MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2d315cf142f31dfa01d4653f1f1518f040e340e92abfd60ee17278955eba7e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2d315cf142f31dfa01d4653f1f1518f040e340e92abfd60ee17278955eba7e0
SHA3-384 hash: e01884acf58ab9a4818ef11ed9c8d1a8c5271baffa93b070a1b9d3a5ca0342784e9435814ff798b8d449e1f253a9d684
SHA1 hash: d10c942147ebfd18d8317b2507cb5b0d858da4a6
MD5 hash: 31219c985bb7b24b20b02b479e46eb25
humanhash: cup-lamp-mountain-pennsylvania
File name:f2d315cf142f31dfa01d4653f1f1518f040e340e92abfd60ee17278955eba7e0.msi
Download: download sample
Signature NetSupport
Create hunting rule
File size:3'968'000 bytes
First seen:2025-10-28 13:16:45 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:aDz3IGvjINMxGSl/ZC+1BZI9hUXe0DaqevQQ:mz33jzdC/aza5v
Threatray 63 similar samples on MalwareBazaar
TLSH T10806F126BA8FC527D61D0272E42DFE8E6439BE77076140D377E4789A5C318C263B9A43
TrID 77.3% (.MSI) Microsoft Windows Installer (454500/1/170)
10.3% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.5% (.MSP) Windows Installer Patch (44509/10/5)
3.3% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
1.3% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:msi NetSupport sonosnewbh-net sonosnewfq-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34510/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6900c2739942f1282ec9a6a9
Tags:
netsup emotet
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
cmd lolbin obfuscated remote threat wix
Link:
https://www.filescan.io/uploads/6900c3a5c85c5c569738dcac/reports/289f8303-a30d-4789-ac9d-77f5a1df7d9a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f2d315cf142f31dfa01d4653f1f1518f040e340e92abfd60ee17278955eba7e0
Verdict:
Malicious
File Type:
msi
First seen:
2025-10-23T11:32:00Z UTC
Last seen:
2025-10-28T15:48:00Z UTC
Hits:
~10
Detections:
Trojan.Script.NetSup.k Trojan.Script.NetSup.m BSS:Worm.Win32.BSS.ScreenLock Trojan-Banker.ChePro.HTTP.ServerRequest HEUR:Trojan.OLE2.Alien.gen RemoteAdmin.NetSup.UDP.C&C RemoteAdmin.NetSup.HTTP.C&C not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen BSS:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/f2d315cf142f31dfa01d4653f1f1518f040e340e92abfd60ee17278955eba7e0/results?tab=lookup
Score:
82%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/f2d315cf142f31dfa01d4653f1f1518f040e340e92abfd60ee17278955eba7e0
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2d315cf142f31dfa01d4653f1f1518f040e340e92abfd60ee17278955eba7e0/
Verdict:
Malicious
Threat:
Family.NETSUPPORT
Link:
https://tip.neiki.dev/file/f2d315cf142f31dfa01d4653f1f1518f040e340e92abfd60ee17278955eba7e0
Threat name:
Win32.Trojan.Suschil
Create hunting rule
Status:
Malicious
First seen:
2025-10-22 06:12:24 UTC
File Type:
Binary (Archive)
Extracted files:
495
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
05c38a73d9a4ea07d9a851a15fd649573835a3b4b62761b4a8b12133bd9e8de8
NetSupport
41efb861dbd52669d69c3fd0ae3cabbf7c993601ff3e88649810487b3e5b997b
NetSupport
a14dc4955ded009e6b905c16f7571705232d55247e87f1a5bd5ca6a1481d37e6
NetSupport
acfa8e673b641ed1be17dff41f52589605abbd3afe305a1580b3c8977e90a7fa
NetSupport
error
NetSupport
f949ee275f209fd614661403425595ac738d1963009231394a43bb85907206b2
NetSupport
+ 53 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery persistence privilege_escalation ransomware rat
Link:
https://tria.ge/reports/251028-qme93agt5h/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Drops startup file
NetSupport
Netsupport family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/58fa70ce-1c13-453f-80db-dda4cac1dac6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2d315cf142f31dfa01d4653f1f1518f040e340e92abfd60ee17278955eba7e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34510/

Comments