562d4551b/
Verdict:
Malicious
Threat:
Family.NETSUPPORT
Link:
https://tip.neiki.dev/file/5780d51463906b400b6759e06f01b60d1223c752594adf6801673e0562d4551b
Threat name:
Win32.Trojan.Suschil
Create hunting rule
Status:
Malicious
First seen:
2025-10-07 17:38:02 UTC
File Type:
PE (Exe)
Extracted files:
465
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k6ankfddsbvuac3hlhqg6anwbujchr2slffn62abm47akywukunq._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
236d0788e4f5491cf67749cc4a5e56118d98f4254c047c36c98153375b2b6e5a
NetSupport
40de2b1e2d70c836435e2e28d27e880b531cb67ea6e2b8e11802157b0af43e8c
NetSupport
65219d70f5c46785626f4bc9c88ea20ba4dd533c7e9af5cb166eeee07d4753ff
NetSupport
97d5769bbbe9d025f9bc5544bf5d916a1087dd078bf4ad371eea0c678bb612d1
NetSupport
ce7748b3014f5349856cd5a588e5cdaabdfac83ca9639f425ac1fdbcd54a9703
NetSupport
error
NetSupport
f949ee275f209fd614661403425595ac738d1963009231394a43bb85907206b2
NetSupport
+ 881 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery execution installer persistence rat
Link:
https://tria.ge/reports/251008-enrhyawmx4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
NetSupport
Netsupport family
Verdict:
Malicious
Tags:
RemoteAccessTool
YARA:
n/a
Link:
https://app.threat.zone/submission/754d70f1-0724-4fed-b1e5-cd4ae2a5138b
Unpacked files
SH256 hash:
5780d51463906b400b6759e06f01b60d1223c752594adf6801673e0562d4551b
MD5 hash:
e93e9f575206636551460115655e39bc
SHA1 hash:
4f1b7be7e6cf39ec2fb5212791bc5be97a2da2a1
Link:
https://www.unpac.me/results/2e0d8f88-4d17-4d05-89b2-9eb7740b93a0/
SH256 hash:
19d8f1928cc8eabbd5783c7a68a14b0ff5c5b3a5081fd1ead5dec04eef7cea65
MD5 hash:
dea27ecee32b9fe1572482307d4fc28b
SHA1 hash:
50ba71067a8254744e4412ddf36b0530af2ac2a9
Link:
https://www.unpac.me/results/2e0d8f88-4d17-4d05-89b2-9eb7740b93a0/
SH256 hash:
289767b49dc8525bce262ea06fee4ef9fced2e131a55b25654ce871c1f0498b2
MD5 hash:
1a7544f942a9a9de9354e7a0f9060e3a
SHA1 hash:
fe86bc104eaaa01357d98db905711e9c73d437ce
Link:
https://www.unpac.me/results/2e0d8f88-4d17-4d05-89b2-9eb7740b93a0/
SH256 hash:
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824
MD5 hash:
e54eb27fb5048964e8d1ec7a1f72334b
SHA1 hash:
2b76d7aedafd724de96532b00fbc6c7c370e4609
Link:
https://www.unpac.me/results/2e0d8f88-4d17-4d05-89b2-9eb7740b93a0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5780d51463906b400b6759e06f01b60d1223c752594adf6801673e0562d4551b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

Executable exe 5780d51463906b400b6759e06f01b60d1223c752594adf6801673e0562d4551b

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3662804/
Cape
Cape
https://www.capesandbox.com/analysis/31079/

Comments