MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7b46caebba2157fa58f06d9b6571939e4d51882dc8000c8c264a585b5eedf98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7b46caebba2157fa58f06d9b6571939e4d51882dc8000c8c264a585b5eedf98
SHA3-384 hash: 33383da012a09402df17aa0793561acc99f87cd8c2d0fb9446797b1a360e545cbaca8be1e962941208f825ab9f606061
SHA1 hash: 1adcd07caff87ff9b0598ebc2d48bcc86aa89bd6
MD5 hash: 224bcc0a40cc43add82f5b03a11e59e3
humanhash: spring-don-enemy-nevada
File name:KDT.ps1
Download: download sample
Signature NetSupport
Create hunting rule
File size:9'256'542 bytes
First seen:2025-08-26 15:15:07 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 49152:JVI6zqRmxOIMDqH/nXjsmEtVMGOw1tkzneDXqHI8cWiOkiZM/0qZFiSpFOUo:F
Threatray 869 similar samples on MalwareBazaar
TLSH T166968C748B889B5EAE6E1907E0795B1F77F37F66D09271FC46622307266FD082239C48
Magika powershell
Reporter abuse_ch
Tags:194-0-234-17 NetSupport ps1


Avatar
abuse_ch
NetSupport C2:
194.0.234.17:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.0.234.17:443 https://threatfox.abuse.ch/ioc/1567750/

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68adcfabeb163e0ec182cdf1
Tags:
vmdetect autorun netsup
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d7b46caebba2157fa58f06d9b6571939e4d51882dc8000c8c264a585b5eedf98
Verdict:
Adware
File Type:
ps1
First seen:
2025-08-25T18:23:00Z UTC
Last seen:
2025-08-25T18:23:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic not-a-virus:RemoteAdmin.Win32.NetSup.a RemoteAdmin.NetSup.UDP.C&C RemoteAdmin.NetSup.HTTP.C&C
Link:
https://opentip.kaspersky.com/d7b46caebba2157fa58f06d9b6571939e4d51882dc8000c8c264a585b5eedf98/results?tab=lookup
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1765578
Signature
AI detected malicious Powershell script
Contains functionalty to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Powershell creates an autostart link
Sigma detected: Execution from Suspicious Folder
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1765578 Sample: KDT.ps1 Startdate: 26/08/2025 Architecture: WINDOWS Score: 100 25 geo.netsupportsoftware.com 2->25 33 Suricata IDS alerts for network traffic 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Sigma detected: MSHTA Suspicious Execution 01 2->37 39 7 other signatures 2->39 9 uclient.exe 16 2->9         started        13 powershell.exe 36 2->13         started        15 svchost.exe 1 1 2->15         started        signatures3 process4 dnsIp5 27 194.0.234.17, 443, 49686 EDPNETBE Belgium 9->27 29 geo.netsupportsoftware.com 172.67.68.212, 49687, 49688, 49689 CLOUDFLARENETUS United States 9->29 41 Contains functionalty to change the wallpaper 9->41 43 Delayed program exit found 9->43 45 Found suspicious powershell code related to unpacking or dynamic code loading 13->45 47 Powershell creates an autostart link 13->47 17 cmd.exe 1 13->17         started        19 conhost.exe 13->19         started        31 127.0.0.1 unknown unknown 15->31 signatures6 process7 process8 21 mshta.exe 1 17->21         started        process9 23 uclient.exe 21->23         started       
Score:
82%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d7b46caebba2157fa58f06d9b6571939e4d51882dc8000c8c264a585b5eedf98
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7b46caebba2157fa58f06d9b6571939e4d51882dc8000c8c264a585b5eedf98/
Verdict:
Malicious
Threat:
Family.NETSUPPORT
Link:
https://tip.neiki.dev/file/d7b46caebba2157fa58f06d9b6571939e4d51882dc8000c8c264a585b5eedf98
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=262gzlv3uikx7jmpa3m3mvyzhhsnkgec3saabsgcmssylnpo36ma._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
7831c040565e36128d3f589b734338eb5cf216290dc0c2138d8564689991ae62
NetSupport
c97adcbfb32cd9719b5067c875527e7434409e0bcddeb6b50fc51b255a94c52f
NetSupport
ce15d5dc596387515a6efad0fffa352d1fa10365b223d07cb50019c4c8d23652
NetSupport
ea35797a9556636378031645a48f089087cd258f8e40e1399aa371b2cca3cb7f
NetSupport
error
NetSupport
ff2db923f9b0b3d9122b852b36552c881d26e863f0fa078eefca74f2de11ba57
NetSupport
+ 859 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport defense_evasion discovery execution rat
Link:
https://tria.ge/reports/250826-sn8zwa1k19/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies trusted root certificate store through registry
NetSupport
Netsupport family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7b46caebba2157fa58f06d9b6571939e4d51882dc8000c8c264a585b5eedf98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:SUSP_Double_Base64_Encoded_Executable_RID34CC
Create hunting rule
Author:Florian Roth
Description:Detects an executable that has been encoded with base64 twice
Reference:https://twitter.com/TweeterCyber/status/1189073238803877889
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NetSupport

PowerShell (PS) ps1 d7b46caebba2157fa58f06d9b6571939e4d51882dc8000c8c264a585b5eedf98

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3601526/
  
Delivery method
Distributed via web download

Comments