MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0672a1f986bf8c8cfe5e33632de86c77e4742f70ae900d1973b6bc3cb436a6dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0672a1f986bf8c8cfe5e33632de86c77e4742f70ae900d1973b6bc3cb436a6dc
SHA3-384 hash: 47e80bea9f37c763c09dc54ad35775c7da5ac011d349f94a8c32adecd6a7166889110d95b896f92f98e8080f3ee3adb0
SHA1 hash: c355dd7656ba489d2c96c8f90ab0b1928b5fe689
MD5 hash: 9f8a52cc7ad3a4a37d588be59255a250
humanhash: beryllium-cup-uncle-rugby
File name:payload_1.ps1
Download: download sample
Signature NetSupport
Create hunting rule
File size:7'272'725 bytes
First seen:2025-12-01 12:10:21 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 49152:TdPmX3AXU+yY/F4+9J5Py/nXOtAT9qN5izc829/EvUw2Z2ORDHHIS8H4l/Tw/b6M:K
Threatray 1'269 similar samples on MalwareBazaar
TLSH T10D768DB284577C37BD6D384B50042FA29E69164B67188E46FB303779B2EC951DE3C8B8
Magika powershell
Reporter smica83
Tags:NetSupport ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
54
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
NetSupport
Details
No details
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692d85bcc908fdc697474fad
Tags:
vmdetect netsup madi
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm anti-vm base64 base64 cmd control cscript dropper evasive expired-cert exploit explorer fingerprint fingerprint hh keylogger lolbin netsupportmanager obfuscated overlay packed remoteadmin unsafe wscript
Link:
https://www.filescan.io/uploads/692d85b91b65ca0bb928f208/reports/63bc6394-4927-4272-8c71-7d1eef25251b/overview
Verdict:
Suspicious
Labled as:
Generik.CXVGJUJ trojan
Link:
https://www.hybrid-analysis.com/sample/0672a1f986bf8c8cfe5e33632de86c77e4742f70ae900d1973b6bc3cb436a6dc
Verdict:
Adware
File Type:
ps1
First seen:
2025-12-01T09:37:00Z UTC
Last seen:
2025-12-02T08:25:00Z UTC
Hits:
~10
Detections:
RemoteAdmin.NetSup.UDP.C&C RemoteAdmin.NetSup.HTTP.C&C not-a-virus:RemoteAdmin.Win32.NetSup.a
Link:
https://opentip.kaspersky.com/0672a1f986bf8c8cfe5e33632de86c77e4742f70ae900d1973b6bc3cb436a6dc/results?tab=lookup
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1823534
Signature
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Delayed program exit found
Drops executable to a common third party application directory
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Powershell creates an autostart link
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0672a1f986bf8c8cfe5e33632de86c77e4742f70ae900d1973b6bc3cb436a6dc
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Base64 Block Base64 Payload Contains Base64 Block Executable Invalid PE PE (Portable Executable) PowerShell
Link:
https://app.malva.re/file/9f8a52cc7ad3a4a37d588be59255a250
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0672a1f986bf8c8cfe5e33632de86c77e4742f70ae900d1973b6bc3cb436a6dc/
Verdict:
Malicious
Threat:
Family.NETSUPPORT
Link:
https://tip.neiki.dev/file/0672a1f986bf8c8cfe5e33632de86c77e4742f70ae900d1973b6bc3cb436a6dc
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azzkd6mgx6giz7s6gnrs32dmo7shil3qv2ia2gltw26dznbwu3oa._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
08c1dda71b069e88fa2bfdc7ea05a24c0a60252f19620c70cb5b43f3055d2f0f
NetSupport
106c3f2d167ecbe92838c5f4cea41bae62a4f4621817f297c5046ad6d41c7ff4
NetSupport
418744fa1ade539c280461387df87dda6bf84c7d755ebbbdc6123fd5659f9467
NetSupport
b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad
NetSupport
d39c9278a6f915e3d87e4bdf4bbd820a3fad7b31b696bb05367347541549caa5
NetSupport
db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856
NetSupport
error
NetSupport
+ 1'259 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery execution rat
Link:
https://tria.ge/reports/251201-pcbcpahz6f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Drops startup file
Executes dropped EXE
Loads dropped DLL
NetSupport
Netsupport family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NetSupportRAT_Config
Create hunting rule
Author:abuse.ch
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

PowerShell (PS) ps1 0672a1f986bf8c8cfe5e33632de86c77e4742f70ae900d1973b6bc3cb436a6dc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3722919/
  
Delivery method
Distributed via web download

Comments