MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 868c78f267862af83cf94c9d21615d9c01afe3dbd0da02dc96bbc3a956ccc48d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 868c78f267862af83cf94c9d21615d9c01afe3dbd0da02dc96bbc3a956ccc48d
SHA3-384 hash: 9db192c99a3c0cdeea3c108a0ad26cd9f2f03671804a7e3fbe32832d13b9298d99185c1f81108b0e8db1871efac7f055
SHA1 hash: 1785a081523553690d110c4153e3b3c990c08d45
MD5 hash: 79a51197969dadee0226635f5977f6ab
humanhash: princess-muppet-fanta-mountain
File name:file
Download: download sample
Signature NetSupport
Create hunting rule
File size:13'693'983 bytes
First seen:2025-03-25 21:00:46 UTC
Last seen:2025-03-26 04:13:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 393216:VCdGMNhAJsP37+vetxpBhr2CxptGlknzOqChChb824:Ed1HAJ6tTzlyknyzh7
Threatray 885 similar samples on MalwareBazaar
TLSH T18BD6334435E9D9F1C97609360318EE5134BEFA20B72A98DDB312DE0BDE31651BB303A6
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10522/11/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter jstrosch
Tags:108-61-198-38 exe NetSupport


Avatar
jstrosch
Found at hxxp://176.113.115[.]7/files/151334531/3qRi3qK.exe by #subcrawl

Intelligence

File Origin
# of uploads :
2
# of downloads :
418
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
a910f73ee1f155ed585016e76cf5532c.exe
Verdict:
Malicious activity
Analysis date:
2025-03-25 18:01:44 UTC
Tags:
amadey botnet stealer opendir loader themida rdp auto generic gcleaner netsupport remote rmm-tool obfuscated-js telegram lumma
Link:
https://app.any.run/tasks/7d7ff887-e58e-4219-b132-fa9b574f4a52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.DarkKomet-10027799-0
Create hunting rule

SecuriteInfo.com.LuheRARDropper.19200.30796.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e2fc07cb6d38a89f3e0e89
Tags:
vmdetect netsup
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Connection attempt
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm anti-vm cmd control cscript evasive expired-cert exploit explorer fingerprint fingerprint hh installer keylogger lolbin microsoft_visual_cc netsupport netsupportmanager overlay packed packed packer_detected redcap remote remoteadmin sfx unsafe wscript
Link:
https://www.filescan.io/uploads/67e3199df274bf2d8e215d5b/reports/eb0fca41-26d3-4fd9-80ee-a477e0d30bf3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/868c78f267862af83cf94c9d21615d9c01afe3dbd0da02dc96bbc3a956ccc48d
Result
Verdict:
MALICIOUS
Malware family:
NetSupport Ltd
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7073265f-8528-4153-b42a-6b8364083ee7
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1648525
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Delayed program exit found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1648525 Sample: file.exe Startdate: 25/03/2025 Architecture: WINDOWS Score: 88 39 geo.netsupportsoftware.com 2->39 45 Suricata IDS alerts for network traffic 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 3 other signatures 2->51 10 file.exe 19 2->10         started        13 bild.exe 2->13         started        15 bild.exe 2->15         started        signatures3 process4 file5 31 C:\Users\Public31etstat\remcmdstub.exe, PE32 10->31 dropped 33 C:\Users\Public33etstat\pcicapi.dll, PE32 10->33 dropped 35 C:\Users\Public35etstat\msvcr100.dll, PE32 10->35 dropped 37 8 other files (4 malicious) 10->37 dropped 17 cmd.exe 1 10->17         started        process6 process7 19 bild.exe 16 17->19         started        23 conhost.exe 17->23         started        25 reg.exe 1 1 17->25         started        dnsIp8 41 108.61.198.38, 443, 49723 AS-CHOOPAUS United States 19->41 43 geo.netsupportsoftware.com 104.26.0.231, 49724, 49726, 49727 CLOUDFLARENETUS United States 19->43 53 Multi AV Scanner detection for dropped file 19->53 55 Contains functionalty to change the wallpaper 19->55 57 Delayed program exit found 19->57 59 Contains functionality to detect sleep reduction / modifications 19->59 27 MpCmdRun.exe 1 23->27         started        signatures9 process10 process11 29 conhost.exe 27->29         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/868c78f267862af83cf94c9d21615d9c01afe3dbd0da02dc96bbc3a956ccc48d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/868c78f267862af83cf94c9d21615d9c01afe3dbd0da02dc96bbc3a956ccc48d/
Threat name:
Win32.Trojan.NetSupport
Create hunting rule
Status:
Malicious
First seen:
2025-03-25 18:55:06 UTC
File Type:
PE (Exe)
Extracted files:
2918
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q2ghr4thqyvpqphzjsoscyk5tqa27y632dnafxewxpb2svwmysgq._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
33b22fce68d5d7bd08e86b8506c50bdfcd38c26db5983864e8d33bdf62f53272
NetSupport
6a8f94da45c0b3b791bbfb71b2e9a7cc6bd5dd777da0655ebc3137ad4070c72f
NetSupport
bf2165a4bdafb0945c8b370758e6d0b9ab145147e7ddab448a01b3b25c2ad8a7
NetSupport
d1c701d984c5e04b42f3cb7165fc8907dd9f46e91e14d582b6d0b6f188306954
NetSupport
error
NetSupport
+ 875 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery persistence rat
Link:
https://tria.ge/reports/250325-ztw1tswl18/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
NetSupport
Netsupport family
Verdict:
Malicious
Tags:
Win.Trojan.DarkKomet-10027799-0 remoteaccesstool
YARA:
n/a
Link:
https://app.threat.zone/submission/755c2354-1a10-4799-8fa6-7f537da11d01
Unpacked files
SH256 hash:
868c78f267862af83cf94c9d21615d9c01afe3dbd0da02dc96bbc3a956ccc48d
MD5 hash:
79a51197969dadee0226635f5977f6ab
SHA1 hash:
1785a081523553690d110c4153e3b3c990c08d45
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
2943dddc8e20f6d6e2782768ae6dc550acdd6caa809e55856f8536f87776c483
MD5 hash:
db2a53e686b1f5bfcdcbf504de58e255
SHA1 hash:
afcd706069a6200995860e471aa78fdb754c8ebd
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
aeb93b68044d917b3d318988310e10eef840cc542f569deb60c39c97de07bb5a
MD5 hash:
31ee6b4e9ad0ef02226790a7278c7f71
SHA1 hash:
9214a030a5be501c9dc9873c261a3cf872c20e40
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
fdaa60c116c933c3249b9c7ba4b1ff06f6d714ae94fdc8c059b2791ce70f23f3
MD5 hash:
8099e418aea43ab95655a076ef1b8d68
SHA1 hash:
961778f23b1dd84325bbbdb3d23ea11159951809
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
1b07ef568f410eedfdca59e152f336337afd30f4068d6acc335df2808efdd202
MD5 hash:
f525bd5dcec08be37a94d743d345be14
SHA1 hash:
ed1485111b370e0f75c004c5b253d3bf7ce18cf7
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
00f57b9910630a7049df821a39c733ca35763d9b11a58e8c0e52b06066a52643
MD5 hash:
46eacdca48274cc56965e2f11cc63d66
SHA1 hash:
305429533557823d54f1cb1766d080b7249b6d99
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
MD5 hash:
ecae8b9c820ce255108f6050c26c37a1
SHA1 hash:
42333349841ddcec2b5c073abc0cae651bb03e5f
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
26dbb528c270c812423c3359fc54d13c52d459cc0e8bc9b0d192725eda34e534
MD5 hash:
325b65f171513086438952a152a747c4
SHA1 hash:
a1d1c397902ff15c4929a03d582b09b35aa70fc0
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
457e9434e87e1bbd305b2ea0d37bca0b324410bfeeff107449e6388fdb2cc183
MD5 hash:
62e1232e4260b0c2a894d00bbb7faf77
SHA1 hash:
8813ff92afb55d0c7ba50741f99f9e54020c3b83
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
MD5 hash:
1d8f01a83ddd259bc339902c1d33c8f1
SHA1 hash:
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
MD5 hash:
eab603d12705752e3d268d86dff74ed4
SHA1 hash:
01873977c871d3346d795cf7e3888685de9f0b16
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
MD5 hash:
4add245d4ba34b04f213409bfe504c07
SHA1 hash:
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
MD5 hash:
d095b082b7c5ba4665d40d9c5042af6d
SHA1 hash:
2220277304af105ca6c56219f56f04e894b28d27
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
SH256 hash:
c99fe1fd9891196d87c554a673184f46a457af422a9e85e217cae411868db52a
MD5 hash:
8486dc6e7554f0bbd7b4c68678d5f4af
SHA1 hash:
901a2a361d6e58ca62acf3e0b6a31f5aaebe9f6e
Link:
https://www.unpac.me/results/750d8b83-9730-469f-936f-96e02b48a305/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/868c78f267862af83cf94c9d21615d9c01afe3dbd0da02dc96bbc3a956ccc48d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

Executable exe 868c78f267862af83cf94c9d21615d9c01afe3dbd0da02dc96bbc3a956ccc48d

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments