MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48a683e97f9f8cada3cbcc287632ddf8024a708ddb99e54b455b549546073542. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



NetSupport


Vendor detections: 12



SHA256 hash: 48a683e97f9f8cada3cbcc287632ddf8024a708ddb99e54b455b549546073542
SHA3-384 hash: c4d68124a35f69a74c3366c308d901289969c4c09cf2c12f0c3f2098531cc0a22fcaf2dd59536d056030653e9ff78750
SHA1 hash: 4df88bdd12ac3b926d21bccce6b8501bc0c401d3
MD5 hash: a772f8fc304311f31316c949acd2236a
humanhash: finch-victor-happy-utah
File name: sus.ps1
Signature: NetSupport
File size: 909 bytes
First seen: 2026-02-05 09:35:46 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep 24:1y2A4s9+NdgXTz3ZP70da2A4Mx2Ag0qGaQH6xvu2AQ2Aau+s:1lI9z3h0bM6JQcn
Threatray 1'089 similar samples on MalwareBazaar
TLSH T1661112ABD1502839E9530EDC6DC66440818F412B050B3A68F79D49812F9BF3DD9B812F
Magika powershell
Reporter smica83
Tags: activatenoda-dev jakkakaskakasj-com jasjdpoekkqwda-com NetSupport osdifbuertosisus-com ps1 trumbinostayu-com

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
87.120.93.67:443 | https://threatfox.abuse.ch/ioc/1741471/

Intelligence


File Origin
# of uploads: 1
# of downloads: 91
Origin country: HU
Vendor Threat Intelligence
No detections

Verdict: Malicious
Score: 97.4%
Tags: vmdetect autorun netsup madi

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: dropper obfuscated powershell

Verdict: Suspicious
Labeled as: UDS_TrojanDownloader_PowerShell_Agent

Verdict: Malicious
File Type: ps1
First seen: 2026-02-02T21:55:00Z UTC
Last seen: 2026-02-06T18:12:00Z UTC
Hits: ~100
Detections: Trojan.MSIL.Dnoper.sb, Backdoor.RABased.HTTP.C&C, BSS:Worm.Win32.BSS.ScreenLock, BSS:Trojan.Win32.Generic, Trojan-Downloader.PowerShell.Agent.sb, PDM:Trojan.Win32.Generic, NetTool.PowerShellGet.HTTP.C&C, not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen, RemoteAdmin.NetSup.HTTP.C&C, NetTool.PowerShellUA.HTTP.C&C, Trojan.PowerShell.Agent.azv

Result
Threat name: NetSupport RAT
Detection: malicious
Classification: rans.evad
Score: 80 / 100
Signature
AI detected malicious Powershell script
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Delayed program exit found
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Powershell drops PE file
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
[Behavior graph image not reproduced. Behavior Graph ID: 1863850; Sample: sus.ps1; Startdate: 05/02/2026; Architecture: WINDOWS; Score: 80]

Threat name: Script-PowerShell.Trojan.Heuristic
Status: Malicious
First seen: 2026-02-03 09:31:00 UTC
File Type: Text (PowerShell)
AV detection: 5 of 23 (21.74%)
Threat level: 2/5

Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport discovery execution rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Drops startup file
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Downloads MZ/PE file
NetSupport
Netsupport family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.
