MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8222775ca74ca2bfc222e6c22e10b7945be56506cd8f5baf5237fe0c57ffbf7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8222775ca74ca2bfc222e6c22e10b7945be56506cd8f5baf5237fe0c57ffbf7e
SHA3-384 hash: 42a3e22941ff4babe82febb84195e7c138844f61b981c3259cbb4273a06db9fb1c0496a0acde939a2318c7960f1ba0a6
SHA1 hash: 9d4e773daa0daba7b278de9ff3f7ba51511a786b
MD5 hash: 29a247f5d040a8f71716c181c70bfa46
humanhash: louisiana-tango-johnny-zebra
File name:29a247f5d040a8f71716c181c70bfa46.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:5'909'011 bytes
First seen:2026-04-06 09:55:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 31f01382ba761e6e741d4f20d6d399eb (2 x NetSupport)
ssdeep 98304:5YuHiEuPNUYEi1xoo33w3NPvNTIVtC8dsHJFdKm:OiiEuNUs1eo33GtyGHJDF
Threatray 5 similar samples on MalwareBazaar
TLSH T148565A8F329BB671C55CA5377C8A555A3441CBB6339647780CFC4BB808BF69A8B0861F
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:94-26-83-20 exe lusnyak-xyz NetSupport


Avatar
abuse_ch
NetSupport C2:
94.26.83.20:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
94.26.83.20:443 https://threatfox.abuse.ch/ioc/1781678/

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
NL NL
Vendor Threat Intelligence
Gathering data
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
29a247f5d040a8f71716c181c70bfa46.exe
Verdict:
Malicious activity
Analysis date:
2026-04-06 09:56:06 UTC
Tags:
anti-evasion auto-startup netsupport rmm-tool tool
Link:
https://app.any.run/tasks/502557a0-3414-4d75-a15a-8f2087a1802c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60591/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop36.42381.27225.30781.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69d383416a61012f6acf4d97
Tags:
vmdetect autorun netsup
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Connection attempt
Sending a custom TCP request
Сreating synchronization primitives
Creating a window
Searching for the window
Searching for synchronization primitives
DNS request
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug crypto krypt overlay packed packed unsafe
Link:
https://www.filescan.io/uploads/69d3833e00ad3636940ca6f4/reports/fbed5fe8-8c3d-40a3-9881-d57ac5c8b3a9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8222775ca74ca2bfc222e6c22e10b7945be56506cd8f5baf5237fe0c57ffbf7e
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-03T14:30:00Z UTC
Last seen:
2026-04-07T23:45:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Badex.d Backdoor.RABased.HTTP.C&C HEUR:Trojan.Script.NetSup.gen Backdoor.Win32.RABased.bri BSS:Trojan.Win32.Generic not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen RemoteAdmin.NetSup.HTTP.C&C VHO:Backdoor.Win32.RABased.gen
Link:
https://opentip.kaspersky.com/8222775ca74ca2bfc222e6c22e10b7945be56506cd8f5baf5237fe0c57ffbf7e/results?tab=lookup
Malware family:
NetSupport Ltd
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fd8b6e72-939f-4bbf-82bc-d8b838b06cdd
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1893929
Signature
Contain functionality to detect virtual machines
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Delayed program exit found
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
Score:
67%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/8222775ca74ca2bfc222e6c22e10b7945be56506cd8f5baf5237fe0c57ffbf7e
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/29a247f5d040a8f71716c181c70bfa46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8222775ca74ca2bfc222e6c22e10b7945be56506cd8f5baf5237fe0c57ffbf7e/
Verdict:
Malicious
Threat:
Family.NETSUPPORT
Link:
https://tip.neiki.dev/file/8222775ca74ca2bfc222e6c22e10b7945be56506cd8f5baf5237fe0c57ffbf7e
Threat name:
Win64.Backdoor.Ravartar
Create hunting rule
Status:
Malicious
First seen:
2026-04-03 19:24:20 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qirhoxfhjsrl7qrc43bc4efxsrn6kzigzwhvxl2sg77ayv77x57a._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
07b1b7a1b39dc241cdb9d2253db5b92443710696bab2448e6c99b2704d3099bb
NetSupport
8222775ca74ca2bfc222e6c22e10b7945be56506cd8f5baf5237fe0c57ffbf7e
NetSupport
ab6f1cc233c95d3026df95944cbf57e50a57d3f37ffcb65f9ea42c8e7723f0d4
NetSupport
error
NetSupport
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport defense_evasion discovery rat
Link:
https://tria.ge/reports/260406-lyfyhscz2l/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Looks for VMWare services registry key.
Enumerates VirtualBox registry keys
NetSupport
Netsupport family
Unpacked files
SH256 hash:
8222775ca74ca2bfc222e6c22e10b7945be56506cd8f5baf5237fe0c57ffbf7e
MD5 hash:
29a247f5d040a8f71716c181c70bfa46
SHA1 hash:
9d4e773daa0daba7b278de9ff3f7ba51511a786b
Link:
https://www.unpac.me/results/8c2010e3-7530-4bf8-8fc0-ba12410709dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8222775ca74ca2bfc222e6c22e10b7945be56506cd8f5baf5237fe0c57ffbf7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/60591/

Comments