MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d6c081ac54baaa002cff13ce739d3f7745dc646d021f103a0b59807db5143b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d6c081ac54baaa002cff13ce739d3f7745dc646d021f103a0b59807db5143b7
SHA3-384 hash: cb51dbf090aa6f9ee3cc14a27d91fb909547130b6f960fdc10449d157c268e0bd7ec769a2e3aff7dc92e3e14f7931664
SHA1 hash: 8bbef15eef96bad76b1cf8fb29895191a0d8bb84
MD5 hash: a02ae4594adc3ed2a6160c84f5cb3a9e
humanhash: lemon-wyoming-oxygen-white
File name:file1.ps1
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'229 bytes
First seen:2023-05-12 10:45:04 UTC
Last seen:2023-05-17 11:53:01 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 48:gGfZjFWuJqs9HZNjd+SfprcKyK0hQeJYS1FtfsC5P3RX5ZmpiaoIhSNtM:gGfdFW87jd+SfpbaLJYS1FtfsC5P39Wn
Threatray 208 similar samples on MalwareBazaar
TLSH T13E41CB79CF69F8E0032D719088492E2620D89B57D6B58E34D9574AE92D7C206CF1B19C
Reporter Anonymous
Tags:NetSupport ps1

Intelligence

File Origin
# of uploads :
3
# of downloads :
147
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/645e18eb8723e91f5525db19/reports/603bff42-07f8-4988-8b88-c1c4b7bb7dde/overview
Verdict:
Suspicious
Labled as:
Trojan/PS.ShellLoader
Link:
https://www.hybrid-analysis.com/sample/8d6c081ac54baaa002cff13ce739d3f7745dc646d021f103a0b59807db5143b7
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Empire PowerShell Request
Detected a base64 encoded Powershell HTTP request that is likely sourced from Empire.
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1231515
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Delayed program exit found
Encrypted powershell cmdline option found
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Powershell drops NetSupport RAT client
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Very long command line found
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d6c081ac54baaa002cff13ce739d3f7745dc646d021f103a0b59807db5143b7/
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-12 10:46:06 UTC
File Type:
Text (Batch)
AV detection:
3 of 24 (12.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rvwaqgwfjovkaawp6e6oooot652f3rsg2aq7ca5awwmapw2rio3q._file
Verdict:
malicious
Similar samples:
23ec97b573fa3a2ff88e5689622b8b3b5406e09e77861c50665fd01067e2717e
NetSupport
28fb68d0fc8e305257af9613cf9cfeeb65d12379a7672541f7b3add0a58562a8
NetSupport
4689feea371ab0b27c3b7760ad99d3d587e770b36403fcaf795e4a5c17bef173
NetSupport
c4841e9b7456e77872f4ac49d68c54d26df696ce090833f4449ae7bf5057eb0f
NetSupport
c5abef1668afbaf378e02a420224ec01850559605143c17f5831b85afe136d5b
NetSupport
c9d2a196a3a7209755613e769531990104393b8e96971aa1d757e3ab84696f8b
NetSupport
db001e5eed23e82bc4bdd96f95d6db26e8209a087a6a09ea5434346b3d7e7856
NetSupport
fb76386ce3f17a25d59046a70cc05898bcccc7422ab92681777071e46d8943e5
NetSupport
+ 198 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport persistence rat
Link:
https://tria.ge/reports/230512-mty4zacg37/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
NetSupport
Malware Config
Dropper Extraction:
https://centrovetluanda.com/apply.php
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d6c081ac54b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2630698/
  
URLhaus
https://urlhaus.abuse.ch/url/2630701/
  
URLhaus
https://urlhaus.abuse.ch/url/2630703/

Comments