MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e058d7231f3988e107157842935db6b35b3079baf30cedee7bff0fc9544c9f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e058d7231f3988e107157842935db6b35b3079baf30cedee7bff0fc9544c9f9
SHA3-384 hash: 9fb30aa2af41863fbcadf4d030d008169fb5dd9091ac6fccb681ced0d685064c40afbc2fd43bbadb7fc28783abe3704d
SHA1 hash: 1446250f8e36b3a40c4e5c7a63a3f0de05a19d04
MD5 hash: cc041c5e1070bd8447d3abdacda41334
humanhash: december-california-muppet-quebec
File name:n2qa1_19072022_085327.vbs
Download: download sample
Signature NetSupport
Create hunting rule
File size:20'768 bytes
First seen:2022-07-19 18:17:25 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:xFcE38pJdCZNRhsfqTpj/zjHuG+oY05Ad/iII5sltlgG:hLqBjljgG
Threatray 82 similar samples on MalwareBazaar
TLSH T1F6927C6D034FA4E89773ACC88AD5AC57FB7486264A2CCAC89F70FEF62410174A4F551D
Reporter abuse_ch
Tags:NetSupport vbs


Avatar
abuse_ch
Payload URL:
https://a2p2pulsepower.org/wp-content/plugins/index.html

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291969/
Detection(s):
SecuriteInfo.com.ISB.Downloadergen80.19688.8848.UNOFFICIAL
Create hunting rule

Result
Verdict:
SUSPICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1036802
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Malicious sample detected (through community Yara rule)
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
Uses known network protocols on non-standard ports
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 669306 Sample: n2qa1_19072022_085327.vbs Startdate: 19/07/2022 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 Yara detected Powershell download and execute 2->50 52 Uses known network protocols on non-standard ports 2->52 8 wscript.exe 1 2->8         started        11 presentationhost.exe 2->11         started        13 presentationhost.exe 2->13         started        process3 signatures4 56 VBScript performs obfuscated calls to suspicious functions 8->56 58 Wscript starts Powershell (via cmd or directly) 8->58 60 PowerShell case anomaly found 8->60 15 cmd.exe 1 8->15         started        process5 signatures6 62 Suspicious powershell command line found 15->62 64 Wscript starts Powershell (via cmd or directly) 15->64 66 Encrypted powershell cmdline option found 15->66 68 2 other signatures 15->68 18 powershell.exe 15 33 15->18         started        23 conhost.exe 15->23         started        process7 dnsIp8 36 a2p2pulsepower.org 85.234.143.107, 443, 49722 SIMPLYTRANSITGB United Kingdom 18->36 38 192.168.2.1 unknown unknown 18->38 28 C:\Users\user\AppData\...\remcmdstub.exe, PE32 18->28 dropped 30 C:\Users\user\...\presentationhost.exe, PE32 18->30 dropped 32 C:\Users\user\AppData\Roaming\...\pcicapi.dll, PE32 18->32 dropped 34 6 other malicious files 18->34 dropped 54 Powershell drops PE file 18->54 25 presentationhost.exe 18->25         started        file9 signatures10 process11 dnsIp12 40 pinustamilbe10.com 151.236.14.69, 2940, 49723 NFORCENL European Union 25->40 42 geography.netsupportsoftware.com 62.172.138.35, 49724, 80 BTGB United Kingdom 25->42 44 geo.netsupportsoftware.com 25->44
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e058d7231f3988e107157842935db6b35b3079baf30cedee7bff0fc9544c9f9/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dycy24rr6omi4edrk6ccsno3nm23gb43v4ym5xxhx7ypzfkezh4q._file
Verdict:
unknown
Similar samples:
23c5fd678c02a42319b75ce0c9eb6c7e8da260aff6bbc658d8bc53f268c08401
NetSupport
3d47aa3f5d36514cf264d75f75774318f4a00f8258c73f61631f995613f7290d
NetSupport
5109678b00c6140a7f3183450dd0020be13d38f4ed8adcc820c2c12aa1d66ac3
NetSupport
60c43df102c498b3c295c0c02327a94141f127d076c0a493dcc9cedc02a0b8fb
NetSupport
61076154b44e1f08103e894a49846e3bed31b229d9bb8f3ab255654293d393a2
NetSupport
996004853edac15918294b18cc8f7145b2e4f230f83fc90314c8253a9eb3772f
NetSupport
a60f3cfa331d387f6c6f704f97320d7743d28fa3499eae89422bba890036e2a1
NetSupport
ba9dbb2b898adf2758437959eddda224bcc46b48a31c0eed57f5517cfe68f68d
NetSupport
f2efc8376672bf6b9835f05bb88ab7e742c9d35144ef24c4d963f0e1ae1af783
NetSupport
+ 72 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport persistence rat
Link:
https://tria.ge/reports/220719-wxlgqafhe5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
NetSupport
Malware Config
Dropper Extraction:
https://a2p2pulsepower.org/wp-content/plugins/index.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e058d7231f3988e107157842935db6b35b3079baf30cedee7bff0fc9544c9f9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/2259060/
Cape
Cape
https://www.capesandbox.com/analysis/291969/

Comments