MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7b0e2d3354a350f9652e570b3bc0a5223dbf7f250dd772900beddecdb749929. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport
Vendor detections: 8



SHA256 hash: a7b0e2d3354a350f9652e570b3bc0a5223dbf7f250dd772900beddecdb749929
SHA3-384 hash: 554f59f49bf21c0d7816d0be0fd39a677b0bddd60a02089052752d870f69b26ec0d6a3014bc3e46869504b41202110e0
SHA1 hash: 10c65de1edd53a9187ad877702b43587c36abef1
MD5 hash: 887852b971351bacd528d47a68f2e9ea
humanhash: india-apart-cup-mockingbird
File name: file3.ps1
Signature: NetSupport
File size: 2'233 bytes
First seen: 2023-05-12 12:25:55 UTC
Last seen: 2023-05-12 13:53:26 UTC
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 48:gGfwTURYjOqgfS1vmLtvvluC07lyvpPIos/58ElawZFFq4aBM4T/:gGfwOfS1vmvUlyvSog58ElawZFFOMo
Threatray: 211 similar samples on MalwareBazaar
TLSH: T1A241CBB9CEBCF5E0037C71E485152A1B10946E23D7F59E20E90248E61C78705EF2B28C
Reporter: Anonymous
Tags: NetSupport ps1

Intelligence

File Origin
# of uploads: 2
# of downloads: 167
Origin country: DE
Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Details:
  Base64 Encoded Powershell Directives: Detected one or more base64 encoded Powershell directives.
  Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
  Empire PowerShell Request: Detected a base64 encoded Powershell HTTP request that is likely sourced from Empire.
Result
Threat name: NetSupport RAT
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature:
  Antivirus detection for URL or domain
  Bypasses PowerShell execution policy
  Encrypted powershell cmdline option found
  Multi AV Scanner detection for dropped file
  Potential dropper URLs found in powershell memory
  Powershell drops PE file
  Sigma detected: Powershell drops NetSupport RAT client
  Snort IDS alert for network traffic
  Uses known network protocols on non-standard ports
  Very long command line found
Result
Malware family: netsupport
Score: 10/10
Tags: family:netsupport persistence rat
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Adds Run key to start application
  Executes dropped EXE
  Loads dropped DLL

NetSupport
Malware Config
Dropper Extraction: https://stackapk.com/pages/apostrk.php

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

Additional information about this malware sample, such as delivery method and external references:

Delivery method: Other

Comments