MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65219d70f5c46785626f4bc9c88ea20ba4dd533c7e9af5cb166eeee07d4753ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 15

SHA256 hash: 65219d70f5c46785626f4bc9c88ea20ba4dd533c7e9af5cb166eeee07d4753ff
SHA3-384 hash: 5cb16f137cd5aa841dcfd70922f816c8cfdec8febb017e2f070356b2e36b2939e0fa13d56a48e7871ffed37cae0c42c7
SHA1 hash: 0f668c743ae0326ccff97681e1f177b520d7813b
MD5 hash: b7380d2e9c03619246fe6b1b14f7a219
humanhash: lion-hydrogen-social-timing
File name: b7380d2e9c03619246fe6b1b14f7a219.exe
Download: download sample
Signature: NetSupport
File size: 3'005'952 bytes
First seen: 2025-09-13 23:20:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6a91eb82bfd19d2706c7d43c46f7064e (1 x njrat, 1 x NetSupport)
ssdeep: 49152:cdpK1bEG3eZUoQx5nKva7M7/PiclLutfouSa6FmAfS/ix89ZEu4opa5Yw7rQcNyA:c81RH5KaM7/PPLmgfnQAfS/ix8/lVa5X
Threatray: 878 similar samples on MalwareBazaar
TLSH: T109D52347B285C4F4E5B3A63448711D02BB73BC4A57A05BCF2788E6A63E326914D3BB71
TrID: 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
      21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.7% (.ICL) Windows Icons Library (generic) (2059/9)
      8.5% (.EXE) OS/2 Executable (generic) (2029/13)
      8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: 51-89-107-105 exe NetSupport

abuse_ch
NetSupport C2:
51.89.107.105:9191

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
51.89.107.105:9191 | https://threatfox.abuse.ch/ioc/1589724/

Intelligence

File Origin
# of uploads: 1
# of downloads: 195
Origin country: NL
Vendor Threat Intelligence
Malware family: netsupport
ID: 1
File name: b7380d2e9c03619246fe6b1b14f7a219.exe
Verdict: Malicious activity
Analysis date: 2025-09-13 23:20:42 UTC
Tags: netsupport remote rmm-tool auto-reg

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect madi
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Creating synchronization primitives
Creating a window
Searching for the window
Searching for synchronization primitives
Connection attempt
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug dotnet lolbin microsoft_visual_cc packed
Verdict: Malicious
File Type: exe x64
First seen: 2025-09-09T12:02:00Z UTC
Last seen: 2025-09-09T12:02:00Z UTC
Hits: ~100
Malware family: NetSupport Ltd
Verdict: Suspicious
Result
Threat name: NetSupport RAT
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Signature:
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Delayed program exit found
Drops executable to a common third party application directory
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph: ID 1777133, sample CUaseu1YuL.exe, start date 14/09/2025, architecture WINDOWS, score 100.
Recoverable graph content: CUaseu1YuL.exe drops pcicapi.dll, msvcr100.dll and adobe.exe (PE32) under C:\ProgramData\Adobe\...\ plus 5 other files (2 malicious); cmd.exe launches adobe.exe, calc.exe / Calculator.exe and reg.exe (flagged for excessive use of cmd line tools to alter registry or file data); adobe.exe connects to 51.89.107.105 port 9191 (OVH, France) and geo.netsupportsoftware.com at 172.67.68.212 port 80 (Cloudflare, United States), with signatures for multi AV detection of the dropped file, wallpaper change, delayed program exit and sleep reduction detection.
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-09-09 17:06:15 UTC
File Type: PE+ (Exe)
Extracted files: 16
AV detection: 15 of 38 (39.47%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Verdict: Malicious
Tags: RemoteAccessTool
YARA: n/a
Unpacked files
SHA256 hash: 65219d70f5c46785626f4bc9c88ea20ba4dd533c7e9af5cb166eeee07d4753ff
MD5 hash: b7380d2e9c03619246fe6b1b14f7a219
SHA1 hash: 0f668c743ae0326ccff97681e1f177b520d7813b
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: NET
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments