MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bab6b29d9e2d11ea8a68eecdb569f9848b755e2bb3b93a737ef42a9b67d4d579. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 10

Intelligence 10 IOCs YARA 42 File information Comments

SHA256 hash:	bab6b29d9e2d11ea8a68eecdb569f9848b755e2bb3b93a737ef42a9b67d4d579
SHA3-384 hash:	46392393043b0ce0bc07119d9ac33270cd03ca4f7e95d88b4023a72fda98ec1897385ba7998158ff9ffd36e3a1b1d2a2
SHA1 hash:	4dfda2719e57aaa3f15c10cff9e74e72ab0e7311
MD5 hash:	e14d1504f25e303635c36b88955d8373
humanhash:	johnny-hydrogen-six-ceiling
File name:	at.zip
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	2'214'659 bytes
First seen:	2026-03-17 06:54:58 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	49152:rvWKcquaZYrp7RnWVnJTmm3F+WVcBdj3b2+3bw/0JBAThAnM1N9G:rSqukStW/VYj3b2+30/wBiVG
TLSH	T159A5339A990D899FC54B4F74C10B5E1AD33E3A41F25E7080F6728252CC89B9F5BB871D
Magika	zip
Reporter	JAMESWT_WT
Tags:	152-89-244-70 bkng-updt-com booking client32 FakeCaptcha ini LIC NetSupport zip

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

File Archive Information

This file archive contains 14 file(s), sorted by their relevance:

File name:	nskbfltr.inf
File size:	328 bytes
SHA256 hash:	d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368
MD5 hash:	26e28c01461f7e65c402bdf09923d435
MIME type:	application/x-setupscript
Signature	NetSupport

File name:	HTCTL32.DLL
File size:	323'912 bytes
SHA256 hash:	6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269
MD5 hash:	051cdb6ac8e168d178e35489b6da4c74
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	TCCTL32.DLL
File size:	387'400 bytes
SHA256 hash:	6ffe12cdfe0a36dec4b4a40ecdafb4097b1af7c340b0fcecf9f5c67b7fa8b299
MD5 hash:	1e6e804ca71eaf5bef0abef95c578cf0
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	NSM.ini
File size:	6'099 bytes
SHA256 hash:	e0ed36c897eaa5352fab181c20020b60df4c58986193d6aaf5bf3e3ecdc4c05d
MD5 hash:	99f493dce7fab330dc47f0cab8fe6172
MIME type:	text/plain
Signature	NetSupport

File name:	Service.exe
File size:	120'256 bytes
SHA256 hash:	56ebaf8922749b9a9a7fa2575f691c53a6170662a8f747faeed11291d475c422
MD5 hash:	0e660f7e5a6621a9185a7b8080364500
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	client32.ini
File size:	784 bytes
SHA256 hash:	b61a9fe03c1eaf48f1edb89f5933ca0a62c79f88810c9f5d5fa02538409b0ccf
MD5 hash:	42925e7e1f24c9941be3a8c02827c310
MIME type:	text/plain
Signature	NetSupport

File name:	AudioCapture.dll
File size:	89'416 bytes
SHA256 hash:	2cc8ebea55c06981625397b04575ed0eaad9bb9f9dc896355c011a62febe49b5
MD5 hash:	7629af8099b76f85d37b3802041503ee
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	PCICHEK.DLL
File size:	14'664 bytes
SHA256 hash:	0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
MD5 hash:	3aabcd7c81425b3b9327a2bf643251c6
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	msvcr100.dll
File size:	773'968 bytes
SHA256 hash:	8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
MD5 hash:	0e37fbfa79d349d672456923ec5fbbe3
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	pcicapi.dll
File size:	108'944 bytes
SHA256 hash:	2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689
MD5 hash:	67c53a770390e8c038060a1921c20da9
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	PCICL32.DLL
File size:	3'490'632 bytes
SHA256 hash:	b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80
MD5 hash:	e7b92529ea10176fe35ba73fa4edef74
MIME type:	application/x-dosexec
Signature	NetSupport

File name:	NSM.LIC
File size:	251 bytes
SHA256 hash:	e09980d1b1c508eb29d2931ac92f8d0a7e49ca5fe6ab6277fabf097a0b033b63
MD5 hash:	5d7445efa8a5560842c868369127cd79
MIME type:	text/plain
Signature	NetSupport

File name:	nsm_vpro.ini
File size:	46 bytes
SHA256 hash:	4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b
MD5 hash:	3be27483fdcdbf9ebae93234785235e3
MIME type:	text/plain
Signature	NetSupport

File name:	remcmdstub.exe
File size:	59'728 bytes
SHA256 hash:	b11380f81b0a704e8c7e84e8a37885f5879d12fbece311813a41992b3e9787f2
MD5 hash:	5be6fb8f28544d4f83c25a2b76ff7890
MIME type:	application/x-dosexec
Signature	NetSupport

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/b09cfe36-7f9c-4830-ba84-339c2622f834/

Detection(s):

SecuriteInfo.com.Program.RemoteAdmin.840.7376.24721.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.6705.12909.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.26785.29824.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.29128.13096.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.24227.28946.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.21425.23064.UNOFFICIAL

SecuriteInfo.com.Trojan.RA.587.UNOFFICIAL

SecuriteInfo.com.Program.RemoteAdmin.840.305.6900.UNOFFICIAL

PUA.Win.Tool.NetSupport-10022498-8

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=698c340338c84aca0d32d145

Tags:

injection netsup obfusc virus

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

anti-debug expired-cert exploit fingerprint microsoft_visual_cc signed

Link:

https://www.filescan.io/uploads/69b8fadd493cb7d62d01791b/reports/854ae7af-d210-4f63-a1fe-9a3aea811b9b/overview

Verdict:

Suspicious

Labled as:

Risk.RemoteAdmin

Link:

https://www.hybrid-analysis.com/sample/bab6b29d9e2d11ea8a68eecdb569f9848b755e2bb3b93a737ef42a9b67d4d579

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/bab6b29d9e2d11ea8a68eecdb569f9848b755e2bb3b93a737ef42a9b67d4d579

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Adware

File Type:

zip

Link:

https://opentip.kaspersky.com/bab6b29d9e2d11ea8a68eecdb569f9848b755e2bb3b93a737ef42a9b67d4d579/results?tab=lookup

Score:

82%

Verdict:

Malware

File Type:

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NetSupportRAT_Config Create hunting rule
Author:	abuse.ch

Rule name:	Armadillov1xxv2xx Create hunting rule
Author:	malware-lu

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NetSupport Create hunting rule
Author:	YungBinary
Description:	Detects NetSupport Manager RAT on disk or in memory

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Suspicious_Process Create hunting rule
Author:	Security Research Team
Description:	Suspicious process creation

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample