MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6d4e6a686547d40a4e00d827bb2d572f7a1f997785af50d6ecd1c1446e7afcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NetSupport


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6d4e6a686547d40a4e00d827bb2d572f7a1f997785af50d6ecd1c1446e7afcf
SHA3-384 hash: 4ed5b209d8048c7e57ad83abd85f3e7da4ddaebdd18eacf137a0e7b994be922c93e97877eecae8de2f04a86c6cf6443d
SHA1 hash: 8a104c3a7460accaaece318bcc08b82fa4655dda
MD5 hash: 5fd4b4e5660f6fc8732b5202b699e505
humanhash: nitrogen-orange-twelve-jig
File name:HzGTvHpk.ps1
Download: download sample
Signature NetSupport
Create hunting rule
File size:17'568'774 bytes
First seen:2025-05-30 15:00:50 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 49152:drQVdaFEzTMR8tBxB7k1IvGaA1UzZtlzZIAA9jbiKWD+Qd3hoaOtVv729aTd4UPX:R
Threatray 931 similar samples on MalwareBazaar
TLSH T11607AD348B845B4EAEAE190BE07D5B1F22F37F66D0A2B1EC56633707265FD085639C48
Magika powershell
Reporter JAMESWT_WT
Tags:83-222-190-174 beerbadlove-com NetSupport ps1 thanksbadbeer-com

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
83.222.190.174:443 https://threatfox.abuse.ch/ioc/1519795/

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6839c97dacf88f5815e91560
Tags:
vmdetect netsup
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 dropper expired-cert lolbin netsupportmanager obfuscated obfuscated overlay packed persistence remote remoteadmin
Link:
https://www.filescan.io/uploads/6839c8442d1d8b12425e025d/reports/564116d9-a970-47ff-92e6-87df753569e7/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e6d4e6a686547d40a4e00d827bb2d572f7a1f997785af50d6ecd1c1446e7afcf
Result
Threat name:
NetSupport RAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1702470
Signature
AI detected malicious Powershell script
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
Score:
94%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e6d4e6a686547d40a4e00d827bb2d572f7a1f997785af50d6ecd1c1446e7afcf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6d4e6a686547d40a4e00d827bb2d572f7a1f997785af50d6ecd1c1446e7afcf/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43konjugkr6ubjhabwbhxmwvol32d6mxpbnpkdlozuobirxhv7hq._file
Verdict:
malicious
Label(s):
netsupportmanagerrat
Create hunting rule
Similar samples:
36347ad88c3fd960152b88022381308c68b39dde29a1e2d471148cb01e76bb3c
NetSupport
63d71439ce3193d8dc6b3ebaaee3ddd9e2b6c81b033c96c662c0d6aa0e70f67c
NetSupport
6ed0e5411c6836ee5caa3e4b6c25c381a648a434bd9948cd135b7c6b5762d76b
NetSupport
8301d30f35705f82c85b56c51fc9f79f9071c3cb3e984b9c55aefe98b830cfc6
NetSupport
8ccff473270017f72b0910ea0404d670cc6c0ebee16977accc7cbcf137ba168b
NetSupport
b4e0ddcf69631a6f24718c6a25ef4eee2c13d56a581ec4f102e9388b39bfb041
NetSupport
error
NetSupport
fdcd9bd20ffdc9dc3df2d28e9c4420bc5042e2c3fde3005e99e7af263a869757
NetSupport
+ 921 additional samples on MalwareBazaar
Result
Malware family:
netsupport
Create hunting rule
Score:
  10/10
Tags:
family:netsupport discovery execution persistence rat
Link:
https://tria.ge/reports/250530-sdyfdscj7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
NetSupport
Netsupport family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NetSupportManager RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6d4e6a686547d40a4e00d827bb2d572f7a1f997785af50d6ecd1c1446e7afcf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:SUSP_Double_Base64_Encoded_Executable_RID34CC
Create hunting rule
Author:Florian Roth
Description:Detects an executable that has been encoded with base64 twice
Reference:https://twitter.com/TweeterCyber/status/1189073238803877889
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments