MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff2db923f9b0b3d9122b852b36552c881d26e863f0fa078eefca74f2de11ba57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport
Vendor detections: 16

SHA256 hash: ff2db923f9b0b3d9122b852b36552c881d26e863f0fa078eefca74f2de11ba57
SHA3-384 hash: 302abb7396ea393f76574510dd7f657ed21496153019a68c07b0ec11deb0b500c7988da9faf25dd4d4c5cdf126859fa8
SHA1 hash: 29db9464e23e89b74554060e54350ec34c0aa982
MD5 hash: 71f99df14b952623ca084e3da33bf3c5
humanhash: johnny-friend-diet-maine
File name: 71f99df14b952623ca084e3da33bf3c5.exe
Signature: NetSupport
File size: 3'500'736 bytes
First seen: 2025-08-13 07:55:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: efd455830ba918de67076b7c65d86586 (59 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep: 98304:dxHXsHuDBlC1PZe4pj7ZluJzTEWoXvy9L0DiKvC7B:vsUTSPJ1v4zTEpKF9KvCt
Threatray: 799 similar samples on MalwareBazaar
TLSH: T1DDF50123B2CB653FF0BE8A364AB6D212593B7A2165128C67D7E4086CCF261D41D3F647
TrID: 48.4% (.EXE) Inno Setup installer (107240/4/30)
      19.4% (.EXE) InstallShield setup (43053/19/16)
      18.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      4.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      2.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika: pebin
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: abuse_ch
Tags: 193-24-123-37 exe NetSupport signed

Code Signing Certificate

Organisation: Straight Side Consulting Ltd.
Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm: sha256WithRSAEncryption
Valid from: 2025-07-25T14:47:40Z
Valid to: 2026-07-26T14:47:40Z
Serial number: 502c9acfe6c45ccda77f9088
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: d2b185c9ef86510163f56bda3b1a344a184698c8b31343b2e9d91a9d5ebddb32
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
NetSupport C2:
193.24.123.37:443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
193.24.123.37:443 | https://threatfox.abuse.ch/ioc/1568135/

Intelligence


File Origin
Uploads: 1
Downloads: 204
Origin country: NL
Vendor Threat Intelligence
Malware family: netsupport
ID: 1
File name: _ff2db923f9b0b3d9122b852b36552c881d26e863f0fa078eefca74f2de11ba57.exe
Verdict: Malicious activity
Analysis date: 2025-08-13 07:58:04 UTC
Tags: rmm-tool netsupport remote auto-reg

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Searching for the window
Connection attempt
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Malware family: NetSupport Ltd
Verdict: Suspicious
Result
Threat name: NetSupport RAT
Detection: suspicious
Classification: rans.evad
Score: 38 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Delayed program exit found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph (ID 1755875; sample zwO0zmy2Km.exe, started 13/08/2025, architecture WINDOWS, score 38), recovered from the graph image:
Process chain: zwO0zmy2Km.exe drops C:\Users\user\AppData\...\zwO0zmy2Km.tmp (PE32) and starts it; that .tmp drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+) and relaunches zwO0zmy2Km.exe, which drops and starts a second zwO0zmy2Km.tmp.
Dropped by the second .tmp: C:\Users\user\...\remcmdstub.exe (copy, PE32), C:\Users\user\AppData\...\pcicapi.dll (copy, PE32), C:\Users\user\AppData\...\msvcr100.dll (copy, PE32) and 14 other files (12 malicious); it then starts NoMercyp.exe. Two further NoMercyp.exe instances start from the root of the graph.
Network from NoMercyp.exe: 193.24.123.37:443 (local port 49686; AS name UPM-KYMMENE-AS Kuusankoski Finland FI, geolocated Germany) and geo.netsupportsoftware.com resolving to 172.67.68.212:80 (CLOUDFLARENET US, United States).
Signatures attached to NoMercyp.exe: contains functionality to change the wallpaper; delayed program exit found; contains functionality to detect sleep reduction / modifications.
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Trojan.NetSupport
Status: Malicious
First seen: 2025-08-10 08:44:11 UTC
File Type: PE (Exe)
Extracted files: 455
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport discovery persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
NetSupport
Netsupport family

Verdict: Malicious
Tags: RemoteAccessTool
YARA: n/a
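The behaviours and indicators collected above describe one consistent shape: an Inno Setup installer unpacks a renamed NetSupport Manager client (NoMercyp.exe) together with pcicapi.dll and remcmdstub.exe into a per-user AppData directory, persists it through the CurrentVersion\Run key, and has it contact 193.24.123.37:443 after the client's own geo.netsupportsoftware.com lookup. Because NetSupport is a legitimate RMM product (see the rmm-tool tag), detection has to key on that deployment context rather than on the product itself. The Python below is an added example for this page, not MalwareBazaar or vendor sandbox code: it runs a small rule set over constructed Sysmon-style events. The event schema, the process IDs, the AppData\Roaming\Client path and the assumption that a managed install would live under Program Files are invented for the example; the C2 socket, the certificate thumbprint and the component file names are taken from the entry.

```python
"""Triage rules for the NetSupport RAT tradecraft recorded in this entry, run
over constructed endpoint telemetry.  Added example; event schema, pids, paths
and rule names are assumptions.  Indicator values come from the entry itself."""
import re
from collections import defaultdict

# From the entry: C2 socket, blocklisted Authenticode signer, NetSupport client components.
C2_SOCKETS = {("193.24.123.37", 443)}
BLOCKLISTED_CERT_THUMBPRINTS = {
    "d2b185c9ef86510163f56bda3b1a344a184698c8b31343b2e9d91a9d5ebddb32",
}
NETSUPPORT_COMPONENTS = {"pcicapi.dll", "remcmdstub.exe"}
NETSUPPORT_GEO_DOMAIN = "geo.netsupportsoftware.com"

# Assumption: a managed NetSupport deployment lives under Program Files; a client
# running from a per-user AppData directory is the suspicious shape seen here.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)

# Constructed telemetry modelled on the sandbox process tree above (pids and
# the Roaming\Client directory are invented; the entry only shows "AppData\...").
EVENTS = [
    {"type": "process_create", "pid": 10, "image": r"C:\Users\user\Desktop\zwO0zmy2Km.exe",
     "signer_thumbprint": "D2B185C9EF86510163F56BDA3B1A344A184698C8B31343B2E9D91A9D5EBDDB32"},
    {"type": "process_create", "pid": 26, "image": r"C:\Users\user\AppData\Roaming\Client\NoMercyp.exe"},
    {"type": "image_load", "pid": 26, "image": r"C:\Users\user\AppData\Roaming\Client\pcicapi.dll"},
    {"type": "image_load", "pid": 26, "image": r"C:\Users\user\AppData\Roaming\Client\msvcr100.dll"},
    {"type": "registry_set", "pid": 26,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NoMercyp"},
    {"type": "dns_query", "pid": 26, "query": "geo.netsupportsoftware.com"},
    {"type": "network_connect", "pid": 26, "dst_ip": "193.24.123.37", "dst_port": 443},
    # Benign noise: a browser from Program Files talking to a Cloudflare address.
    {"type": "process_create", "pid": 99, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "network_connect", "pid": 99, "dst_ip": "172.67.68.212", "dst_port": 443},
]


def triage(events):
    """Return {pid: sorted rule names} for every process that tripped at least one rule."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    hits = defaultdict(set)
    for e in events:
        pid, kind = e["pid"], e["type"]
        from_user_path = bool(USER_WRITABLE.search(images.get(pid, "")))
        if kind == "process_create":
            # Thumbprints are compared case-insensitively; EDRs emit either case.
            if e.get("signer_thumbprint", "").lower() in BLOCKLISTED_CERT_THUMBPRINTS:
                hits[pid].add("blocklisted_signer")
        elif kind == "image_load":
            module = e["image"].rsplit("\\", 1)[-1].lower()
            if module in NETSUPPORT_COMPONENTS and USER_WRITABLE.search(e["image"]):
                hits[pid].add("netsupport_component_in_user_path")
        elif kind == "registry_set":
            if RUN_KEY.search(e["key"]) and from_user_path:
                hits[pid].add("run_key_from_user_path")
        elif kind == "dns_query":
            # The client's own geolocation lookup is benign in a managed install; only
            # flag it when the querying process runs out of a user-writable path.
            if e["query"].lower() == NETSUPPORT_GEO_DOMAIN and from_user_path:
                hits[pid].add("netsupport_geo_check_from_user_path")
        elif kind == "network_connect":
            if (e["dst_ip"], e["dst_port"]) in C2_SOCKETS:
                hits[pid].add("known_c2_socket")
    return {pid: sorted(rules) for pid, rules in hits.items()}


def verdict(hits):
    """A known C2 socket alone is conclusive; otherwise require two corroborating rules."""
    out = {}
    for pid, rules in hits.items():
        out[pid] = "malicious" if ("known_c2_socket" in rules or len(rules) >= 2) else "suspicious"
    return out


if __name__ == "__main__":
    found = triage(EVENTS)
    for pid, level in verdict(found).items():
        print(pid, level, found[pid])
```

verdict() treats the published C2 socket as conclusive on its own and otherwise asks for two corroborating rules, so the signed installer (pid 10, blocklisted signer only) comes out as suspicious, the AppData client (pid 26) as malicious, and the browser process trips nothing. Swap EVENTS for real Sysmon event IDs 1, 7, 13, 22 and 3 to use the same rules in production.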
Unpacked files
SHA256 hash: 9f1c31d154e93821058e7ad2ef14bb00666fe38ae0e0d7208c30536574a29afd
MD5 hash: a635121b171fefb1222909d023f6499e
SHA1 hash: 24c2707ee98cd250045084b1dae2bb49249b40d2

SHA256 hash: 2ec63588f9753aa5a4e269f7a0243d7aeaf3c2e7a2a23a6d44a3a733ba9fa27c
MD5 hash: 6b8dbcb278f30e322e6f753e7836db9a
SHA1 hash: 4f97095abf499ce0ab5352c4a0cfc4232d73b616

SHA256 hash: 926d51d2a620299bc2794c735d37322bf9463432d3d91218af8f90050f27793e
MD5 hash: 3523a54577e66e4f16470eecda8055df
SHA1 hash: 6f1060db5543684b80c4513e4cbd01895d577dbf

SHA256 hash: fc627ad158394bbb457deb328b01a00b8a0419a683602a651c2d7dd21da5fccd
MD5 hash: 7559035d2915dd8b3bd5332297328160
SHA1 hash: 71a20a2f06e838a5bc7450583c780a0277a6a50b

SHA256 hash: 1b07ef568f410eedfdca59e152f336337afd30f4068d6acc335df2808efdd202
MD5 hash: f525bd5dcec08be37a94d743d345be14
SHA1 hash: ed1485111b370e0f75c004c5b253d3bf7ce18cf7

SHA256 hash: a6d17088b2cdf0381c761860f58b60edb0cf74d77bb73d61139554683071674b
MD5 hash: 5837f837e364fbb84d179a034d818abf
SHA1 hash: f78dced3fa4336f84169a0085066272dbcd48074

SHA256 hash: 00f57b9910630a7049df821a39c733ca35763d9b11a58e8c0e52b06066a52643
MD5 hash: 46eacdca48274cc56965e2f11cc63d66
SHA1 hash: 305429533557823d54f1cb1766d080b7249b6d99

SHA256 hash: 75344dc2802f3d542c1b00131d44910eb280b1edee116af082cf7ee8afd8f65e
MD5 hash: c9a1f1b6c18c3212c9cdb2f71a16750b
SHA1 hash: b25f9e2ebe9375802f94c66e5e2725aea207df97

SHA256 hash: ff2db923f9b0b3d9122b852b36552c881d26e863f0fa078eefca74f2de11ba57
MD5 hash: 71f99df14b952623ca084e3da33bf3c5
SHA1 hash: 29db9464e23e89b74554060e54350ec34c0aa982
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | advapi32.dll::AllocateAndInitializeSid, advapi32.dll::ConvertSidToStringSidW, advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW, advapi32.dll::EqualSid, advapi32.dll::FreeSid
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges, advapi32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessW, advapi32.dll::OpenProcessToken, advapi32.dll::OpenThreadToken, kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA, kernel32.dll::LoadLibraryExW, kernel32.dll::LoadLibraryW, kernel32.dll::GetDriveTypeW, kernel32.dll::GetVolumeInformationW, kernel32.dll::GetSystemInfo
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryW, kernel32.dll::CreateFileW, kernel32.dll::DeleteFileW, kernel32.dll::GetWindowsDirectoryW, kernel32.dll::GetSystemDirectoryW, kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API | Retrieves Account Information | advapi32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExW, advapi32.dll::RegQueryValueExW
WIN_USER_API | Performs GUI Actions | user32.dll::PeekMessageW, user32.dll::CreateWindowExW
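BLint's single finding says the image lacks IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA. That bit only affects 64-bit images, and this sample is a PE32 x86 executable (see the "Win 32 Exe x86" tag above), so the missing bit changes nothing about how the process is mapped; for a 32-bit image the bits worth confirming are DYNAMIC_BASE and NX_COMPAT. The Python below is an added example for this page, not BLint's code: it decodes DllCharacteristics straight from the PE optional header, builds constructed minimal headers to run against, and reports HIGH_ENTROPY_VA as missing only for PE32+ images. The builder's other header fields are zero placeholders.

```python
"""Decode IMAGE_OPTIONAL_HEADER.DllCharacteristics, the field behind BLint's
CHECK_DLL_CHARACTERISTICS finding.  Added example, not BLint code."""
import struct

# Flag bits from the PE/COFF specification (winnt.h IMAGE_DLLCHARACTERISTICS_*).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
PE32, PE32PLUS = 0x10B, 0x20B


def parse_dll_characteristics(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> optional header and decode the flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (20 bytes).
    _m, _n, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+
    # (the 8-byte ImageBase in PE32+ is offset by the absence of BaseOfData).
    bits = struct.unpack_from("<H", data, opt + 70)[0]
    flags = {name for bit, name in DLL_CHARACTERISTICS.items() if bits & bit}
    return {"is_64bit": magic == PE32PLUS, "raw": bits, "flags": flags}


def assess(info: dict) -> list:
    """Mitigation bits a reviewer would expect, reported only where they have an effect."""
    missing = [f for f in ("DYNAMIC_BASE", "NX_COMPAT") if f not in info["flags"]]
    # HIGH_ENTROPY_VA only changes the ASLR entropy of 64-bit images; for PE32 it is noise.
    if info["is_64bit"] and "HIGH_ENTROPY_VA" not in info["flags"]:
        missing.append("HIGH_ENTROPY_VA")
    return missing


def build_pe_header(magic: int, dll_characteristics: int) -> bytes:
    """Constructed minimal MZ + PE header (no sections); every other field is a zero placeholder."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew points right after the DOS header
    opt_size = 0xE0 if magic == PE32 else 0xF0
    machine = 0x14C if magic == PE32 else 0x8664      # i386 / AMD64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A 32-bit image with DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE and no HIGH_ENTROPY_VA.
    info = parse_dll_characteristics(build_pe_header(PE32, 0x8140))
    print(sorted(info["flags"]), "missing:", assess(info))
```

Run the parser on a real file with parse_dll_characteristics(open(path, "rb").read()); on the sample above the x86 magic means assess() will not list HIGH_ENTROPY_VA even though the bit is clear, which is the reading BLint's "high" severity does not make.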

Comments