MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0383b31ab663412a3a50e9a19032942a4819320055577f583b0831760a8cf12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0383b31ab663412a3a50e9a19032942a4819320055577f583b0831760a8cf12
SHA3-384 hash: 680e214cca52f43f1b31a76e051d47373e81f010fc9bce7b77847624f80f9c8d8bc06bac2acbb32e8af8d0f16bdf406b
SHA1 hash: c59ce8b46b62de783e4321a1dd50bd13d9606866
MD5 hash: 7255bb55572bb9e0db22fabd63cd4043
humanhash: jersey-twenty-fillet-potato
File name:RateConfirmation134G2025.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:6'152'184 bytes
First seen:2025-12-10 19:09:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 573bb7b41bc641bd95c0f5eec13c233b (37 x GuLoader, 21 x RemcosRAT, 16 x VIPKeylogger)
ssdeep 98304:3SOeaDdwT+s/6eqc3QF6sgsUyNopEgD/gp3IFVVnUKRSBKtQlspBA8iol:3XeJRAUxsUyNo1DlVVnVRSQtEs7i
Threatray 1'499 similar samples on MalwareBazaar
TLSH T19C5633F81655A83FEFC3167F22701F23C2A4930672E8255A62A3FB195D7AB41FC89345
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter Anonymous
Tags:exe fastsecurechange-com NetSupport signed storforufisrt-com

Code Signing Certificate

Organisation:Martines Palmeiro Construction, LLC
Issuer:Microsoft ID Verified CS AOC CA 02
Algorithm:sha384WithRSAEncryption
Valid from:2025-12-08T13:47:58Z
Valid to:2025-12-11T13:47:58Z
Serial number: 3300066eaca3015d01fafc05c3000000066eac
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 25ca37174ff5f7870bf1bebc1b4f64584c61b8a864a1725d7f3539cf57e6cd78
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
80.64.19.187:443 https://threatfox.abuse.ch/ioc/1674337/

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
NSIS
Details
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/e0e80cd2-7003-410e-b1b6-1e823302e9e3/
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
RateConfirmation134G2025.exe
Verdict:
Malicious activity
Analysis date:
2025-12-10 19:09:43 UTC
Tags:
netsupport rmm-tool auto-startup arch-exec arch-doc
Link:
https://app.any.run/tasks/cbc06967-396a-46b9-ac9c-45cf5fb77520

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44205/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6939c55ebde6a3e5970ff505
Tags:
vmdetect
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm anti-vm blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay revoked-cert short-lived-cert signed
Link:
https://www.filescan.io/uploads/6939c55dcf690d27f3dba01f/reports/ea700b79-476b-4fc6-9a9a-99283f425f38/overview
Verdict:
Malicious
Labled as:
Generik.CWSDDQP trojan
Link:
https://www.hybrid-analysis.com/sample/b0383b31ab663412a3a50e9a19032942a4819320055577f583b0831760a8cf12
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-10T12:12:00Z UTC
Last seen:
2025-12-12T17:03:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Cobalt.gen Backdoor.RABased.HTTP.C&C Trojan-Dropper.Win32.Agent.sb Trojan.PowerShell.Cobalt.sb BSS:Trojan.Win32.Generic RemoteAdmin.NetSup.HTTP.C&C not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen
Link:
https://opentip.kaspersky.com/b0383b31ab663412a3a50e9a19032942a4819320055577f583b0831760a8cf12/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0989c171-e86d-46ff-9a12-9f846ffea8af
Score:
64%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/b0383b31ab663412a3a50e9a19032942a4819320055577f583b0831760a8cf12
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0383b31ab663412a3a50e9a19032942a4819320055577f583b0831760a8cf12/
Verdict:
Malicious
Threat:
Family.NETSUPPORT
Link:
https://tip.neiki.dev/file/b0383b31ab663412a3a50e9a19032942a4819320055577f583b0831760a8cf12
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-12-10 19:10:38 UTC
File Type:
PE (Exe)
Extracted files:
225
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wa4dwmnlmy2bfi5fb2nbsazjiksidezaavkxp5mdwcbroyfiz4ja._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
2a0f495cd25dcbf02b2b0b11032d32a0460c9b7c5ad491afa4060ea3ca675f90
NetSupport
6ed0e5411c6836ee5caa3e4b6c25c381a648a434bd9948cd135b7c6b5762d76b
NetSupport
78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d
NetSupport
7d0d90421c693bdce633631ead3b383c79c5661d1bf1b2050d8e6d4bb20e3ebb
NetSupport
9abf5b351dc72198394c4981f2fb1550671ef9d0afc57edc2aa9bc27e9c8561f
NetSupport
b0383b31ab663412a3a50e9a19032942a4819320055577f583b0831760a8cf12
NetSupport
e6d4e6a686547d40a4e00d827bb2d572f7a1f997785af50d6ecd1c1446e7afcf
NetSupport
error
NetSupport
+ 1'489 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport adware discovery execution rat spyware
Link:
https://tria.ge/reports/251210-xtwc7a1kdj/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Drops startup file
NetSupport
Netsupport family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1ab8d6b8-e904-49a8-8975-f3ca551b4ea6
Unpacked files
SH256 hash:
b0383b31ab663412a3a50e9a19032942a4819320055577f583b0831760a8cf12
MD5 hash:
7255bb55572bb9e0db22fabd63cd4043
SHA1 hash:
c59ce8b46b62de783e4321a1dd50bd13d9606866
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
SH256 hash:
f4d3d77dc0793755fc0bf053acd912914deea4a95bf9beeecf6a4544527609bc
MD5 hash:
81fb8d835fc6b76ec4966719b92767ae
SHA1 hash:
e365ab7fe0920cbd1f94b88e5600532d141511b6
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
SH256 hash:
766bb3e6f46b5d559c2118567f7cf1e4b7a63071b2a5c82b6e2929c3bf1d28dc
MD5 hash:
51bc5dec7a211d822e585b4c47f22c7e
SHA1 hash:
521c251ca80bee2aae35f5357476086fb00d1ec5
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
SH256 hash:
8ea6936fc4ca64cf0e7af601f9d0dea2e8af7257cf455d8d59c880ccb7d5b232
MD5 hash:
dbf1858fa0fd27f4de4cabbe39297dcb
SHA1 hash:
8c5c3c00bb6f4afff512b6384aec84d1fb8ef33b
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
SH256 hash:
bccb589c606fa224308675b45fe4b7e72c76419f0007566da449092b8f131f72
MD5 hash:
f3bd6274ffd4f575b5dab3fca60f0cf2
SHA1 hash:
2e58d5b247ec0e252dcea3bdef11314231f4fb54
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
SH256 hash:
7777d00899458e344f50c85e2c88cd5f7978ebfb12ac15a3e607b0e3a7463a9d
MD5 hash:
2e1c8a09a872943c64b099cae6fff861
SHA1 hash:
59e1eda165c1f4eff5521d0c80cf01b53ed7cc29
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
SH256 hash:
10b93b2127ce19a1f905b7e34705d822c95dc021c9db87500d6dbadd999c95a3
MD5 hash:
872709cfc1ffef4557a383c584ede051
SHA1 hash:
c9db604a07aa3567609239feeeef75e508598dab
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
SH256 hash:
a79a86f6283079ede23c483e57504dd7c042bc2df483a240256025f770bbc715
MD5 hash:
9b1bc59484930572a0d078c75b8bdaa2
SHA1 hash:
56cb927156d577ed6fdfd34cc7b6d8a7a2511a38
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
SH256 hash:
13e54759eb5efe2d8b15ffdeb82b30745b9b59ba0ba84ed26854e419d5688d57
MD5 hash:
8e873016e93093a490a987507bfcf660
SHA1 hash:
46fda50251783ce918a0e9532d18161372dd3b27
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
SH256 hash:
c8b3e949d140bbd5b10e70b267a4bd4d417ce4524dcf773d45db8e03422e98a0
MD5 hash:
5d7d98f54670ff0800f205a9d9dd5fe5
SHA1 hash:
6be0d6f067c648fc71c2d98274d2167078736ba0
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
SH256 hash:
3c9d8be726c77794c2d1afde424dc325c413cd3c85e340b7a65d4b0749f4dad4
MD5 hash:
a9c7c3febfa682b9c6b34f812f07b24d
SHA1 hash:
14edcf4cbfbfe4ddb5f79ec3ca4c6094955ec6ae
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
SH256 hash:
3d40ce41fce50afd9c29ea2dc366f9dc7fe4f6cf6dfe9a24d8405e1e80423ce7
MD5 hash:
45e57d8b72934a868ebf471b28c80493
SHA1 hash:
49acc513cf374498e1f9ea8b9d545787e44e35da
Link:
https://www.unpac.me/results/4ecc0316-7f74-4dc4-8b1f-48917cad25a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0383b31ab663412a3a50e9a19032942a4819320055577f583b0831760a8cf12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/44205/

Comments