| File name: | Teleram.zip |
| Full analysis: | https://app.any.run/tasks/4061a855-6523-46a0-b2bc-84f8aef38a51 |
| Verdict: | Malicious activity |
| Threats: | NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. |
| Analysis date: | April 26, 2025, 11:00:12 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 47C7EA0D3F6DC97C9AD16A91821D5D95 |
| SHA1: | F281A91FD22194F5C9E9C19A4DA2CAB2B7B5540D |
| SHA256: | 672242B4E95C0BC76D0B2447F01D662A3B677E7F69629CA699D2EEF15E35A162 |
| SSDEEP: | 98304:URjSAdyvGDkRHoeXuxXcTZKXh0qk0XIiBbz1SMR9+AHiZIDsVqht6uZViWXe7+7d:uYW6wT |
MALICIOUS
Executing a file with an untrusted certificate
- client32.exe (PID: 8136)
NETSUPPORT has been detected (YARA)
- client32.exe (PID: 8136)
SUSPICIOUS
Drop NetSupport executable file
- WinRAR.exe (PID: 7752)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 7752)
Process drops legitimate windows executable
- WinRAR.exe (PID: 7752)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 7752)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 7752)
INFO
The sample compiled with english language support
- WinRAR.exe (PID: 7752)
Manual execution by a user
- OpenWith.exe (PID: 8184)
- OpenWith.exe (PID: 4932)
- client32.exe (PID: 8136)
- OpenWith.exe (PID: 6032)
Reads Microsoft Office registry keys
- OpenWith.exe (PID: 4932)
- OpenWith.exe (PID: 8184)
- OpenWith.exe (PID: 6032)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 7752)
Create files in a temporary directory
- MpCmdRun.exe (PID: 4724)
Checks proxy server information
- slui.exe (PID: 2656)
Checks supported languages
- MpCmdRun.exe (PID: 4724)
Reads the computer name
- MpCmdRun.exe (PID: 4724)
Reads the software policy settings
- slui.exe (PID: 2656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2023:06:21 08:51:24 |
| ZipCRC: | 0x4ef3825a |
| ZipCompressedSize: | 37676 |
| ZipUncompressedSize: | 78840 |
| ZipFileName: | AudioCapture.dll |
Total processes
130
Monitored processes
9
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2656 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4560 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4724 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4932 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\800_arrowup.tga | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5056 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064\Rar$Scan68003.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6032 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\DUState.dat | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7752 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Teleram.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 8136 | "C:\Users\admin\Desktop\client32.exe" | C:\Users\admin\Desktop\client32.exe | explorer.exe | ||||||||||||
User: admin Company: NetSupport Ltd Integrity Level: MEDIUM Description: NetSupport Client Application Exit code: 3221225781 Version: V11.30 Modules
| |||||||||||||||
| 8184 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\lc.dat | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 672
Read events
6 662
Write events
10
Delete events
0
Modification events
| (PID) Process: | (7752) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (7752) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (7752) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (7752) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\Teleram.zip | |||
| (PID) Process: | (7752) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (7752) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (7752) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (7752) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (7752) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList |
| Operation: | write | Name: | ArcSort |
Value: 32 | |||
| (PID) Process: | (7752) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan |
| Operation: | write | Name: | DefScanner |
Value: Windows Defender | |||
Executable files
30
Suspicious files
11
Text files
8
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064\Teleram.zip\HTCTL32.DLL | executable | |
MD5:3EED18B47412D3F91A394AE880B56ED2 | SHA256:13A17F2AD9288AAC8941D895251604BEB9524FA3C65C781197841EE15480A13F | |||
| 7752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064\Teleram.zip\client32.exe | executable | |
MD5:FCE17B987F321DCE852C8A52116E7EB6 | SHA256:AFC45CC0DF7F7E481BFF45C6F62A6418B6AE4C8B474EC36113E05AB7CA7E2743 | |||
| 7752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064\Teleram.zip\PCICHEK.DLL | executable | |
MD5:E311935A26EE920D5B7176CFA469253C | SHA256:0038AB626624FA2DF9F65DD5E310B1206A9CD4D8AB7E65FB091CC25F13EBD34E | |||
| 7752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064\Teleram.zip\WiaExtensionHost64.dll | executable | |
MD5:5D084613C0E5C8C3022D9E0F316B0E23 | SHA256:07BC4DC48D5D9BCC2CE52CA8A0F925CA021092DC34CB811E183CBC0D32E576BA | |||
| 7752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064\Teleram.zip\Mss32.dll | executable | |
MD5:18A082AD2C18DF2556FEAC3E1055423F | SHA256:B59148EEB9CD967F6D69857A60FE384F881A2BF8E4F26183D0D4ED4679D42518 | |||
| 7752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064\Teleram.zip\NSM.LIC | text | |
MD5:866C96BA2823AC5FE70130DFAAA08531 | SHA256:6A7C99E4BD767433C25D6DF8DF81BAA99C05DD24FA064E45C306FF4D954E1921 | |||
| 7752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064\Teleram.zip\TsUsbRedirectionGroupPolicyExtension.dll | executable | |
MD5:D89CDA3FF8427DA82DE6CCE39008C5BC | SHA256:F44CC1E23D0D192DCFD84069B27704CD0B2A8E7720EEE43656F57CB474433762 | |||
| 7752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064\Teleram.zip\PCICL32.DLL | executable | |
MD5:1274CCA13CC5E37CA94D35E5B0673E89 | SHA256:CD5510C8BC7EA60BE77AD4AAB502EE02D871BF4E917AEEB6921C20EEBD9693DD | |||
| 7752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064\Teleram.zip\AudioCapture.dll | executable | |
MD5:2A82792F7B45D537EDFE58EB758C1197 | SHA256:05AA13A6C1D18F691E552F04A996960917202A322D0DACFD330E553AD56978ED | |||
| 7752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR7752.10064\Teleram.zip\KBDTAM99.DLL | executable | |
MD5:CCC736781CF4A49F42CD07C703B3A18B | SHA256:000C4B5B50966634DF58078511794F83690D693FCCF2ACA5C970C20981B29556 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
42
DNS requests
13
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
7956 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
7956 | SIHClient.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
7956 | SIHClient.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
7956 | SIHClient.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
7956 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7956 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
7956 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | unknown |
— | — | GET | 200 | 20.109.210.53:443 | https://slscr.update.microsoft.com/sls/ping | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
7956 | SIHClient.exe | 20.109.210.53:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7956 | SIHClient.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
7956 | SIHClient.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
7956 | SIHClient.exe | 20.3.187.198:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7396 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
login.live.com |
| whitelisted |