File name:

client32.exe

Full analysis: https://app.any.run/tasks/688050bf-1a66-4ddf-8a16-75e11a0aca86
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Analysis date: March 20, 2024, 03:35:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
netsupport
unwanted
remote
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7EAA25DDEA13F9B96CCCCBFF8D5AAE1D

SHA1:

23E78C41D8F4C30A37D9FDE66CA601D233572325

SHA256:

0F93FBEB64A21B8C2E979CCFAE3B960AD4DA5C01DBAF783AF9AE2F3C27C7D801

SSDEEP:

768:/RVrrOJu7e52ts+StyiNA8ts+StcJiNx29:/3rxK52mhtD+8mhtcQ729

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • client32.exe (PID: 1696)
    • NETSUPPORT has been detected (SURICATA)

      • client32.exe (PID: 2756)
    • Connects to the CnC server

      • client32.exe (PID: 2756)
  • SUSPICIOUS

    • Reads the Internet Settings

      • client32.exe (PID: 2756)
    • Reads security settings of Internet Explorer

      • client32.exe (PID: 2756)
    • Connects to the server without a host name

      • client32.exe (PID: 2756)
  • INFO

    • Manual execution by a user

      • client32.exe (PID: 2756)
    • Drop NetSupport executable file

      • client32.exe (PID: 1696)
    • Checks supported languages

      • client32.exe (PID: 2756)
    • Reads the computer name

      • client32.exe (PID: 2756)
    • Reads the machine GUID from the registry

      • client32.exe (PID: 2756)
    • Checks proxy server information

      • client32.exe (PID: 2756)
    • Creates files or folders in the user directory

      • client32.exe (PID: 2756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:06:06 09:40:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 512
InitializedDataSize: 95232
UninitializedDataSize: -
EntryPoint: 0x1020
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 12.70.5.339
ProductVersionNumber: 12.70.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
Comments: -
CompanyName: NetSupport Ltd
FileDescription: NetSupport Client Application
FileVersion: V12.70
InternalName: client32
LegalCopyright: Copyright (c) 2019, NetSupport Ltd
LegalTrademarks: -
OriginalFileName: client32.exe
PrivateBuild: V12.70
ProductName: NetSupport Manager
ProductVersion: V12.70
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes
41
Monitored processes
2
Malicious processes
1
Suspicious processes
1

Behavior graph

start -> client32.exe (no specs) -> client32.exe (#NETSUPPORT)

Process information

PID: 1696
CMD: "C:\Users\admin\Desktop\client32.exe"
Path: C:\Users\admin\Desktop\client32.exe
Parent process: explorer.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Exit code:
3221225781
Version:
V12.70
Modules
Images
c:\users\admin\desktop\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID: 2756
CMD: "C:\Users\admin\Desktop\client32.exe"
Path: C:\Users\admin\Desktop\client32.exe
Parent process: explorer.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Exit code:
0
Version:
V12.70
Modules
Images
c:\users\admin\desktop\client32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\pcicl32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
Total events
1 329
Read events
1 290
Write events
30
Delete events
9

Modification events

Process: (2756) client32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: (2756) client32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer
Value: -

Process: (2756) client32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride
Value: -

Process: (2756) client32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL
Value: -

Process: (2756) client32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect
Value: -

Process: (2756) client32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (2756) client32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (2756) client32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (2756) client32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (2756) client32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID | Process | Filename | Type
2756 | client32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\loca[1].htm | text
MD5: 07F8082094A3129D77CC276E56078E09
SHA256: FE2EF9A510FD83DCB610DE594AB58D0970A2BBFA9B30CB2DEFE2F88AC125864A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
6
DNS requests
3
Threats
17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2756 | client32.exe | GET | 200 | 172.67.68.212:80 | http://geo.netsupportsoftware.com/location/loca.asp | unknown | text | 15 b | unknown
2756 | client32.exe | POST | - | 49.13.77.253:443 | http://49.13.77.253/fakeurl.htm | unknown | - | - | unknown
2756 | client32.exe | POST | - | 49.13.77.253:443 | http://49.13.77.253/fakeurl.htm | unknown | - | - | unknown
2756 | client32.exe | POST | - | 2.57.149.227:443 | http://2.57.149.227/fakeurl.htm | unknown | - | - | unknown
2756 | client32.exe | POST | - | 49.13.77.253:443 | http://49.13.77.253/fakeurl.htm | unknown | - | - | unknown
2756 | client32.exe | POST | - | 2.57.149.227:443 | http://2.57.149.227/fakeurl.htm | unknown | - | - | unknown
2756 | client32.exe | POST | - | 49.13.77.253:443 | http://49.13.77.253/fakeurl.htm | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2756 | client32.exe | 172.67.68.212:80 | geo.netsupportsoftware.com | CLOUDFLARENET | US | unknown
2756 | client32.exe | 2.57.149.227:443 | kokosinka1.com | networkers.pl Sp. z o.o. | PL | unknown
2756 | client32.exe | 49.13.77.253:443 | kokosinka2.com | Hetzner Online GmbH | DE | unknown

DNS requests

Domain | IP | Reputation
geo.netsupportsoftware.com | 172.67.68.212, 104.26.1.231, 104.26.0.231 | unknown
kokosinka1.com | 2.57.149.227 | unknown
kokosinka2.com | 49.13.77.253 | unknown

Threats

PID | Process | Class | Message
2756 | client32.exe | Potential Corporate Privacy Violation | ET POLICY NetSupport GeoLocation Lookup Request
2756 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
2756 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
2756 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
2756 | client32.exe | A Network Trojan was detected | ET MALWARE NetSupport RAT with System Information
2756 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
2756 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
2756 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
2756 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
2756 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin
5 ETPRO signatures available at the full report
No debug info