MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a327e8a5d5a9d9a0384555b354d2a7d4532f078dc1884706d2e2b4e524042982. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a327e8a5d5a9d9a0384555b354d2a7d4532f078dc1884706d2e2b4e524042982
SHA3-384 hash: 8957a038601a4d672536873b10bdcd5d7ed2ca5fdf8e9052667edadf84669f575548d43ccdf6f571100c0ae44c879c37
SHA1 hash: d7f97b7dc75f2a81fb521450de41596b71c797a7
MD5 hash: 307d3a6c607858692ae50922a077bc1d
humanhash: social-jupiter-zebra-vegan
File name:64704bebce64f.ps1
Download: download sample
Signature NetSupport
Create hunting rule
File size:2'219 bytes
First seen:2023-05-26 06:05:47 UTC
Last seen:2023-05-26 07:23:26 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 48:LGfEFWuJqs9HZNjd+SfprcKyK0hE6S1FtfsC5P3RX5ZWiaoIhSNte:LGfEFW87jd+Sfpbaq6S1FtfsC5P39Efn
TLSH T1A141CB7CCF29F8E0033DB0A088492E2620949E57D6B58E24D9574EE62D7C24ADF2B19C
Reporter JAMESWT_WT
Tags:NetSupport ps1

Intelligence

File Origin
# of uploads :
2
# of downloads :
193
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.HEUR.Trojan.PowerShell.Generic.24203.31744.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64704c4a3805d8bd9b28d51a/reports/9873cc3e-2a8d-472d-966e-e948d7859445/overview
Verdict:
Suspicious
Labled as:
Trojan.PowerShell
Link:
https://www.hybrid-analysis.com/sample/a327e8a5d5a9d9a0384555b354d2a7d4532f078dc1884706d2e2b4e524042982
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Empire PowerShell Request
Detected a base64 encoded Powershell HTTP request that is likely sourced from Empire.
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243034
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Delayed program exit found
Encrypted powershell cmdline option found
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Powershell drops NetSupport RAT client
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 876044 Sample: 64704bebce64f.ps1 Startdate: 26/05/2023 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Multi AV Scanner detection for domain / URL 2->42 44 Antivirus detection for URL or domain 2->44 46 3 other signatures 2->46 7 powershell.exe 17 2->7         started        10 client32.exe 2->10         started        12 client32.exe 2->12         started        process3 signatures4 52 Very long command line found 7->52 54 Encrypted powershell cmdline option found 7->54 56 Bypasses PowerShell execution policy 7->56 58 Powershell drops PE file 7->58 14 powershell.exe 1 51 7->14         started        18 conhost.exe 7->18         started        process5 dnsIp6 38 192.168.2.1 unknown unknown 14->38 24 C:\Users\user\AppData\...\remcmdstub.exe, PE32 14->24 dropped 26 C:\Users\user\AppData\Roaming\...\pcicapi.dll, PE32 14->26 dropped 28 C:\Users\user\AppData\...\client32.exe, PE32 14->28 dropped 30 7 other files (6 malicious) 14->30 dropped 20 client32.exe 15 14->20         started        file7 process8 dnsIp9 32 blahadfurtik.com 91.215.85.180, 49710, 5222 PINDC-ASRU Russian Federation 20->32 34 geography.netsupportsoftware.com 51.142.119.24, 49711, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United Kingdom 20->34 36 geo.netsupportsoftware.com 20->36 48 Multi AV Scanner detection for dropped file 20->48 50 Delayed program exit found 20->50 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a327e8a5d5a9d9a0384555b354d2a7d4532f078dc1884706d2e2b4e524042982/
Threat name:
Win32.Trojan.Seheq
Create hunting rule
Status:
Malicious
First seen:
2023-05-26 06:06:03 UTC
File Type:
Text (Batch)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=umt6rjovvhm2aocfkwzvjuvh2rjs6b4nygeeobws4k2okjaefgba._file
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport persistence rat
Link:
https://tria.ge/reports/230526-hqx1aaeg7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
NetSupport
Malware Config
Dropper Extraction:
https://figocoin.it/auth.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a327e8a5d5a9d9a0384555b354d2a7d4532f078dc1884706d2e2b4e524042982

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments