MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47cae3c0b59f0e6a33e7aed184fafd9b978b049a00a88ce1e93ec1ef538fff67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 12

Intelligence 12 IOCs YARA 28 File information Comments

SHA256 hash:	47cae3c0b59f0e6a33e7aed184fafd9b978b049a00a88ce1e93ec1ef538fff67
SHA3-384 hash:	1d2f561c794a9b6dca6eadb68cdbbda2295f92973fa9bcae3d854b110ab9d628846fabb9c91c74f62327a009b40e37ca
SHA1 hash:	2d6784ba31ada56dc6128f38ae14727b3eb3570d
MD5 hash:	2b5d6bb9b0925a8ddae834ed89d4f305
humanhash:	timing-princess-five-rugby
File name:	update.ps1
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	42'731 bytes
First seen:	2026-05-19 18:11:34 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	768:J2ZkfkFjXkk/HD4MrU7SQnppFROQW0Ab1sRuIgTFhx:gkkPD4b7JppmQrKTFX
TLSH	T1A9130E36EA92E88297D83D00C876FC59616426B1CBFBCC5CF78C6AFDB081E115B5469C
Magika	powershell
Reporter	Alex_sev
Tags:	djkmgndkjfgndfg-com Downloader FakeCaptcha NetSupport powershell ps1 runner script skadfjsdijfhsfso9to-com

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a0ca8104f2b29ce04016963

Tags:

vmdetect autorun netsup madi

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

base64 crypto packed powershell

Link:

https://www.filescan.io/uploads/6a0ca80defbd399b39bbe979/reports/147ec2a6-89d9-4b67-9d3b-f06ea6883dcd/overview

Verdict:

Suspicious

Labled as:

Trojan/PS.Runner

Link:

https://www.hybrid-analysis.com/sample/47cae3c0b59f0e6a33e7aed184fafd9b978b049a00a88ce1e93ec1ef538fff67

Verdict:

Malicious

File Type:

ps1

First seen:

2026-05-19T15:33:00Z UTC

Last seen:

2026-05-20T22:06:00Z UTC

Hits:

~10

Detections:

Backdoor.Win32.RABased.btw not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen

Link:

https://opentip.kaspersky.com/47cae3c0b59f0e6a33e7aed184fafd9b978b049a00a88ce1e93ec1ef538fff67/results?tab=lookup

Score:

94%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/47cae3c0b59f0e6a33e7aed184fafd9b978b049a00a88ce1e93ec1ef538fff67

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/47cae3c0b59f0e6a33e7aed184fafd9b978b049a00a88ce1e93ec1ef538fff67/

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/47cae3c0b59f0e6a33e7aed184fafd9b978b049a00a88ce1e93ec1ef538fff67

Threat name:

Script-PowerShell.Trojan.Powload

Status:

Malicious

First seen:

2026-05-19 18:12:36 UTC

File Type:

Text (PowerShell)

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i7fohqfvt4hgum7hv3iyj6x5tolywbe2acuizypjh3a66u4p75tq._file

Verdict:

suspicious

Label(s):

netsupportmanagerrat

Similar samples:

error

NetSupport

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport discovery execution persistence rat

Link:

https://tria.ge/reports/260519-ws4gqscw9m/

Behaviour

Scheduled Task/Job: Scheduled Task

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Executes dropped EXE

Loads dropped DLL

Badlisted process makes network request

Downloads MZ/PE file

Family: NetSupport

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/47cae3c0b59f0e6a33e7aed184fafd9b978b049a00a88ce1e93ec1ef538fff67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_NetSupportRAT_Config Create hunting rule
Author:	abuse.ch

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	MALWARE_Win_NetSupport Create hunting rule
Author:	ditekSHen
Description:	Detects NetSupport client

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NetSupport Create hunting rule
Author:	YungBinary
Description:	Detects NetSupport Manager RAT on disk or in memory

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Suspicious_Process Create hunting rule
Author:	Security Research Team
Description:	Suspicious process creation

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	test_rule_vldslv Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample