MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dc129be20fa669fc730b8364b83ecad913acd1ad1706b9deb670dbe104fde12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 13

Intelligence 13 IOCs YARA 23 File information Comments

SHA256 hash:	9dc129be20fa669fc730b8364b83ecad913acd1ad1706b9deb670dbe104fde12
SHA3-384 hash:	b5c865df0e703d92cdca5c9d0750de4ccf034c2c6c0aa07ba08aac0e3e2f6d1e752c3f5a77c05e1fa004d84f04b91337
SHA1 hash:	f1c38844b84e957dad31e90a9c59ffe00a9b8ff4
MD5 hash:	49242575f213d665b54b403168fa6828
humanhash:	uranus-virginia-comet-paris
File name:	dfgsdfgbvbb.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	97'944'064 bytes
First seen:	2026-05-19 18:47:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	00670d17960be47fe34b76072bf9faf7 (1 x NetSupport)
ssdeep	98304:kzUrewT2eqGoS5xa6MWYlKn4jTLYaI7aSXxG2OcxVOo:kzUykvqGosVyK4jbShG2lr
TLSH	T1B728C58F1A6A5983E0C2437E10D1A588CB91FB3D56B7C9B4ACC5D09E544E9F8433F39A
TrID	37.0% (.EXE) Win64 Executable (generic) (6522/11/2) 28.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.5% (.EXE) OS/2 Executable (generic) (2029/13) 11.3% (.EXE) Generic Win/DOS Executable (2002/3) 11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
Reporter	Alex_sev
Tags:	djkmgndkjfgndfg-com exe kryptik NetSupport RAT RemoteAdmin skadfjsdijfhsfso9to-com tedy

Intelligence

File Origin

# of uploads :

# of downloads :

200

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

netsupport

ID:

File name:

dfgsdfgbvbb.exe

Verdict:

Malicious activity

Analysis date:

2026-05-19 18:49:01 UTC

Tags:

netsupport rmm-tool auto rat remote tool

Link:

https://app.any.run/tasks/e70e7750-f809-4ff3-8558-50befc9b9a66

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a0cb05c4159ce11f60166cf

Tags:

vmdetect autorun netsup madi

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Launching a process

Creating a process from a recently created file

Creating a window

Searching for the window

Searching for synchronization primitives

DNS request

Connection attempt

Moving of the original file

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug anti-vm crypto evasive evasive microsoft_visual_cc obfuscated packed xor-pe

Link:

https://www.filescan.io/uploads/6a0cb052056ea44c4534db24/reports/4673ae1d-9d3d-43e8-8cc6-25fa62348bc4/overview

Verdict:

Malicious

Labled as:

Tedy.Generic

Link:

https://www.hybrid-analysis.com/sample/9dc129be20fa669fc730b8364b83ecad913acd1ad1706b9deb670dbe104fde12

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-05-19T12:31:00Z UTC

Last seen:

2026-05-21T05:27:00Z UTC

Hits:

~100

Detections:

Trojan.Win64.Agent.sb PDM:Trojan.Win32.Generic PDM:Trojan.Win32.Tasker.cust Backdoor.Win32.RABased.btw Backdoor.RABased.HTTP.C&C not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen RemoteAdmin.NetSup.HTTP.C&C

Link:

https://opentip.kaspersky.com/9dc129be20fa669fc730b8364b83ecad913acd1ad1706b9deb670dbe104fde12/results?tab=lookup

Score:

30%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/9dc129be20fa669fc730b8364b83ecad913acd1ad1706b9deb670dbe104fde12

Gathering data

Verdict:

Malicious

Threat:

Backdoor.Win32.HTTP

Link:

https://tip.neiki.dev/file/9dc129be20fa669fc730b8364b83ecad913acd1ad1706b9deb670dbe104fde12

Threat name:

Win64.Trojan.Ravartar

Status:

Malicious

First seen:

2026-05-19 18:28:00 UTC

File Type:

PE+ (Exe)

Extracted files:

129

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=txastpra7jtj7rzqxa3exa7mvwitvti22fygxhplm4g34ecp3yja._file

Verdict:

malicious

Label(s):

netsupportmanagerrat

Similar samples:

error

NetSupport

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport discovery execution persistence rat

Link:

https://tria.ge/reports/260519-xfpcqaa15w/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

System Location Discovery: System Language Discovery

Deletes itself

Executes dropped EXE

Loads dropped DLL

Family: NetSupport

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NetSupportRAT_Config Create hunting rule
Author:	abuse.ch

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	MALWARE_Win_NetSupport Create hunting rule
Author:	ditekSHen
Description:	Detects NetSupport client

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NetSupport Create hunting rule
Author:	YungBinary
Description:	Detects NetSupport Manager RAT on disk or in memory

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Suspicious_Process Create hunting rule
Author:	Security Research Team
Description:	Suspicious process creation

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	test_rule_vldslv Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample