MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fd1bae6a00bc4f5b4cdae0ddcae52389d337424d6ad035c9cde3b6ea948ffdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport
Vendor detections: 15



SHA256 hash: 6fd1bae6a00bc4f5b4cdae0ddcae52389d337424d6ad035c9cde3b6ea948ffdb
SHA3-384 hash: 8ad189b40525c97831d92f062533099216b112a5b0035ea7fecdd5549f46a02223bf6ef8133d024c992d0e3ba2e57736
SHA1 hash: bd8888e30bfab6e8e3d7018c51034abd7b3dbc40
MD5 hash: 16c6af84e16dbb1206fa0e87237b2269
humanhash: leopard-seven-ten-spring
File name: 16c6af84e16dbb1206fa0e87237b2269.exe
Download: download sample
Signature: NetSupport
File size: 10'780'517 bytes
First seen: 2026-03-12 04:25:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 608505ff1e7e27ff4a42ea9c4e9f4192 (5 x LummaStealer, 5 x NetSupport, 3 x ValleyRAT)
ssdeep 98304:tr99u4kc8Hao8eRjYBU4UAir2Y5uh4oSTy6kGc3NEj0ayISaBgwjZcI92tLTMc6W:f9upko8Rr6rYyc3Lay+gRHB6MgU6S+W
TLSH T114B69D21B54AC13AE66E51B2592CEB6B61797FB20B7140DB73DC3DAE0B704C21236E17
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.8% (.EXE) Win64 Executable (generic) (6522/11/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 6ded69c7b130b2c0 (13 x ValleyRAT, 12 x CryptBot, 7 x NetSupport)
Reporter abuse_ch
Tags:91-211-251-249 exe jazger-com NetSupport


abuse_ch
NetSupport C2:
91.211.251.249:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
91.211.251.249:443 | https://threatfox.abuse.ch/ioc/1756971/
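The entry publishes one hard indicator (91.211.251.249:443, tagged with the domain jazger.com), while the sandbox trace further down also shows the client reaching geo.netsupportsoftware.com, which the NetSupport client contacts as part of normal operation. The following hunting script is an added example, not part of this MalwareBazaar entry or of abuse.ch tooling: it labels constructed connection and DNS events against those indicators, treats the vendor domain as context rather than as C2, and keeps the C2 address visible even when it appears on a port other than 443. The event format and hostnames are constructed for the example.

```python
import re
from collections import defaultdict

# Indicators published on this MalwareBazaar entry (ThreatFox IOC 1756971,
# the entry's tags and the sandbox network trace).
C2_ENDPOINTS = {("91.211.251.249", 443)}
C2_DOMAINS = {"jazger.com"}
# The NetSupport client contacts this host as part of normal operation, so a
# hit is supporting context for an investigation, not a C2 indicator by itself.
VENDOR_DOMAINS = {"geo.netsupportsoftware.com"}

# Constructed sample events (not real telemetry). One event per line:
#   <timestamp> <hostname> conn <dst_ip>:<dst_port>
#   <timestamp> <hostname> dns  <queried_name>
SAMPLE_EVENTS = """\
2026-03-12T04:26:01Z WS-0412 dns jazger.com
2026-03-12T04:26:01Z WS-0412 conn 91.211.251.249:443
2026-03-12T04:26:02Z WS-0412 dns geo.netsupportsoftware.com
2026-03-12T04:26:02Z WS-0412 conn 104.26.1.231:443
2026-03-12T04:30:00Z WS-0099 conn 91.211.251.249:8080
2026-03-12T04:31:00Z WS-0200 dns mail.example.com
2026-03-12T04:32:00Z WS-0300 dns geo.netsupportsoftware.com
"""

_EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>conn|dns)\s+(?P<value>\S+)$")


def classify(kind: str, value: str):
    """Label one event: 'c2', 'c2-ip' (C2 address on another port), 'vendor' or None."""
    if kind == "dns":
        name = value.rstrip(".").lower()
        if name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS):
            return "c2"
        if name in VENDOR_DOMAINS:
            return "vendor"
        return None
    if kind == "conn":
        ip, sep, port = value.rpartition(":")
        if not sep or not port.isdigit():
            return None
        if (ip, int(port)) in C2_ENDPOINTS:
            return "c2"
        # Same address, different port: operators rotate ports, so keep it visible.
        if any(ip == c2_ip for c2_ip, _ in C2_ENDPOINTS):
            return "c2-ip"
        return None
    return None


def hunt(events_text: str) -> dict:
    """Group labelled events per host and assign a per-host verdict.

    'c2'     -> a published C2 indicator matched exactly
    'review' -> only weaker signals (C2 IP on another port, vendor domain)
    Hosts with no labelled events are omitted.
    """
    per_host = defaultdict(lambda: {"labels": set(), "events": []})
    for line in events_text.splitlines():
        m = _EVENT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        label = classify(m["kind"], m["value"])
        if label is None:
            continue
        entry = per_host[m["host"]]
        entry["labels"].add(label)
        entry["events"].append((m["ts"], m["kind"], m["value"], label))
    for entry in per_host.values():
        entry["verdict"] = "c2" if "c2" in entry["labels"] else "review"
    return dict(per_host)


if __name__ == "__main__":
    for host, entry in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{host}: {entry['verdict']}")
        for ts, kind, value, label in entry["events"]:
            print(f"  {ts} {kind} {value} [{label}]")
```

A host that only resolved geo.netsupportsoftware.com (WS-0300 above) lands in the review bucket: that is exactly what a legitimately installed NetSupport client looks like, so the decision has to be made on the install path and parent process, not on this domain.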

Intelligence


File Origin
# of uploads :
1
# of downloads :
186
Origin country :
NL
Vendor Threat Intelligence
Malware family:
netsupport
ID:
1
File name:
16c6af84e16dbb1206fa0e87237b2269.exe
Verdict:
Malicious activity
Analysis date:
2026-03-12 04:25:42 UTC
Tags:
advancedinstaller auto-startup netsupport rmm-tool remote

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
dropper netsup trojan virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context advanced_installer anti-debug anti-vm base64 expired-cert fingerprint installer installer-heuristic lolbin microsoft_visual_cc msiexec netsupportmanager obfuscated packed powershell remoteadmin runonce soft-404 strictor unsafe virus
Verdict:
Malicious
File Type:
exe x32
Detections:
HEUR:Trojan.Win32.Blamon.gen HEUR:Trojan.Script.NetSup.gen not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen
Malware family:
NetSupport Ltd
Verdict:
Suspicious
Result
Threat name:
NetSupport RAT
Detection:
malicious
Classification:
rans.evad
Score:
92 / 100
Signature
Bypasses PowerShell execution policy
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Delayed program exit found
Drops executables to the windows directory (C:\Windows) and starts them
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Behaviour
Behavior Graph:
Behavior Graph (rendered as text; graph ID 1882371, sample name ezfbnluDli.exe, start date 12/03/2026, architecture WINDOWS, score 92):

Domains contacted: jazger.com; geo.netsupportsoftware.com; collect.installeranalytics.com
Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Joe Sandbox ML detected suspicious sample

Process tree:
ezfbnluDli.exe (submitted sample)
  Dropped: C:\Users\user\AppData\Local\...\shi2E38.tmp (PE32+); C:\Users\user\AppData\Local\...\MSI3E49.tmp (PE32); C:\Users\user\AppData\Local\...\MSI303E.tmp (PE32); 2 other files (none is malicious)
  Started: msiexec.exe
msiexec.exe
  Dropped: C:\Windows\Installer\MSIE3F8.tmp (PE32); C:\Users\user\AppData\...\client32.exe (PE32); C:\Windows\Installer\MSIE513.tmp (PE32); 19 other files (none is malicious)
  Signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy; Drops executables to the windows directory (C:\Windows) and starts them
  Started: msiexec.exe (child 1); msiexec.exe (child 2); powershell.exe; MSIE3F8.tmp
    msiexec.exe (child 1)
      Dropped: C:\Users\user\AppData\Local\...\shi3146.tmp (PE32); C:\Users\user\AppData\Local\...\shi306A.tmp (PE32)
      Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs)
    msiexec.exe (child 2)
      Network: collect.installeranalytics.com 50.17.175.172:443 (source port 49703; AMAZON-AES, United States)
      Dropped: C:\Users\user\AppData\Local\...\shi45B8.tmp (PE32); C:\Users\user\AppData\Local\...\shi453A.tmp (PE32)
    powershell.exe
      Started: conhost.exe
client32.exe (two instances)
  Network: jazger.com 91.211.251.249:443 (source port 49699; ON-LINE-DATA Serverlocation-Netherlands Dronten NL, Ukraine); geo.netsupportsoftware.com 104.26.1.231 (source ports 49700, 49701, 49702; CLOUDFLARENET, United States)
  Signatures: Contains functionality to change the wallpaper; Delayed program exit found; Contains functionality to detect sleep reduction / modifications
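The sandbox chain above (msiexec.exe spawning a PowerShell with an execution-policy bypass, starting a .tmp from C:\Windows\Installer, and dropping client32.exe under the user profile) maps onto three process-creation checks. The script below is an added example written for this page, not Joe Sandbox's or MalwareBazaar's own logic. The process records are constructed: the sandbox report elides the real drop path of client32.exe and does not show the PowerShell command line, so the paths and arguments used here are illustrative, and the rule that a client32.exe under C:\Users is suspicious assumes that a legitimately installed NetSupport client lives under Program Files.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


# Constructed process-creation events (not real telemetry and not the sandbox's
# data). Paths under the user profile and the .ps1 name are illustrative.
SAMPLE_PROCS = [
    Proc(1000, 4,    r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(2000, 1000, r"C:\Users\user\Downloads\16c6af84e16dbb1206fa0e87237b2269.exe",
         "16c6af84e16dbb1206fa0e87237b2269.exe"),
    Proc(2100, 2000, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i setup.msi /qn"),
    Proc(2200, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\user\\AppData\\Local\\Temp\\post.ps1"),
    Proc(2300, 2100, r"C:\Windows\Installer\MSIE3F8.tmp", "MSIE3F8.tmp"),
    Proc(2400, 2100, r"C:\Users\user\AppData\Roaming\NetSupport\client32.exe", "client32.exe"),
    # Benign baseline: a properly installed NetSupport client and an ordinary PowerShell session.
    Proc(3000, 1000, r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe", "client32.exe"),
    Proc(3100, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -NoProfile -Command Get-Date"),
]

# PowerShell accepts abbreviated parameter names, so match the common short forms too.
_EP_BYPASS = re.compile(r"(?i)-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)\b")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(procs: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) pairs for processes matching the chain seen in the sandbox."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    hits: List[Tuple[str, int]] = []
    for p in procs:
        parent: Optional[Proc] = by_pid.get(p.ppid)
        parent_is_msiexec = parent is not None and _basename(parent.image) == "msiexec.exe"
        name = _basename(p.image)
        image_lower = p.image.lower()

        # 1. "Bypasses PowerShell execution policy", with msiexec as the parent.
        if parent_is_msiexec and name in ("powershell.exe", "pwsh.exe") and _EP_BYPASS.search(p.cmdline):
            hits.append(("msiexec_spawns_powershell_bypass", p.pid))

        # 2. "Drops executables to the windows directory and starts them":
        #    an Installer .tmp launched directly by msiexec.
        if parent_is_msiexec and image_lower.startswith("c:\\windows\\installer\\") and name.endswith(".tmp"):
            hits.append(("msiexec_starts_installer_tmp", p.pid))

        # 3. NetSupport client running from a user-writable profile directory
        #    (assumption: the legitimate product installs under Program Files).
        if name == "client32.exe" and image_lower.startswith("c:\\users\\"):
            hits.append(("client32_in_user_profile", p.pid))
    return hits


if __name__ == "__main__":
    by_pid = {p.pid: p for p in SAMPLE_PROCS}
    for rule, pid in detect(SAMPLE_PROCS):
        print(f"{rule}: pid {pid} {by_pid[pid].image}")
```

Rule 2 on its own will fire on legitimate MSI custom actions, which also run .tmp files from C:\Windows\Installer; it earns its place here because the same msiexec instance also spawned the policy-bypassing PowerShell, so the three hits should be correlated on the parent PID rather than alerted on individually.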
Threat name:
Win32.Trojan.Strictor
Status:
Malicious
First seen:
2026-03-09 03:21:00 UTC
File Type:
PE (Exe)
Extracted files:
507
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netsupportmanagerrat
Similar samples:
Result
Malware family:
netsupport
Score:
  10/10
Tags:
family:netsupport discovery execution rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates connected drives
Drops startup file
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
NetSupport
Netsupport family
Unpacked files
SHA256 hash:
6fd1bae6a00bc4f5b4cdae0ddcae52389d337424d6ad035c9cde3b6ea948ffdb
MD5 hash:
16c6af84e16dbb1206fa0e87237b2269
SHA1 hash:
bd8888e30bfab6e8e3d7018c51034abd7b3dbc40
SHA256 hash:
da8f2701a54d7fa72195de146bf221cd3c73dc186f0a2c8a76190f742683585c
MD5 hash:
2bc2c2b6768fe6176c563588b0e4930a
SHA1 hash:
b9ade2f27248cdddc19ad9c49c2c0cb7d6293208
SHA256 hash:
d17b50e8ba0ad39688762789966f30de6c16bd84962d3885fbc2d81ff6afd80a
MD5 hash:
4f9ae8563ee043fda29d9136086d8346
SHA1 hash:
056d0e1eccd90c1768d7375290366203af7766fe
SHA256 hash:
28adf8bfb6a8a71d757fd424f166d8d176a23ceda98bf7151ce3b5222fdaadbd
MD5 hash:
508b0fe51d9bf5ebdb82834c2dfd1833
SHA1 hash:
1d8c70e12ca201dfbac8ed02ce6cd7d2e68464bf
SHA256 hash:
527701da44f402f431604d557a82137591e72628b4955ae1ebad033492040630
MD5 hash:
f283a657131f865c9935ab9056e7d6a6
SHA1 hash:
8bd6c38a8f3cb5152a0a99ad66b6019d35ec4cd0
SHA256 hash:
21418bf80d90aec447affaa14917e1e2a52b758719ac979ebd0cccd0d5e199b2
MD5 hash:
e365fa9e604eaddc44276bee15cad681
SHA1 hash:
bec8154029b33e9d8ed9533fa525bb31df9cf28d
SHA256 hash:
a7ab5b972a8630f64351e73b8a6b3e095ec8c4bc5f6852aba65efde444054254
MD5 hash:
41f96a3e7cbf0e8d7e387f62e7d1a847
SHA1 hash:
d5fda110a373ec7b217bd52e2d65823f9d839151
SHA256 hash:
00f57b9910630a7049df821a39c733ca35763d9b11a58e8c0e52b06066a52643
MD5 hash:
46eacdca48274cc56965e2f11cc63d66
SHA1 hash:
305429533557823d54f1cb1766d080b7249b6d99
SHA256 hash:
06a80941ef4d514fc6845f0a82cdae80d5dc23becf53797e45656473aa1e98dc
MD5 hash:
0c8696262850937c0c34da3cd24b2bb0
SHA1 hash:
7dbf638bd24bd19e9d2258f483c7ae244c7b20f1
SHA256 hash:
ee4247e2ce3d529ec0e013469467894ff00faf59c632211dc438fba2331ea443
MD5 hash:
5cbabdc06e8034d801ae10b77dc559cb
SHA1 hash:
d275b98afd1d6692f85ab168faee1f85acdcca8f
SHA256 hash:
c632a95871871eb8a23cc91ea09a99c04b6c425304955981249740ed9d08b141
MD5 hash:
57e7b5995199ef5f5b0b1a8094b920ab
SHA1 hash:
b3d98c8ff35644073acc194f82ba9b2c12e419db
SHA256 hash:
67ff2fc39c6f6c93c3a8237561e254e7ceedbe3da18f0435c7b5528351dd937e
MD5 hash:
62ed50a2c64b9ac5c3bdc2d6f2da805c
SHA1 hash:
cf896586006a8eabd2d5d3a71dea602eea7e0a74
SHA256 hash:
f2ff4e42682744b34763c6c78407314281bca1d18e624ae6996d230126e7983c
MD5 hash:
9401ef4e13fdda9c822c015cff6631c9
SHA1 hash:
34daf1c3c072757aeb0a45ae4527c7498680e181
SHA256 hash:
1e794382a6e9a65e20a8c5078e3fe0d692fe03fc3f8359e844897f5dfc7394b2
MD5 hash:
5bcc1f8e9e7bc1c141631b02df02bf4f
SHA1 hash:
81cdec7a2c8578dda3c6b3bdddd20f48f5ef2298
SHA256 hash:
2e1dbf571c72f7ee0e584486c5441dab16c8c868bdeb86ef24dfebe84fc68d6b
MD5 hash:
0584ff3d92f50d11143d0ea4ba4b3253
SHA1 hash:
0dc56c9d09d2749098c36f2faf88fb966d540166
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group to load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through a base64-encoded PowerShell script.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments