SYMBOLCOMMON_NAMEaka. SYNONYMS
win.netsupportmanager_rat (Back to overview)

NetSupportManager RAT

aka: NetSupport
VTCollection     URLhaus    

Enigma Software notes that NetSupport Manager is a genuine application, which was first released about twenty years ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or provide remote computer assistance. However, cyber crooks have hijacked this useful application and misappropriated it to use it in their harmful campaigns. The name of the modified version of the NetSupport Manager has been labeled the NetSupport Manager RAT.

References
2024-12-02Kaspersky LabsArtem Ushkov
Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT
NetSupportManager RAT RMS
2024-07-25SymantecSymantec
Growing Number of Threats Leveraging AI
Broomstick DBatLoader NetSupportManager RAT Rhadamanthys
2024-07-02SekoiaQuentin Bourgue
Exposing FakeBat loader: distribution methods and adversary infrastructure
BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar
2024-06-17ProofpointProofpoint
From Clipboard to Compromise: A PowerShell Self-Pwn
DarkGate HijackLoader Lumma Stealer Matanbuchus NetSupportManager RAT TA571
2024-05-10Rapid7 LabsEvan McCann, Thomas Elkins, Tyler McGraw
Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
Black Basta Black Basta Cobalt Strike NetSupportManager RAT
2024-03-18Perception PointAriel Davidpur, Peleg Cabra
Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT
NetSupportManager RAT
2024-02-26Twitter (@embee_research)Embee_research
Advanced CyberChef Techniques for Configuration Extraction - Detailed Walkthrough and Examples
NetSupportManager RAT
2024-02-25YouTube (Embee Research)Embee_research
My Longest CyberChef Recipe Ever - 22 Operation Configuration Extractor
NetSupportManager RAT
2024-01-23Medium ad12347Ariel Davidpur
NetSupport RAT hits again with new IOCs
NetSupportManager RAT
2023-12-30Rewterz Information SecurityRewterz Information Security
Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs
EugenLoader POWERTRASH BATLOADER DarkGate FlawedGrace NetSupportManager RAT SectopRAT Storm-0506
2023-11-20vmwareAbe Schneider, Alan Ngo, Alex Murillo, Fae Carlisle, Nikki Benoit
NetSupport RAT: The RAT King Returns
NetSupportManager RAT
2023-10-27ElasticJoe Desimone, Salim Bitam
GHOSTPULSE haunts victims using defense evasion bag o' tricks
HijackLoader Lumma Stealer NetSupportManager RAT Rhadamanthys SectopRAT Vidar
2023-10-26Medium walmartglobaltechJonathan Mccay
SmartApeSG
NetSupportManager RAT
2023-09-06MalwarebytesJérôme Segura
Mac users targeted in new malvertising campaign delivering Atomic Stealer
AMOS NetSupportManager RAT
2023-08-10TrellixAntonio Ribeiro, Jonell Baltazar
Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT
NetSupportManager RAT
2023-03-29Trend MicroJaromír Hořejší, Joseph C Chen
New OpcJacker Malware Distributed via Fake VPN Malvertising
NetSupportManager RAT OpcJacker
2023-01-06AhnLabASEC
Distribution of NetSupport RAT Malware Disguised as a Pokemon Game
NetSupportManager RAT
2022-09-15SekoiaThreat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-05-25Medium walmartglobaltechJason Reaves, Joshua Platt
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT
2022-04-11eSentireeSentire Threat Response Unit (TRU)
Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer
Mars Stealer NetSupportManager RAT
2022-04-07Bleeping ComputerBill Toulas
Malicious web redirect service infects 16,500 sites to push malware
NetSupportManager RAT
2022-04-07Avast DecodedJan Rubín, Pavel Novák
Parrot TDS takes over web servers and threatens millions
FAKEUPDATES Parrot TDS Parrot TDS WebShell NetSupportManager RAT
2020-11-02SUCURIDenis Sinegubko
CSS-JS Steganography in Fake Flash Player Update Malware
magecart NetSupportManager RAT
2020-05-22Positive TechnologiesPT ESC Threat Intelligence
Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.
NetSupportManager RAT ServHelper
2020-03-19PrevailionPrevailion
The Curious Case of the Criminal Curriculum Vitae
LALALA Stealer NetSupportManager RAT Rekt Loader
2017-09-01Palo Alto Networks Unit 42Brad Duncan
EITest: HoeflerText Popups Targeting Google Chrome Users Now Push RAT Malware
NetSupportManager RAT
2016-09-30Bleeping ComputerLawrence Abrams
Hacked Steam accounts spreading Remote Access Trojan
NetSupportManager RAT
2013-01-01NetSupport ManagerNetSupport Manager
NetSupport Manager Website
NetSupportManager RAT
Yara Rules
[TLP:WHITE] win_netsupportmanager_rat_auto (20241030 | Detects win.netsupportmanager_rat.)
rule win_netsupportmanager_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.netsupportmanager_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8b9630010000 6a00 52 e8???????? 8b4614 83c420 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b9630010000         | mov                 edx, dword ptr [esi + 0x130]
            //   6a00                 | push                0
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   83c420               | add                 esp, 0x20

        $sequence_1 = { f6868000000002 745a f6868402000007 7451 8b4e68 8b3d???????? 6a03 }
            // n = 7, score = 100
            //   f6868000000002       | test                byte ptr [esi + 0x80], 2
            //   745a                 | je                  0x5c
            //   f6868402000007       | test                byte ptr [esi + 0x284], 7
            //   7451                 | je                  0x53
            //   8b4e68               | mov                 ecx, dword ptr [esi + 0x68]
            //   8b3d????????         |                     
            //   6a03                 | push                3

        $sequence_2 = { e8???????? eb4b 894508 894e1c 8945f0 85c0 c645fc05 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb4b                 | jmp                 0x4d
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   894e1c               | mov                 dword ptr [esi + 0x1c], ecx
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   85c0                 | test                eax, eax
            //   c645fc05             | mov                 byte ptr [ebp - 4], 5

        $sequence_3 = { e8???????? e9???????? 8b06 8d4d08 51 8bce ff9098000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   51                   | push                ecx
            //   8bce                 | mov                 ecx, esi
            //   ff9098000000         | call                dword ptr [eax + 0x98]

        $sequence_4 = { e8???????? c705????????01000000 8b15???????? 52 ff15???????? 5f 5e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c705????????01000000     |     
            //   8b15????????         |                     
            //   52                   | push                edx
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_5 = { e8???????? 8b45fc 8b4df4 8bd0 2bd1 52 8b55f8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8bd0                 | mov                 edx, eax
            //   2bd1                 | sub                 edx, ecx
            //   52                   | push                edx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]

        $sequence_6 = { ff15???????? 8b4e28 6810200000 57 8d8500ffffff 6aff 50 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8b4e28               | mov                 ecx, dword ptr [esi + 0x28]
            //   6810200000           | push                0x2010
            //   57                   | push                edi
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]
            //   6aff                 | push                -1
            //   50                   | push                eax

        $sequence_7 = { ff15???????? eb03 8b5de0 c745fcffffffff e8???????? 33c0 8b8d60ffffff }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   eb03                 | jmp                 5
            //   8b5de0               | mov                 ebx, dword ptr [ebp - 0x20]
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   8b8d60ffffff         | mov                 ecx, dword ptr [ebp - 0xa0]

        $sequence_8 = { ff5008 8d4ddc e8???????? 8b45dc 8d4ddc ff10 84c0 }
            // n = 7, score = 100
            //   ff5008               | call                dword ptr [eax + 8]
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   e8????????           |                     
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   ff10                 | call                dword ptr [eax]
            //   84c0                 | test                al, al

        $sequence_9 = { f3a5 8bc8 83e103 f3a4 81fa03000d00 750d 8d55c4 }
            // n = 7, score = 100
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   81fa03000d00         | cmp                 edx, 0xd0003
            //   750d                 | jne                 0xf
            //   8d55c4               | lea                 edx, [ebp - 0x3c]

    condition:
        7 of them and filesize < 4734976
}
Download all Yara Rules