MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ee5e113340daa420bc7e34cdfa52dbdb6569e65111110655a257f56297a0e6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 9

Intelligence 9 IOCs YARA 21 File information Comments

SHA256 hash:	7ee5e113340daa420bc7e34cdfa52dbdb6569e65111110655a257f56297a0e6e
SHA3-384 hash:	2c2c7b97cb0f2afcb4f1976e0218ae1cef8926734fc3dde590eee8d4f394df2d2bfebbe2931e12c71ac6b7c703453df4
SHA1 hash:	f06a2b0b9562e60daf220988ae9ffd0393782738
MD5 hash:	85f092d2d2fe58869756963e227b9602
humanhash:	red-michigan-jupiter-ink
File name:	verification.google
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	2'500'096 bytes
First seen:	2026-03-26 12:27:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3271ee162568f50a6810be9b8973807f (9 x NetSupport)
ssdeep	24576:kJQXYFzLzBnzkVt6PkUJcefArbC+1J9oA7oJNjE9LrE8cWD/QvUSgby8cZLj:kJe0LNkVt+kUJcdrb31J9oWo7jGQc36
Threatray	27 similar samples on MalwareBazaar
TLSH	T18EC56C77FCA318F5E4AAA2358523A1527A717C446F3153CB2A90F3282F73BE05A79714
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	juroots
Tags:	exe Google NetSupport

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

http://web-captcha.cc/verification.google

Verdict:

No threats detected

Analysis date:

2026-03-25 10:51:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/978236f2-5b50-4d5d-ab6e-ed4359a68b11

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69c5263e390b99647413f307

Tags:

malware

Result

Verdict:

Clean

Maliciousness:

Behaviour

Connection attempt

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/7ee5e113340daa420bc7e34cdfa52dbdb6569e65111110655a257f56297a0e6e

Verdict:

Clean

File Type:

dll x64

First seen:

2026-03-24T18:07:00Z UTC

Last seen:

2026-03-25T13:14:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/7ee5e113340daa420bc7e34cdfa52dbdb6569e65111110655a257f56297a0e6e/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/664f05a9-65e4-4fc2-bbf2-1b243ac00ada

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7ee5e113340daa420bc7e34cdfa52dbdb6569e65111110655a257f56297a0e6e

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7ee5e113340daa420bc7e34cdfa52dbdb6569e65111110655a257f56297a0e6e/

Verdict:

Malicious

Threat:

Family.NETSUPPORT

Link:

https://tip.neiki.dev/file/7ee5e113340daa420bc7e34cdfa52dbdb6569e65111110655a257f56297a0e6e

Threat name:

Win64.Trojan.Qwexlafiba

Status:

Malicious

First seen:

2026-03-22 19:35:19 UTC

File Type:

PE+ (Dll)

AV detection:

19 of 36 (52.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p3s6cezubwveec6h4ngn7jjnxw3fnhtfceirazk2ev7vmkl2bzxa._file

Verdict:

malicious

Label(s):

amaterastealer

NetSupport

34af4409264d852ba0c694c1b63c7a60daafed958e4f3f32cbf243e0e17e15ad

NetSupport

497c5c734751280105a6320271fa1830a861e6976086484511fc0d8f02040929

NetSupport

54744fa7f773915658777694e2284c1e1f5ed63334afe3f8fc4471c5e9e1cd96

NetSupport

73edb1d8637b28113a1ba04fa4aa64d3020a9eaaf8a3024b978b362a4cce6238

NetSupport

7ffb2ecf73b536a4fc3b529363347aa5752bf32838a46ecf71c2f00c75cc284a

NetSupport

80c16135a33e213bfa1cb8bb6cdbfdec0a654ba143b9377b7372f851a4841e1e

NetSupport

ecc49e07ab6e6b4b57f6a7e952ace8c217f22a1746ed390d06348915e2372d63

NetSupport

+ 17 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

discovery spyware

Link:

https://tria.ge/reports/260326-pmz4ssh19y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Unpacked files

SH256 hash:

7ee5e113340daa420bc7e34cdfa52dbdb6569e65111110655a257f56297a0e6e

MD5 hash:

85f092d2d2fe58869756963e227b9602

SHA1 hash:

f06a2b0b9562e60daf220988ae9ffd0393782738

Link:

https://www.unpac.me/results/969c6a99-78c6-4011-beed-2dce6a25e78b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7ee5e113340daa420bc7e34cdfa52dbdb6569e65111110655a257f56297a0e6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Go_GOMAXPROCS Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)