family: netsupport-inno-dropper
confidence: high
created: 2026-06-15
SHA-256: 177bfc846a77617931f7e6651a26df92511c7f60c0170001d67b982c09a677d1

netsupport-inno-dropper: 177bfc84 — Inno Setup 6.7.0 masquerading as Intel Graphics Driver

Executive Summary

PE32 Inno Setup 6.7.0 installer compiled from Delphi (Object Pascal), masquerading as "Intel Graphics Driver Setup" by Intel Corporation. The installer bundles and drops NetSupport Manager Remote Control (legitimate RAT abused as access tool), replacing its config with attacker-controlled gateway settings. Static-only analysis; no CAPE guest available. Attribution to hippamsascom is rejected — this is a different cluster using legitimate software bundling rather than custom loaders.

What It Is

  • File type: PE32 executable (GUI) Intel 80386, 11 sections, Windows GUI subsystem ^[file.txt]
  • Size: 4.1 MB (4,117,379 bytes) ^[exiftool.json]
  • Toolchain: Inno Setup 6.7.0 compiler (Delphi/Object Pascal) — installer framework by Jordan Russell ^[strings.txt:7552], ^[strings.txt:13048]
  • Linker: Borland/CodeGear Delphi linker v2.25 (standard for Inno Setup) ^[exiftool.json:LinkerVersion=2.25]
  • Compile timestamp: Wed Feb 11 11:40:27 2026 UTC ^[pefile.txt:34], ^[rabin2-info.txt]
  • Signing: Unsigned (Authenticode field absent) ^[rabin2-info.txt:signed=false]
  • Masquerade: Version info claims "Intel Graphics Driver Setup" by "Intel Corporation", ProductVersion: 34.0.93.1512, with empty LegalCopyright and OriginalFileName fields padded with spaces ^[exiftool.json], ^[strings.txt:386-392]

How It Works

The binary is a legitimate Inno Setup installer repackaged with malicious configuration. Upon execution it extracts embedded files (likely NetSupport Manager binaries + a modified client32.ini or gateway config) to the target system, then launches the NetSupport client configured to connect to an attacker-controlled gateway. The Inno Setup manifest requests asInvoker privileges ^[strings.txt:9451], meaning it does not require UAC elevation unless the bundled NetSupport installer does.

The 3.07 MB overlay (offset 0xDA400) is an encrypted Inno Setup data archive using LZMA(2) compression ^[strings.txt:7053-7056], ^[binwalk.txt:5-11]. The overlay starts with the four bytes 7a 6c 62 1a (ASCII "zlb" followed by 0x1a), a zlib-like preamble that is not standard zlib: Inno Setup uses its own archive format with optional AES-256-CTR or ChaCha20 encryption (TSetupEncryptionKey / TSetupEncryptionNonce are visible in strings) ^[strings.txt:7058-7059], ^[strings.txt:9422]. The archive cannot be extracted statically without the runtime decryption key, which is supplied at installation time or embedded in the setup script.
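As an added triage helper (not part of the report's tooling), the following locates the PE overlay from the section table and checks whether it opens with the Inno Setup block ID "zlb\x1a", which is what the 7a 6c 62 1a preamble above decodes to. It runs on a constructed toy PE32, not the real sample.

```python
import struct

# Inno Setup compressed-block signature (ZLIBID = 'zlb'#26 in the Inno Setup
# sources); the report's preamble 7a 6c 62 1a decodes to exactly these bytes.
INNO_BLOCK_ID = b"zlb\x1a"

def overlay_offset(data: bytes) -> int:
    """Return the offset where section data ends, i.e. where any overlay begins."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sec = pe + 24 + opt_size                 # first IMAGE_SECTION_HEADER
    end = sec + 40 * nsections               # at least past the headers
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end

def inspect_overlay(data: bytes) -> dict:
    """Report overlay position/size and whether it opens with the Inno block ID."""
    off = overlay_offset(data)
    ov = data[off:]
    return {"offset": off, "size": len(ov), "inno_block": ov[:4] == INNO_BLOCK_ID}

def build_sample() -> bytes:
    """Constructed toy PE32 (not the real sample): one section plus an overlay."""
    pe_off, opt_size = 0x40, 0xE0
    sec = pe_off + 24 + opt_size
    raw_ptr = (sec + 40 + 0x1FF) & ~0x1FF    # 512-byte file alignment
    raw_size = 0x200
    buf = bytearray(raw_ptr + raw_size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, pe_off + 4, 0x14C, 1)     # i386, 1 section
    struct.pack_into("<H", buf, pe_off + 20, opt_size)
    struct.pack_into("<H", buf, pe_off + 24, 0x10B)        # PE32 magic
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", buf, sec + 16, raw_size, raw_ptr)
    return bytes(buf) + INNO_BLOCK_ID + b"\x00" * 60       # constructed overlay

if __name__ == "__main__":
    print(inspect_overlay(build_sample()))   # {'offset': 1024, 'size': 64, 'inno_block': True}
```

Point it at a real Inno Setup installer by passing the file's bytes to inspect_overlay; a True inno_block with a multi-megabyte overlay is the cheap first check before any decryption attempt.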

The .rsrc section contains a 256×256 PNG icon masquerading as an Intel driver installer ^[binwalk.txt:12], plus an XML assembly manifest that references JR.Inno.Setup and declares side-by-side DLL dependencies including winhttp.dll, mpr.dll, netapi32.dll, version.dll ^[strings.txt:9469-9475]. The manifest includes standard Windows OS compatibility GUIDs for Vista through Windows 10/11 ^[strings.txt:9462-9466].

Decompiled Behavior

Entry point (entry0) at 0x4B1E60 is standard Inno Setup loader initialization ^[r2:entry0]. It sets up structured exception handling (SEH) frames and calls initialization functions for the Delphi runtime (fcn.0040e6a4), setup messages (fcn.004aa1c8), and the main setup wizard (fcn.004a4b30). The decompiled entry shows no anti-analysis or sandbox-gate logic — this is plain installer bootstrap. No PEB-walking, no hash-based API resolution, no debugger checks. The binary relies entirely on its benign toolchain for evasion.

  • fcn.0040e6a4: Delphi RTL initialization (System.InitInstance pattern)
  • fcn.004aa1c8: Setup message / language string loading
  • fcn.004a4b30: Main setup wizard loop — UI creation, archive extraction, file installation

The standard import table is intact (the IAT is not zeroed out). Delay imports include GetLogicalProcessorInformation, MessageBoxA, and GetNativeSystemInfo from kernel32.dll / user32.dll ^[pefile.txt:DelayImport], confirming x86 compatibility checks via standard Windows APIs.

C2 Infrastructure

No hardcoded IPs, domains, or URLs in static strings. NetSupport Manager's gateway settings are likely embedded inside the encrypted Inno Setup archive, not visible without runtime decryption or dynamic execution. The winhttp.dll side-by-side dependency suggests the dropped payload may use HTTP/S for gateway communication, but this is inferred from toolchain behavior, not static indicators.

Inference: NetSupport Manager typically connects to a gateway server on port 443 or 5405. The attacker overrides the legitimate gateway string in client32.ini to point to their own infrastructure.

Interesting Tidbits

  • The OriginalFileName field is 50 spaces — a deliberate attempt to obscure the true filename ^[exiftool.json].
  • Inno Setup 6.7.0 is the current stable release (as of 2025-2026); the actor is using an up-to-date toolchain to maximize compatibility and evade outdated signatures.
  • The TSetupEncryptionKey and ChaCha20 strings in the binary indicate the overlay archive may be encrypted with a ChaCha20-AES-CTR hybrid, a feature added in Inno Setup 6.1+. This prevents static extraction of the payload.
  • Co-labeled hippamsascom and sunwukong by OpenCTI — these are false-positives from shared MalwareBazaar tags, not structural similarity. The binary bears no resemblance to the MSVC x64 self-loader family.

How To Mess With It (Homelab Replication)

  1. Download Inno Setup 6.7.0 from jrsoftware.org
  2. Write a minimal .iss script that bundles NetSupport Manager client installer + a modified client32.ini.
  3. Add Encryption=yes and EncryptionKey=<password> to encrypt the archive.
  4. Set VersionInfoDescription=Intel Graphics Driver Setup, VersionInfoCompanyName=Intel Corporation, SetupIconFile=intel.ico.
  5. Compile to Output.exe. Run capa Output.exe — should hit installer file limitation only, no malicious capa rules.
  6. The evasion comes from legitimate software abuse, not binary-level tricks. Detection must target the NetSupport config override or network behavior, not the installer itself.
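Step 6 and the C2 section above both say detection should target the client32.ini gateway override rather than the installer. This added check (not from the report) parses a constructed client32.ini, extracts the gateway, and flags anything outside an organisational allowlist; the [HTTP] GatewayAddress / Port key names are assumed from public NetSupport write-ups, and the allowlist host is a placeholder.

```python
import configparser
import ipaddress

# Constructed allowlist: gateways the organisation actually operates.
ALLOWED_GATEWAYS = {"nsm-gateway.corp.example"}
# Ports the report names as the usual NetSupport gateway ports.
GATEWAY_PORTS = {443, 5405}

# Constructed client32.ini fragment; the [HTTP] GatewayAddress / Port key names
# follow public NetSupport RAT write-ups and are an assumption, not report data.
SUSPICIOUS_INI = """\
[HTTP]
GatewayAddress=203.0.113.10:443
Port=443
"""

def load_ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str          # keep key case exactly as NetSupport writes it
    cp.read_string(text)
    return cp

def parse_gateway(cp: configparser.ConfigParser):
    """Return (host, port) from [HTTP] GatewayAddress, or None if it is unset."""
    addr = cp.get("HTTP", "GatewayAddress", fallback="").strip()
    if not addr:
        return None
    host, sep, port = addr.rpartition(":")
    if not sep:                   # bare host: fall back to the separate Port key
        host, port = addr, cp.get("HTTP", "Port", fallback="443")
    return host, int(port)

def assess(text: str) -> dict:
    """Flag a client32.ini whose gateway is not one the organisation operates."""
    cp = load_ini(text)
    gw = parse_gateway(cp)
    reasons = []
    if gw:
        host, port = gw
        if host not in ALLOWED_GATEWAYS:
            reasons.append(f"gateway {host}:{port} not in allowlist")
            if port in GATEWAY_PORTS:
                reasons.append(f"port {port} matches typical NetSupport gateway ports")
        try:
            ipaddress.ip_address(host)
            reasons.append("gateway is an IP literal, not a corporate hostname")
        except ValueError:
            pass                  # hostname, as a managed deployment would use
    return {"gateway": gw, "suspicious": bool(reasons), "reasons": reasons}
```

Run assess() over every client32.ini found under the NetSupport install directories on an endpoint; a hit is the config-override signal the installer-level rules cannot give you.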

Deployable Signatures

YARA Rule

rule NetsupportInnoDropper_Masquerade
{
    meta:
        description = "Inno Setup installer masquerading as Intel Graphics Driver, likely NetSupport RAT dropper"
        author = "titus"
        date = "2026-06-15"
        family = "netsupport-inno-dropper"
    strings:
        $inno1 = "Inno Setup Setup Data (6.7.0)" ascii
        $inno2 = "Inno Setup Messages (6.5.0)" ascii
        $intel1 = "Intel Graphics Driver Setup" wide
        $intel2 = "Intel Corporation" wide
        $intel3 = "34.0.93.1512" wide
        $setup_ldr = "SetupLdr.e32" ascii
    condition:
        uint16(0) == 0x5A4D and
        $setup_ldr and
        ($inno1 or $inno2) and
        ($intel1 or $intel2 or $intel3)
}

Behavioral Hunt Query (Sigma)

title: NetSupport Manager Client Installed via Masqueraded Installer
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'client32.exe'
            - 'pcicfg.ini'
            - 'gateway'
    parent_masquerade:
        ParentImage|endswith:
            - '\IntelGraphicsHelper.exe'
            - '\IntelGraphicsDriver.exe'
            - '\IntelUpdate.exe'
    condition: selection and parent_masquerade
falsepositives:
    - None known; legitimate Intel installers do not drop NetSupport binaries
level: high

IOC List

Indicator           Type    Value
SHA-256             hash    177bfc846a77617931f7e6651a26df92511c7f60c0170001d67b982c09a677d1
Filename            string  IntelGraphicsHelper.exe
Masquerade company  string  Intel Corporation
Masquerade product  string  Intel Graphics Driver Setup
Masquerade version  string  34.0.93.1512
Toolchain marker    string  Inno Setup Setup Data (6.7.0)
Toolchain marker    string  Inno Setup Messages (6.5.0) (u)
Delay import        api     GetLogicalProcessorInformation
Delay import        api     MessageBoxA
Delay import        api     GetNativeSystemInfo
Resource icon       hash    1b23211b94c0a900ed4231c7654192af079336dbf4004452393590a6109efba7 (PNG 256×256)

Behavioral Fingerprint

This binary is a 4.1 MB Inno Setup PE32 installer with standard import table and no anti-analysis. It carries version info masquerading as an Intel graphics driver update, contains a 3.07 MB encrypted LZMA-compressed overlay archive, and drops NetSupport Manager Remote Control software with attacker-controlled gateway configuration. The evasion is toolchain-legitimacy: the installer itself is benign software repurposed to install a legitimate remote-access tool with a hijacked config.

Detection Signatures

  • CAPA: installer file limitation triggered; no malicious capabilities detected in the bootstrap binary itself ^[capa.txt]
  • FLOSS: CLI mis-invocation — no decoded strings produced ^[floss.txt]
  • YARA: PE_File_Generic only ^[yara.txt]

Provenance

Static analysis performed on IntelGraphicsHelper.exe (SHA-256: 177bfc846a77617931f7e6651a26df92511c7f60c0170001d67b982c09a677d1). Tools: file(1), pefile (Python), strings, radare2 (aaa analysis), binwalk, capa v7, exiftool. No dynamic execution (CAPE skipped — no Windows guest). Overlay archive not extracted (encrypted Inno Setup format, key not recoverable statically).