MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9576867738918a2d065dfa9b78ec9657a2a8a7464d786d836bfdc843d43a812. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	b9576867738918a2d065dfa9b78ec9657a2a8a7464d786d836bfdc843d43a812
SHA3-384 hash:	7d86cdabcde7531b8643a64cc0387c0794db632e4496a5012613178b89909b0ee6ea0d3dd9c0cd4b67eb500df04293c3
SHA1 hash:	5273a810423d27ffee43dcea27aeb6d6d422fde3
MD5 hash:	40a592933c142f7ed0e9fe26f1c2d0a1
humanhash:	october-green-fifteen-beryllium
File name:	VerifierImGui.exe
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	4'744'768 bytes
First seen:	2025-11-11 18:53:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	46ce5c12b293febbeb513b196aa7f843 (15 x GuLoader, 6 x RemcosRAT, 5 x VIPKeylogger)
ssdeep	98304:+GjW4HRD7eWKnxG/oM7CzWTEoYsQr4oPkInb0XTYafLGZ/eh:+0D5N/7GzWvYcoDmF6Z/eh
Threatray	1'440 similar samples on MalwareBazaar
TLSH	T17A263355BC54F552E2E52BF4E8FBC8D3B5133E1214AADB4D82037AC2D6A2D5A181D333
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	SquiblydooBlog
Tags:	185-39-19-233 cromvix-com exe jelaromo-com NetSupport signed

Code Signing Certificate

Organisation:	SMI Consulting GmbH
Issuer:	SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:	sha256WithRSAEncryption
Valid from:	2025-09-29T19:07:20Z
Valid to:	2026-08-19T14:18:52Z
Serial number:	31f2b8df98119016d60a1dfd656fe40e
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	7d42f318c358e4cbefe8c15e487fb1c1100b9a7c542f130d20d3834c912813ed
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

Vendor Threat Intelligence

Malware family:

netsupport

ID:

File name:

VerifierImGui.exe

Verdict:

Malicious activity

Analysis date:

2025-11-11 18:56:34 UTC

Tags:

arcstealer stealer netsupport rmm-tool auto-startup remote auto rat arch-exec tool

Link:

https://app.any.run/tasks/490b71ca-4b19-4d39-a454-79945ea24a28

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NetSupport

Link:

https://www.capesandbox.com/analysis/36963/

Detection(s):

SecuriteInfo.com.Program.RemoteAdmin.837.26913.7397.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.23370.1523.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.936.1626.21597.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.6938.15409.UNOFFICIAL

SecuriteInfo.com.W32.Tool.BZJE-3335.26827.20166.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.837.11410.22550.UNOFFICIAL

PUA.Win.Tool.NetSupport-10022498-8

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69138658e2c9ded75d797988

Tags:

vmdetect autorun netsup

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug base64 blackhole evasive fingerprint installer installer installer-heuristic microsoft_visual_cc nsis overlay packed signed

Link:

https://www.filescan.io/uploads/69138656413b181bff2130bc/reports/7fdc6222-7ed7-41ae-9f92-804b85b8962e/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/b9576867738918a2d065dfa9b78ec9657a2a8a7464d786d836bfdc843d43a812

Verdict:

Adware

File Type:

exe x32

First seen:

2025-11-09T13:44:00Z UTC

Last seen:

2025-11-09T22:38:00Z UTC

Hits:

~10

Detections:

BSS:Trojan.Win32.Generic PDM:Trojan.Win32.Generic not-a-virus:RemoteAdmin.Win32.NetSup.ck not-a-virus:RemoteAdmin.Win32.NetSup.bm not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen not-a-virus:VHO:RemoteAdmin.Win32.NetSup.bm RemoteAdmin.NetSup.UDP.C&C

Link:

https://opentip.kaspersky.com/b9576867738918a2d065dfa9b78ec9657a2a8a7464d786d836bfdc843d43a812/results?tab=lookup

Malware family:

Khalesi

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b6f58a1b-ddb9-4caa-8e6f-219f5018f2d8

Score:

82%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b9576867738918a2d065dfa9b78ec9657a2a8a7464d786d836bfdc843d43a812

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/40a592933c142f7ed0e9fe26f1c2d0a1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b9576867738918a2d065dfa9b78ec9657a2a8a7464d786d836bfdc843d43a812/

Verdict:

Malicious

Threat:

Family.NETSUPPORT

Link:

https://tip.neiki.dev/file/b9576867738918a2d065dfa9b78ec9657a2a8a7464d786d836bfdc843d43a812

Threat name:

Win32.Hacktool.NetSupport

Status:

Malicious

First seen:

2025-11-11 09:39:08 UTC

File Type:

PE (Exe)

Extracted files:

477

AV detection:

14 of 23 (60.87%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xflwqz3tremkfudf36u3pdwjmv5cvctumtlynwbwx7oiipkdvaja._file

Verdict:

malicious

Label(s):

netsupportmanagerrat

NetSupport

365caf34915aab7f80a45c6dbbac7637605e81100a2944a4957624567029e41c

NetSupport

545812664008d0b35cf61c15c79526b1d5d05aef886a3f85c9056570fbf13933

NetSupport

966437012d3312230a38ec8b025140a6f55932a60b012e5d0fe649c8a6b71b17

NetSupport

b9576867738918a2d065dfa9b78ec9657a2a8a7464d786d836bfdc843d43a812

NetSupport

error

NetSupport

ff2db923f9b0b3d9122b852b36552c881d26e863f0fa078eefca74f2de11ba57

NetSupport

+ 1'430 additional samples on MalwareBazaar

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport discovery execution rat

Link:

https://tria.ge/reports/251111-xka1ws1mes/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops startup file

Executes dropped EXE

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

NetSupport

Netsupport family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/64c144d9-1ca9-4048-b8cb-1507e279c88d

Unpacked files

SH256 hash:

b9576867738918a2d065dfa9b78ec9657a2a8a7464d786d836bfdc843d43a812

MD5 hash:

40a592933c142f7ed0e9fe26f1c2d0a1

SHA1 hash:

5273a810423d27ffee43dcea27aeb6d6d422fde3

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

098688e08e2caa342e5497a283c7733ad6de383b6dfedcef543e11126f8d7273

MD5 hash:

3631f7089d8e52e1cf5e4ae8c81f22c6

SHA1 hash:

46f19fc8fb97157ed54b7afab09e0a10945ffb0d

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

0e4e1f5f1e8c28cc2929b83f6872244e32bc9aa762043975147519028602004c

MD5 hash:

3cc0d4b82eb73e669b4a7356c543c15b

SHA1 hash:

10ba8db6e9d3bbf7cb095929bb97f3f04c6e26ac

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

29cdc43a6a93eb38bf2a91cf5ee98e9b39f0cf42a9c6a44e6257d3eeec343cc1

MD5 hash:

c18e3b9412695b54ef739a676cd6906a

SHA1 hash:

df7d20519fc6d8cc9c1e152596d30d919eaee3e5

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

34d7972a077f9d1fe89fca3cb3c21ef516fadfcdc472b879e31d3453c36ba2e1

MD5 hash:

1726da743fe6922bf41222c7bbd98783

SHA1 hash:

9153513bfb45f62c7286e862603a31fafebd4ef9

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

3e31977eb7c1ac7cd229fec0843d5eb2139d3287d6bd20c76bb1c900b1ef3de6

MD5 hash:

670c0738de27a0eed6aea5175fb3630d

SHA1 hash:

cb45b448ac7f60ea0f934d7652d5868e1303cde2

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

4ad6a81ba5cfad0cdd2afd6b7da8d9ec3d083833f26bbe5b43a4d902b5809d43

MD5 hash:

675de0b44ee6a1be7ee580b0c108a9c1

SHA1 hash:

097fae4328e5a352b31a598175458e6566aeed4e

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

740a962561516609de02d85a705f7fca52000f566ae18e25194deec7b959a99e

MD5 hash:

89b88c5181e5cc61eee223e6247c2e44

SHA1 hash:

72c473446a0e9cd5b8effc7eddcb4a65960c7014

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

895ff1e9950a027f7c62473960b87811e2adc92d80d3fa2ae16265f38cbbfadd

MD5 hash:

8bfcd4d64b542364b03ec51c57d4e158

SHA1 hash:

532e540a162a19394404efab98bf33184a0e41fb

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c

MD5 hash:

9b38a1b07a0ebc5c7e59e63346ecc2db

SHA1 hash:

97332a2ffcf12a3e3f27e7c05213b5d7faa13735

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

93b2ff0d20f2f54b70bb01e4bfc052ab3e14746315814311a0c1d750e1a12e29

MD5 hash:

705e785d61872af3a150e3d6ed235a42

SHA1 hash:

b67dd053090cd86e3596c9980ebfd54916139a9b

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

a22ef0b3a2cf8963e3569cb465f3e6da8ace668bd7211b78bd7372ec9890f0ab

MD5 hash:

a9e1f094d2902a8595b30d2c0ba5e339

SHA1 hash:

fad7c1cdc01c5c91ffe0d7aea0b34be8c7232b87

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

a786919e445c427f8fd39889a154d0de612621557682dce30af1d9c97ed51f8b

MD5 hash:

8180e4b557af3a527cfaaf960b4506ad

SHA1 hash:

f74accad663059212aadf67d29e9113adcc4898a

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

a8a641fea5a1dda705795826b23fe0a51ee940141ff07a3617c3370dd2712a62

MD5 hash:

e721b1f84750aefa8fbd4efd003f33a1

SHA1 hash:

31353b53de4b427a244a9bd66c8f3a7c3a1417ba

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

af56fa73fe0838429b82b75bfdf78d64785c572e278748446dcb81a5e0d25e0c

MD5 hash:

5f78ef1160b4343c1842f6004fc7ab7d

SHA1 hash:

cb9ca1bae0a11861c79ee41a7acc162ab6ad58bf

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

b214bf1239cbc57decc733eb7bc0c6f84f042eed0f7119fce8c86a9929b8ce36

MD5 hash:

463eb078c62e09cb49fa478eb3c493fd

SHA1 hash:

43ce49abb768907db6828a25a81d38e951dc1431

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

cc0eea264b97dab5b9d98b7b2e83c3c36b236741b7296fd8532465528f1b9c00

MD5 hash:

fef077e99d5e4cbded184a1865d764b6

SHA1 hash:

9f6d6f5f8e0204a4c53019d7735228abd3041a76

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

ccbe6f73f1d9926f23433e0aef29bc061d5aff984381f0b084d1665655f284d4

MD5 hash:

8ca23e646aed2a8485c7186bbadd2a71

SHA1 hash:

93c96fbcd7524b95e48173dbb0400619a61371e7

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

d130a78fe1482b03635f3a85fd8c238bbdab1c8a1c0a67fefa3e43f5f5257943

MD5 hash:

c45c0f21f23863bcc0d4a1bcf9a8ec13

SHA1 hash:

a77892d0979bcc29641d1ab7f3f6eb804ead5783

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

dc41865c40d02515a46159caedf8491298eccfb1c736fe72cc2ee96ca4eeb363

MD5 hash:

ee7495ac540f94fa585ee481f0a72710

SHA1 hash:

0a6c65a3554779562acc459d04a57234b8b7cd4a

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

e0dc3112796dbaa37f25ab54b7fac2fbf791cbc6e36a84fc61c6423b84a3677b

MD5 hash:

e6f30908abfc6f53b7c3c36daec4586d

SHA1 hash:

a9ce4ceb9121c0f4375010438359f564f77506e3

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

SH256 hash:

f7dd5d92adff833ce0de10c4e4b7491135283f7a3fa54ae978a15137f87405ad

MD5 hash:

f4e46a670d903496518f3926e230ca45

SHA1 hash:

6329639df1f014b2cfbe59c7e250905ae3f4509f

Link:

https://www.unpac.me/results/3ef9162f-5dae-450d-9bc4-3b76d67b8edd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b9576867738918a2d065dfa9b78ec9657a2a8a7464d786d836bfdc843d43a812

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/36963/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample