MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33d4101dc18a5a6ff3fcaf12b38e6b294bfb3ad188d4dc0a7320690de750af7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 8



SHA256 hash: 33d4101dc18a5a6ff3fcaf12b38e6b294bfb3ad188d4dc0a7320690de750af7d
SHA3-384 hash: 1c935444dc37bf7ee56217c563a0dcfb3406fdc8af49fb89e5cd5089d244818489d94a85ececadce1982896e943f461a
SHA1 hash: 3e7ce589420cc0d7901859fea4fc64a551e1470f
MD5 hash: 2106ad19ac89d02c6e57cd97e2039dce
humanhash: mountain-sodium-speaker-gee
File name: 33d4101dc18a5a6ff3fcaf12b38e6b294bfb3ad188d4dc0a7320690de750af7d.ps1
Signature: NetSupport
File size: 499 bytes
First seen: 2025-12-30 19:14:11 UTC
Last seen: 2025-12-31 14:10:07 UTC
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 12:ZYL+w+RQ/0wuzDB2cd0JNPT6bB4wKAH+LgyaICQZ2MhA9nCEFoI1kD1:ZYL+H2/bul+16bB4v0+LAQ7hAlPqD1
TLSH: T109F005025FB159EACED68146D0454500A45F38693349395135E06E702DCC0FD94360E0
Magika: powershell
Reporter: JAMESWT_WT
Tags: 185-39-19-96 NetSupport ps1 relativegoingplanning-net

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC ThreatFox Reference
172.67.173.3:443 https://threatfox.abuse.ch/ioc/1688871/
185.39.19.96:443 https://threatfox.abuse.ch/ioc/1688872/

Intelligence


File Origin
# of uploads: 2
# of downloads: 43
Origin country: IT

Vendor Threat Intelligence
No detections

Verdict: Malicious
Score: 97.4%
Tags: vmdetect autorun netsup madi

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm base64 obfuscated obfuscated powershell

Verdict: Malicious
File Type: ps1
First seen: 2025-12-30T16:30:00Z UTC
Last seen: 2025-12-30T18:58:00Z UTC
Hits: ~10
Detections: Trojan-Downloader.Win32.Paph.b PDM:Trojan.Win32.Generic Backdoor.RABased.HTTP.C&C RemoteAdmin.NetSup.HTTP.C&C

Verdict: Malware
YARA: 2 match(es)
Tags: DeObfuscated PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments