MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6d8b7c78c298467160914a538f62b301f74d62095240a4c6804946fcb9d7ae6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 10


Intelligence 10 IOCs YARA 54 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6d8b7c78c298467160914a538f62b301f74d62095240a4c6804946fcb9d7ae6
SHA3-384 hash: 3a4c25d27adc829f4245e7461ba743564bb37b54735514338809bdab34b601beb0f19ed2f7fa7e31db8203cce225934d
SHA1 hash: 97e6e79d0fb1e8fd6156a45b461525e17c1be404
MD5 hash: aaf5afd63b231250e82e1b1efc928559
humanhash: east-lithium-jig-high
File name:software.zip
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'234'637 bytes
First seen:2026-02-24 08:06:28 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 49152:TL3OcoOLUZT6N/PQO8uE7eRjRfS6XxrHArLVm3Cu9d4z2TxTxH//ioy:vS0Y6Nwp6Rj1XxrHArLlk4zwf/Dy
TLSH T114A533C9FE04CD19E708B2BAD3C85CEFD9BAF15C4C5C16C0D9A9978A444D9E839BC285
Magika zip
Reporter JAMESWT_WT
Tags:172-86-110-149 client32 ini LIC NetSupport zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
IT IT
File Archive Information

This file archive contains 12 file(s), sorted by their relevance:

File name:nskbfltr.inf
File size:328 bytes
SHA256 hash: d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368
MD5 hash: 26e28c01461f7e65c402bdf09923d435
MIME type:application/x-setupscript
Signature NetSupport
File name:HTCTL32.DLL
File size:328'056 bytes
SHA256 hash: edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
MD5 hash: 2d3b207c8a48148296156e5725426c7f
MIME type:application/x-dosexec
Signature NetSupport
File name:TCCTL32.DLL
File size:396'664 bytes
SHA256 hash: 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
MD5 hash: eab603d12705752e3d268d86dff74ed4
MIME type:application/x-dosexec
Signature NetSupport
File name:Client32.ini
File size:466 bytes
SHA256 hash: d2fe8f45dcc0808cb53b2c0ea09100096778c958e0e8b8e6f6981ab9a9451974
MD5 hash: e77ba4487ec27f890699860fcfac23e6
MIME type:text/plain
Signature NetSupport
File name:NSM.ini
File size:6'458 bytes
SHA256 hash: 60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92
MD5 hash: 88b1dab8f4fd1ae879685995c90bd902
MIME type:application/x-wine-extension-ini
Signature NetSupport
File name:PCICHEK.DLL
File size:18'808 bytes
SHA256 hash: 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
MD5 hash: a0b9388c5f18e27266a31f8c5765b263
MIME type:application/x-dosexec
Signature NetSupport
File name:msvcr100.dll
File size:773'968 bytes
SHA256 hash: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
MD5 hash: 0e37fbfa79d349d672456923ec5fbbe3
MIME type:application/x-dosexec
Signature NetSupport
File name:pcicapi.dll
File size:33'144 bytes
SHA256 hash: 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
MD5 hash: dcde2248d19c778a41aa165866dd52d0
MIME type:application/x-dosexec
Signature NetSupport
File name:PCICL32.DLL
File size:3'735'416 bytes
SHA256 hash: 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
MD5 hash: 00587238d16012152c2e951a087f2cc9
MIME type:application/x-dosexec
Signature NetSupport
File name:NSM.LIC
File size:257 bytes
SHA256 hash: ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54
MD5 hash: 390c964070626a64888d385c514f568e
MIME type:text/plain
Signature NetSupport
File name:client32.exe
File size:120'288 bytes
SHA256 hash: 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268
MD5 hash: ee75b57b9300aab96530503bfae8a2f2
MIME type:application/x-dosexec
Signature NetSupport
File name:remcmdstub.exe
File size:77'280 bytes
SHA256 hash: 6558b3307215c4b73fc96dc552213427fb9b28c0cb282fe6c38324f1e68e87d6
MD5 hash: 1768c9971cea4cc10c7dd45a5f8f022a
MIME type:application/x-dosexec
Signature NetSupport
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/4f4cb539-38e1-4374-89ba-910c7ebb54ea/
Detection(s):
SecuriteInfo.com.Trojan.RA.587.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.11410.22550.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BackDoor.RMS.153.29099.23692.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.26913.7397.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.23370.1523.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.3834.24092.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.931.9401.9800.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.837.17585.19372.UNOFFICIAL
Create hunting rule

PUA.Win.Tool.NetSupport-10022498-8
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694e8a7001c7b4a8fe56256c
Tags:
injection netsup virus shell
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-debug expired-cert exploit fingerprint microsoft_visual_cc signed
Link:
https://www.filescan.io/uploads/699d5c3910e80629d4efc673/reports/cd4e842e-9a41-4c4b-a7a9-5fcfa9269da9/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d6d8b7c78c298467160914a538f62b301f74d62095240a4c6804946fcb9d7ae6
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/d6d8b7c78c298467160914a538f62b301f74d62095240a4c6804946fcb9d7ae6
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
zip
Link:
https://opentip.kaspersky.com/d6d8b7c78c298467160914a538f62b301f74d62095240a4c6804946fcb9d7ae6/results?tab=lookup
Score:
85%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/d6d8b7c78c298467160914a538f62b301f74d62095240a4c6804946fcb9d7ae6
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6d8b7c78c298467160914a538f62b301f74d62095240a4c6804946fcb9d7ae6/
Threat name:
Win32.PUA.Netsupportrat
Create hunting rule
Status:
Malicious
First seen:
2026-02-23 09:57:46 UTC
File Type:
Binary (Archive)
Extracted files:
453
AV detection:
14 of 24 (58.33%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=23mlpr4mfgcgofqjcsstr5rlgapxjvrasusautdiaskg7s45plta._file
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery rat
Link:
https://tria.ge/reports/260224-l3jj7shz9d/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6d8b7c78c298467160914a538f62b301f74d62095240a4c6804946fcb9d7ae6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NetSupportRAT_Config
Create hunting rule
Author:abuse.ch
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NetSupport
Create hunting rule
Author:YungBinary
Description:Detects NetSupport Manager RAT on disk or in memory
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

zip d6d8b7c78c298467160914a538f62b301f74d62095240a4c6804946fcb9d7ae6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3784155/
  
Delivery method
Distributed via web download

Comments