MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db51d42599c4f8b76c585753fc6594334c74351ea917f6e482d285df7f2b0045. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 11


Intelligence 11 IOCs YARA 42 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db51d42599c4f8b76c585753fc6594334c74351ea917f6e482d285df7f2b0045
SHA3-384 hash: 75ae53dd76a1dcf5ea0893da9ac4392e1c29086fc08b9f79d6b87eaf58b8bc6d5b5ae361c46fa9c76f1b7d0d85c826a2
SHA1 hash: 29362661b2f6543c94796202683546699266f5f4
MD5 hash: 6f02c97a1ce32547e5b6d0bf6d0482e4
humanhash: jersey-autumn-salami-bulldog
File name:FXYAGKCS.zip
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'266'945 bytes
First seen:2026-03-17 10:25:12 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 49152:EWZN6na5Ft9CTBVQ82e5GAJyiRQYsgUtLQD1+FfO3zUUREv:EWZrTiBVQ8J5ByiRQvtSCf7ky
TLSH T146A533EF407ADD2BCC27F06F4C1494BE724A978113BB4A91C1DAC327B4B70592ACD969
Magika zip
Reporter JAMESWT_WT
Tags:client32 ini LIC NetSupport newtxdlol-com yanewtxdlol-com zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
IT IT
File Archive Information

This file archive contains 14 file(s), sorted by their relevance:

File name:nskbfltr.inf
File size:328 bytes
SHA256 hash: d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368
MD5 hash: 26e28c01461f7e65c402bdf09923d435
MIME type:application/x-setupscript
Signature NetSupport
File name:HTCTL32.DLL
File size:323'912 bytes
SHA256 hash: 6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269
MD5 hash: 051cdb6ac8e168d178e35489b6da4c74
MIME type:application/x-dosexec
Signature NetSupport
File name:TCCTL32.DLL
File size:387'400 bytes
SHA256 hash: 6ffe12cdfe0a36dec4b4a40ecdafb4097b1af7c340b0fcecf9f5c67b7fa8b299
MD5 hash: 1e6e804ca71eaf5bef0abef95c578cf0
MIME type:application/x-dosexec
Signature NetSupport
File name:sysinfo.exe
File size:120'256 bytes
SHA256 hash: 56ebaf8922749b9a9a7fa2575f691c53a6170662a8f747faeed11291d475c422
MD5 hash: 0e660f7e5a6621a9185a7b8080364500
MIME type:application/x-dosexec
Signature NetSupport
File name:NSM.ini
File size:6'099 bytes
SHA256 hash: e0ed36c897eaa5352fab181c20020b60df4c58986193d6aaf5bf3e3ecdc4c05d
MD5 hash: 99f493dce7fab330dc47f0cab8fe6172
MIME type:text/plain
Signature NetSupport
File name:client32.ini
File size:779 bytes
SHA256 hash: 4e2b1eaaee8baebcc399a4fc68d0ab9a35fe6365354c7188da2ee5bd86a7fb31
MD5 hash: 248104f004071874d8b63c083946dad7
MIME type:text/plain
Signature NetSupport
File name:AudioCapture.dll
File size:89'416 bytes
SHA256 hash: 2cc8ebea55c06981625397b04575ed0eaad9bb9f9dc896355c011a62febe49b5
MD5 hash: 7629af8099b76f85d37b3802041503ee
MIME type:application/x-dosexec
Signature NetSupport
File name:PCICHEK.DLL
File size:14'664 bytes
SHA256 hash: 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
MD5 hash: 3aabcd7c81425b3b9327a2bf643251c6
MIME type:application/x-dosexec
Signature NetSupport
File name:msvcr100.dll
File size:773'968 bytes
SHA256 hash: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
MD5 hash: 0e37fbfa79d349d672456923ec5fbbe3
MIME type:application/x-dosexec
Signature NetSupport
File name:pcicapi.dll
File size:108'944 bytes
SHA256 hash: 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689
MD5 hash: 67c53a770390e8c038060a1921c20da9
MIME type:application/x-dosexec
Signature NetSupport
File name:PCICL32.DLL
File size:3'501'384 bytes
SHA256 hash: abd28aecb2d57660bcd9455333b84d289aa883eaf5cf15def1bf0feb35833aa2
MD5 hash: 91c51ac9c50c26ad3e4249cc7cba5d59
MIME type:application/x-dosexec
Signature NetSupport
File name:NSM.LIC
File size:251 bytes
SHA256 hash: e09980d1b1c508eb29d2931ac92f8d0a7e49ca5fe6ab6277fabf097a0b033b63
MD5 hash: 5d7445efa8a5560842c868369127cd79
MIME type:text/plain
Signature NetSupport
File name:nsm_vpro.ini
File size:46 bytes
SHA256 hash: 4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b
MD5 hash: 3be27483fdcdbf9ebae93234785235e3
MIME type:text/plain
Signature NetSupport
File name:remcmdstub.exe
File size:59'728 bytes
SHA256 hash: b11380f81b0a704e8c7e84e8a37885f5879d12fbece311813a41992b3e9787f2
MD5 hash: 5be6fb8f28544d4f83c25a2b76ff7890
MIME type:application/x-dosexec
Signature NetSupport
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/49addc32-e632-43fd-bf04-9ebbb9854241/
Detection(s):
SecuriteInfo.com.Program.RemoteAdmin.840.7376.24721.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.840.6705.12909.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.840.26785.29824.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.840.29128.13096.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.840.21425.23064.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.RA.587.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Program.RemoteAdmin.840.305.6900.UNOFFICIAL
Create hunting rule

PUA.Win.Tool.NetSupport-10022498-8
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698c340338c84aca0d32d145
Tags:
injection netsup obfusc virus
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-debug expired-cert exploit fingerprint microsoft_visual_cc signed
Link:
https://www.filescan.io/uploads/69b92c454ec2f522cc4c50f2/reports/bae864c8-8ddd-4fef-92f4-134df8514d1a/overview
Verdict:
Suspicious
Labled as:
Risk.RemoteAdmin
Link:
https://www.hybrid-analysis.com/sample/db51d42599c4f8b76c585753fc6594334c74351ea917f6e482d285df7f2b0045
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/db51d42599c4f8b76c585753fc6594334c74351ea917f6e482d285df7f2b0045
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Adware
File Type:
zip
Link:
https://opentip.kaspersky.com/db51d42599c4f8b76c585753fc6594334c74351ea917f6e482d285df7f2b0045/results?tab=lookup
Score:
82%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/db51d42599c4f8b76c585753fc6594334c74351ea917f6e482d285df7f2b0045
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Zip Archive
Link:
https://app.malva.re/file/6f02c97a1ce32547e5b6d0bf6d0482e4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db51d42599c4f8b76c585753fc6594334c74351ea917f6e482d285df7f2b0045/
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2026-03-17 10:08:17 UTC
File Type:
Binary (Archive)
Extracted files:
455
AV detection:
10 of 22 (45.45%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ni5ijmzyt4lo3cyk5j7yzmugnghini6vel7nzec2kc567zlabcq._file
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery rat
Link:
https://tria.ge/reports/260317-qhesqscy5y/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db51d42599c4f8b76c585753fc6594334c74351ea917f6e482d285df7f2b0045

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NetSupportRAT_Config
Create hunting rule
Author:abuse.ch
Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NetSupport
Create hunting rule
Author:YungBinary
Description:Detects NetSupport Manager RAT on disk or in memory
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments