MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7cefe78fa66d76523beb05969fc5df2eff2db1512249bbcf9fd8fb2220723de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7cefe78fa66d76523beb05969fc5df2eff2db1512249bbcf9fd8fb2220723de
SHA3-384 hash: 28104e8943baaa5f3b6bd86f536b3e574ff7302bc50fc2f84047563e3155da14a53791bad5116b37061eadf8ec863834
SHA1 hash: 8669b75f72f984e5f71e8881338bfb7567651950
MD5 hash: 5061438f995eb7e0accf5c07fe17a982
humanhash: october-foxtrot-seven-triple
File name:Goodyear_setup.exe
Download: download sample
Signature NetSupport
Create hunting rule
File size:8'790'440 bytes
First seen:2025-12-04 20:34:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (58 x BlankGrabber, 26 x Efimer, 22 x NetSupport)
ssdeep 196608:0Cugl7UMTurHmoFP/XRL94GG2NTsj+lOnOM:0CuauCAXH4GZM
Threatray 975 similar samples on MalwareBazaar
TLSH T135963357B2AC03EEF9A59238B5B18471C269BF171B25C583B2E4DD6E0D232CC16363D6
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon ecec889ce6d8e8f0 (40 x Formbook, 23 x AgentTesla, 13 x SnakeKeylogger)
Reporter smica83
Tags:69-164-241-252 exe lucifer-now NetSupport signed

Code Signing Certificate

Organisation:RITZ AND JOHNSON BUILDING PARTNERSHIP, LLC
Issuer:Microsoft ID Verified CS EOC CA 02
Algorithm:sha384WithRSAEncryption
Valid from:2025-12-02T11:25:05Z
Valid to:2025-12-05T11:25:05Z
Serial number: 3300058bd460154028b0e8504e000000058bd4
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: cd70b88e35322ce153ef9b8213caa54c7811e32f8d2bd7b7ea59aa74898449ec
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
69.164.241.252:443 https://threatfox.abuse.ch/ioc/1667783/

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
PyInstaller
Details
PyInstaller
a compiled assembly and a Python version
Link:
https://research.acce.ciphertechsolutions.com/results/35be1c7f-5e76-4022-8d0a-90ad422909c4/
Malware family:
netsupport
Create hunting rule
ID:
1
File name:
goodyearlogistic.us
Verdict:
Malicious activity
Analysis date:
2025-12-04 17:33:11 UTC
Tags:
python pyinstaller netsupport rmm-tool remote
Link:
https://app.any.run/tasks/d23d6345-608e-4682-ab61-dd2d7ef98a51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42565/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6931f08d221589dfd96c1a5b
Tags:
installer extens shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context expand lolbin microsoft_visual_cc overlay packed pyinstaller short-lived-cert signed
Link:
https://www.filescan.io/uploads/6931f089bba50eaf0421d819/reports/4b581be6-1b27-4986-a5f5-7c4a417a2ab0/overview
Verdict:
Suspicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/c7cefe78fa66d76523beb05969fc5df2eff2db1512249bbcf9fd8fb2220723de
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-12-02T17:03:00Z UTC
Last seen:
2025-12-06T07:46:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Agent.smfanj
Link:
https://opentip.kaspersky.com/c7cefe78fa66d76523beb05969fc5df2eff2db1512249bbcf9fd8fb2220723de/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/20113f65-5d46-446d-b12d-e27755dcac41
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1826779
Signature
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1826779 Sample: Goodyear_setup.exe Startdate: 04/12/2025 Architecture: WINDOWS Score: 48 68 Suricata IDS alerts for network traffic 2->68 70 Sigma detected: New RUN Key Pointing to Suspicious Folder 2->70 72 Joe Sandbox ML detected suspicious sample 2->72 74 Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder 2->74 9 Goodyear_setup.exe 23 2->9         started        13 svchost.exe 1 2 2->13         started        process3 file4 48 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->48 dropped 50 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->50 dropped 52 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 9->52 dropped 54 18 other files (none is malicious) 9->54 dropped 76 Found pyInstaller with non standard icon 9->76 15 Goodyear_setup.exe 13 9->15         started        signatures5 process6 dnsIp7 64 69.10.38.246, 49696, 80 IS-AS-1US United States 15->64 66 127.0.0.1 unknown unknown 15->66 18 chrome.exe 2 15->18         started        21 cmd.exe 1 15->21         started        23 cmd.exe 1 15->23         started        25 5 other processes 15->25 process8 dnsIp9 56 192.168.2.8, 138, 443, 49673 unknown unknown 18->56 58 192.168.2.26 unknown unknown 18->58 27 chrome.exe 18->27         started        30 powershell.exe 15 21->30         started        32 conhost.exe 21->32         started        34 conhost.exe 23->34         started        36 xcopy.exe 1 23->36         started        38 conhost.exe 25->38         started        40 conhost.exe 25->40         started        42 conhost.exe 25->42         started        44 conhost.exe 25->44         started        process10 dnsIp11 60 goodyearlogistic.us 157.250.198.7, 443, 49697 VECTANTARTERIANetworksCorporationJP Japan 27->60 62 www.google.com 142.250.138.104, 443, 49710 GOOGLEUS United States 27->62 46 reg.exe 1 1 30->46         started        process12
Score:
88%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c7cefe78fa66d76523beb05969fc5df2eff2db1512249bbcf9fd8fb2220723de
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/5061438f995eb7e0accf5c07fe17a982
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7cefe78fa66d76523beb05969fc5df2eff2db1512249bbcf9fd8fb2220723de/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/c7cefe78fa66d76523beb05969fc5df2eff2db1512249bbcf9fd8fb2220723de
Threat name:
Win64.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-12-03 04:46:19 UTC
File Type:
PE+ (Exe)
Extracted files:
573
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y7hp46h2m3lwki56wbmwt7c56lx7fwyvcisjxphz7wh3eiqheppa._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
929ecd4f42f496059e77888c8f2604115733bcefdd21ad8563814eb4da65005f
NetSupport
ac111f304d1210d1c5bf283e7fb02fd004a42c4d6e56a11e1118d807c052f15d
NetSupport
d247b3923c621bdbef663c33ff3cf57072da3e207562ef4823d71aa99d976b6c
NetSupport
dd2aa1556e882b63666b680a4768056773719fdb847cc7a525c3a9bd9a915fb8
NetSupport
error
NetSupport
f9f36ab8f6151eb5b18441144ab02984ddc39aa3bdb0fd5ea2014cbdfd820d9a
NetSupport
+ 965 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  4/10
Tags:
discovery pyinstaller
Link:
https://tria.ge/reports/251204-zc6hyadp7z/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/034af44e-a669-4393-a9ff-31839b3e6762
Unpacked files
SH256 hash:
c7cefe78fa66d76523beb05969fc5df2eff2db1512249bbcf9fd8fb2220723de
MD5 hash:
5061438f995eb7e0accf5c07fe17a982
SHA1 hash:
8669b75f72f984e5f71e8881338bfb7567651950
Link:
https://www.unpac.me/results/2b15a74b-8b17-4077-ad94-f14f9d781978/
SH256 hash:
007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe
MD5 hash:
8d4805f0651186046c48d3e2356623db
SHA1 hash:
18c27c000384418abcf9c88a72f3d55d83beda91
Link:
https://www.unpac.me/results/2b15a74b-8b17-4077-ad94-f14f9d781978/
SH256 hash:
052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4
MD5 hash:
32da96115c9d783a0769312c0482a62d
SHA1 hash:
2ea840a5faa87a2fe8d7e5cb4367f2418077d66b
Link:
https://www.unpac.me/results/2b15a74b-8b17-4077-ad94-f14f9d781978/
SH256 hash:
6a99bc0128e0c7d6cbbf615fcc26909565e17d4ca3451b97f8987f9c6acbc6c8
MD5 hash:
c0c0b4c611561f94798b62eb43097722
SHA1 hash:
523f515eed3af6d50e57a3eaeb906f4ccc1865fe
Link:
https://www.unpac.me/results/2b15a74b-8b17-4077-ad94-f14f9d781978/
SH256 hash:
ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7
MD5 hash:
ae5b2e9a3410839b31938f24b6fc5cd8
SHA1 hash:
9f9a14efc15c904f408a0d364d55a144427e4949
Link:
https://www.unpac.me/results/2b15a74b-8b17-4077-ad94-f14f9d781978/
SH256 hash:
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
MD5 hash:
0f8e4992ca92baaf54cc0b43aaccce21
SHA1 hash:
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
Link:
https://www.unpac.me/results/2b15a74b-8b17-4077-ad94-f14f9d781978/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7cefe78fa66d76523beb05969fc5df2eff2db1512249bbcf9fd8fb2220723de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/42565/

Comments