| File name: | 27022025_1606_AudioCapture.zip |
| Full analysis: | https://app.any.run/tasks/f3df4bd5-a193-4908-bac2-a3bb80a39396 |
| Verdict: | Malicious activity |
| Threats: | NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. |
| Analysis date: | February 27, 2025, 16:13:22 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | A28C197D5D4F3BAE14C8A67162F15668 |
| SHA1: | 95BE950DE10EB530E90B36E1CF243722E9309B1B |
| SHA256: | 1A37F53F97890B40CCBFAE9F608F0B06FAE001F2146680C96F8E87A06C325C9D |
| SSDEEP: | 98304:aloONpjlACTIQ1ZR9dHblS/UBTXWbanIQQHUdIkanLEzliuUkiKyGH6I6YT8mmUj:6X04a+ |
MALICIOUS
Executing a file with an untrusted certificate
- remcmdstub.exe (PID: 7872)
SUSPICIOUS
Drop NetSupport executable file
- WinRAR.exe (PID: 7760)
Process drops legitimate windows executable
- WinRAR.exe (PID: 7760)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 7760)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 7760)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 7760)
There is functionality for taking screenshot (YARA)
- rundll32.exe (PID: 8044)
INFO
The sample compiled with english language support
- WinRAR.exe (PID: 7760)
Manual execution by a user
- remcmdstub.exe (PID: 7872)
- rundll32.exe (PID: 7948)
- rundll32.exe (PID: 8044)
- rundll32.exe (PID: 8140)
- notepad.exe (PID: 4736)
Checks supported languages
- remcmdstub.exe (PID: 7872)
- MpCmdRun.exe (PID: 2852)
- MpCmdRun.exe (PID: 6192)
Reads security settings of Internet Explorer
- notepad.exe (PID: 4736)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 7760)
Reads the computer name
- MpCmdRun.exe (PID: 2852)
- MpCmdRun.exe (PID: 6192)
Create files in a temporary directory
- MpCmdRun.exe (PID: 2852)
Checks proxy server information
- slui.exe (PID: 5720)
Reads the software policy settings
- slui.exe (PID: 5720)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2023:06:21 08:51:24 |
| ZipCRC: | 0x4ef3825a |
| ZipCompressedSize: | 37108 |
| ZipUncompressedSize: | 78840 |
| ZipFileName: | AudioCapture.dll |
Total processes
132
Monitored processes
14
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1672 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2852 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4736 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\client32.ini | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5164 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR7760.16866\Rar$Scan46379.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5720 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6032 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574\Rar$Scan23653.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6192 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR7760.16866" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7148 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7760 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\27022025_1606_AudioCapture.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 7872 | "C:\Users\admin\Desktop\remcmdstub.exe" | C:\Users\admin\Desktop\remcmdstub.exe | — | explorer.exe | |||||||||||
User: admin Company: NetSupport Ltd Integrity Level: MEDIUM Description: NetSupport Remote Command Prompt Exit code: 0 Version: V12.80 Modules
| |||||||||||||||
Total events
7 048
Read events
7 037
Write events
11
Delete events
0
Modification events
| (PID) Process: | (7760) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (7760) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (7760) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (7760) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\27022025_1606_AudioCapture.zip | |||
| (PID) Process: | (7760) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (7760) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (7760) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (7760) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (7760) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList |
| Operation: | write | Name: | ArcSort |
Value: 32 | |||
| (PID) Process: | (7760) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan |
| Operation: | write | Name: | DefScanner |
Value: Windows Defender | |||
Executable files
52
Suspicious files
18
Text files
37
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574\27022025_1606_AudioCapture.zip\ifsutilx.dll | executable | |
MD5:27A7213091CDA31E84967BEAD4D29BD1 | SHA256:42214053995B6188B2E20935CA8C92AF77639F0D5541A132920A5CBA2CFCBDE6 | |||
| 7760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574\27022025_1606_AudioCapture.zip\logos\data_2 | binary | |
MD5:0962291D6D367570BEE5454721C17E11 | SHA256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7 | |||
| 7760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574\27022025_1606_AudioCapture.zip\logos\devl1.bmp | image | |
MD5:BA8B503CBAA76346E3601E54E2C91CA3 | SHA256:A03BB48E4599C5C1D15554119DB31622A53BB9989E5B51D27F835FF70B40DCC8 | |||
| 7760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574\27022025_1606_AudioCapture.zip\logos\chuckskull.bmp | image | |
MD5:39C7B460021042A446BD8BDCA8476A83 | SHA256:88BC2CD2DAC6482C37132B691E2039DC793DA95A1E7A548210682B56B52374C2 | |||
| 7760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574\27022025_1606_AudioCapture.zip\logos\data_0 | binary | |
MD5:933CE139B5DC5C39827C1FF1F8D2E8CE | SHA256:3BFEA31EF02006A151F2D11009DAB6F1D8858C6D32F1F3372C10317CA28B92D7 | |||
| 7760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574\27022025_1606_AudioCapture.zip\logos\Cookies | binary | |
MD5:F911CC9097CDA666DF4D8B883F56D06B | SHA256:754622ACA7632EC5C73C4FC303DFA8519D79C8560B722ACC940704EAD1DED84F | |||
| 7760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574\27022025_1606_AudioCapture.zip\KBDTAM99.DLL | executable | |
MD5:CCC736781CF4A49F42CD07C703B3A18B | SHA256:000C4B5B50966634DF58078511794F83690D693FCCF2ACA5C970C20981B29556 | |||
| 7760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574\27022025_1606_AudioCapture.zip\logos\f_000001 | compressed | |
MD5:57BA5E5DD6940B3D032C9B88EC01F218 | SHA256:59C41D744626C89EF55CFBD42BB36C862DA1F0C4E96CE9C38AE12D1F1461BD01 | |||
| 7760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574\27022025_1606_AudioCapture.zip\getuname.dll | executable | |
MD5:91C68038BFC064EA8FB6D432ACD38EE0 | SHA256:68DE057C4175D4C94AFA2ACB2ABC1A9CCAC04A3CEB8E84C33F7F414BB8B0EEB6 | |||
| 7760 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7760.14574\27022025_1606_AudioCapture.zip\client32.exe | executable | |
MD5:1C19C2E97C5E6B30DE69EE684E6E5589 | SHA256:312A0E4DB34A40CB95BA1FAC8BF87DEB45D0C5F048D38AC65EB060273B07DF67 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
21
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7412 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5720 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |