download:

ldrmgan18011.exe

Full analysis: https://app.any.run/tasks/f64884ff-e947-4929-9d9d-101a2de7340d
Verdict: Malicious activity
Threats:

NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.

Malware Trends Tracker     >>>
Analysis date: January 21, 2022, 01:01:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
unwanted
netsupport
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

46FA5C3B6FDF73BEFE0A50031999ECB2

SHA1:

0EDE58F3CFF351439B94E2E81B2E4495340FEED3

SHA256:

3DFD99F196890BA6195F1ED90DA2F3263B5A2F001D313741DF764E7F14606B40

SSDEEP:

49152:PyIWGBEq+uzjqlofFg3/YVrS5zjYOD/bw8mkUuZerutyHBY:PyhGJ+uzjqWtAoW5oOCkLZe0yHBY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • ldrmgan18011.exe (PID: 2068)

    • Writes to a start menu file

      • ldrmgan18011.exe (PID: 2068)

    • Loads dropped or rewritten executable

      • client32.exe (PID: 1456)

    • Application was dropped or rewritten from another process

      • client32.exe (PID: 1456)

    • Connects to CnC server

      • client32.exe (PID: 1456)

  • SUSPICIOUS

    • Drops a file that was compiled in debug mode

      • ldrmgan18011.exe (PID: 2068)

    • Checks supported languages

      • ldrmgan18011.exe (PID: 2068)
      • client32.exe (PID: 1456)

    • Reads the computer name

      • ldrmgan18011.exe (PID: 2068)
      • client32.exe (PID: 1456)

    • Creates files in the user directory

      • ldrmgan18011.exe (PID: 2068)

    • Executable content was dropped or overwritten

      • ldrmgan18011.exe (PID: 2068)

    • Executed via COM

      • DllHost.exe (PID: 2120)

  • INFO

    • Checks supported languages

      • DllHost.exe (PID: 2120)

    • Reads the computer name

      • DllHost.exe (PID: 2120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x9aca
UninitializedDataSize: -
InitializedDataSize: 218624
CodeSize: 52224
LinkerVersion: 9
PEType: PE32
TimeStamp: 2011:03:02 08:40:33+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 02-Mar-2011 07:40:33
Detected languages:
  • English - United States
  • Process Default Language
Debug artifacts:
  • d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 02-Mar-2011 07:40:33
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000CB8B
0x0000CC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.53498
.rdata
0x0000E000
0x00001B75
0x00001C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.9646
.data
0x00010000
0x0001D9D8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.31952
.CRT
0x0002E000
0x00000010
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.213101
.rsrc
0x0002F000
0x000335C0
0x00033600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.38085

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.20816
1464
Latin 1 / Western European
English - United States
RT_MANIFEST
2
4.70489
67624
Latin 1 / Western European
Process Default Language
RT_ICON
3
5.06499
38056
Latin 1 / Western European
Process Default Language
RT_ICON
4
5.11564
26600
Latin 1 / Western European
Process Default Language
RT_ICON
5
5.09564
21640
Latin 1 / Western European
Process Default Language
RT_ICON
6
4.82288
16936
Latin 1 / Western European
Process Default Language
RT_ICON
7
3.24143
556
Latin 1 / Western European
English - United States
RT_STRING
8
3.26996
974
Latin 1 / Western European
English - United States
RT_STRING
9
3.04375
530
Latin 1 / Western European
English - United States
RT_STRING
10
3.16254
776
Latin 1 / Western European
English - United States
RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
ole32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start ldrmgan18011.exe client32.exe DllHost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1456"C:\Users\admin\AppData\Roaming\WinSupUpdate\client32.exe" C:\Users\admin\AppData\Roaming\WinSupUpdate\client32.exe
ldrmgan18011.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Exit code:
0
Version:
V12.50
2068"C:\Users\admin\AppData\Local\Temp\ldrmgan18011.exe" C:\Users\admin\AppData\Local\Temp\ldrmgan18011.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2120C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
9
Suspicious files
4
Text files
4
Unknown types
1

Dropped files

PID
Process
Filename
Type
2120DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
MD5:
SHA256:
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\client32.initext
MD5:
SHA256:
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\AudioCapture.dllexecutable
MD5:771E97F76E213ED2D2B0B7C6639E1C68
SHA256:8AF1DD14B521D96D711B0EC5E1651D961B5F0D6AC18FBEE3EF66E065E9766F72
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\client32.exeexecutable
MD5:F76954B68CC390F8009F1A052283A740
SHA256:63315DF7981130853D75DC753E5776BDF371811BCFCE351557C1E45AFDD1EBFB
2120DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.logbinary
MD5:
SHA256:
2120DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.chkbinary
MD5:
SHA256:
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\HTCTL32.DLLexecutable
MD5:2D3B207C8A48148296156E5725426C7F
SHA256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\nskbfltr.infbinary
MD5:26E28C01461F7E65C402BDF09923D435
SHA256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\NSM.inibinary
MD5:88B1DAB8F4FD1AE879685995C90BD902
SHA256:60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\pcicapi.dllexecutable
MD5:DCDE2248D19C778A41AA165866DD52D0
SHA256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
2
DNS requests
3
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1456
client32.exe
POST
200
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
binary
159 b
suspicious
1456
client32.exe
POST
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
suspicious
1456
client32.exe
POST
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
suspicious
1456
client32.exe
GET
200
62.172.138.35:80
http://geo.netsupportsoftware.com/location/loca.asp
GB
text
17 b
suspicious
1456
client32.exe
POST
200
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
binary
61 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1456
client32.exe
23.108.57.114:1998
Jalalymola17.com
Nobis Technology Group, LLC
US
suspicious
1456
client32.exe
62.172.138.35:80
geo.netsupportsoftware.com
British Telecommunications PLC
GB
suspicious

DNS requests

Domain
IP
Reputation
Jalalymola11.com
unknown
Jalalymola17.com
  • 23.108.57.114
suspicious
geo.netsupportsoftware.com
  • 62.172.138.35
  • 195.171.92.116
suspicious

Threats

PID
Process
Class
Message
1456
client32.exe
Potential Corporate Privacy Violation
ET POLICY NetSupport GeoLocation Lookup Request
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ldrmgan18011.exe