MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 368d74adbbf7fc8398d9bebe64f10275c0caac68703ccdb1c3cbef52fe7db900. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 8



SHA256 hash: 368d74adbbf7fc8398d9bebe64f10275c0caac68703ccdb1c3cbef52fe7db900
SHA3-384 hash: 2d2dfdd112bcee954e4c87e659d38a332746f828509f4fb6f52dbf385861405d0261a4a51cfbbb9966068cd7e812cfee
SHA1 hash: 2feb9ff2e9ecee632a8ee7edf950dde60f956be6
MD5 hash: 3185d0e0c60786bcbdf7b6f23bc97448
humanhash: fruit-oklahoma-zebra-mobile
File name: file2.ps1
Signature: NetSupport
File size: 2'217 bytes
First seen: 2023-05-17 11:53:07 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 48:gGfKBfS1vmLtvvluC07lyvpPIos/58ElawZFFq4aBM4T/:gGfKBfS1vmvUlyvSog58ElawZFFOMo
Threatray: 227 similar samples on MalwareBazaar
TLSH: T1FC41DCB9CEBCF9E0037C71E485252D1710986E63D7F59E24E94249D61C78705EF2B28C
Reporter: Anonymous
Tags: NetSupport ps1

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 155
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Empire PowerShell Request
Detected a base64 encoded Powershell HTTP request that is likely sourced from Empire.
Result
Threat name: NetSupport RAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to modify clipboard data
Delayed program exit found
Encrypted powershell cmdline option found
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Powershell drops NetSupport RAT client
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Very long command line found
Behaviour
Behavior Graph (ID 868192; Sample: file2.ps1; Start date: 17/05/2023; Architecture: WINDOWS; Score: 100):
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 3 other signatures
Process tree: powershell.exe (started by the sample) -> powershell.exe and conhost.exe; two further client32.exe instances started directly by the sample; the child powershell.exe starts client32.exe
Signatures on the first powershell.exe: Very long command line found; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy; Powershell drops PE file
Files dropped by the child powershell.exe: C:\Users\user\AppData\...\remcmdstub.exe (PE32); C:\Users\user\AppData\Roaming\...\pcicapi.dll (PE32); C:\Users\user\AppData\...\client32.exe (PE32); 7 other files (6 malicious)
Network contacts by client32.exe: blahadfurtik.com 176.124.198.7, ports 49699 and 5222 (GULFSTREAMUA, Russian Federation); geography.netsupportsoftware.com 51.142.119.24, ports 49700 and 80 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United Kingdom); geo.netsupportsoftware.com
Signatures on client32.exe: Multi AV Scanner detection for dropped file; Contains functionality to modify clipboard data; Delayed program exit found
Threat name: Text.Trojan.Generic
Status: Suspicious
First seen: 2023-05-13 04:21:07 UTC
File type: Text (Batch)
AV detection: 3 of 24 (12.50%)
Threat level: 5/5
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport persistence rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
NetSupport
Malware Config
Dropper Extraction: https://obttech.com.vn/bldme.php

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Other
