ANYRUN Obfuscated BAT Dropper Delivers Net Support RAT Post
Query
// ANY.RUN Obfuscated BAT Dropper Delivers NetSupport RAT post
// https://www.linkedin.com/posts/any-run_obfuscated-virustotal-powershell-activity-7336393368698028034-cayg/
let QueryLookup = 1h;
let ObfuscatedBAT =
DeviceProcessEvents
| where Timestamp > ago(QueryLookup)
| where InitiatingProcessFileName =~ "cmd.exe" and
InitiatingProcessCommandLine has ".bat"
| where FileName =~ "powershell.exe" and
ProcessCommandLine has "-WindowsStyle Hidden" and
ProcessCommandLine has "Invoke-WebRequest"
| distinct DeviceName;
DeviceRegistryEvents
| where Timestamp > ago(QueryLookup)
| where ActionType == "RegistryValueSet"
| where RegistryKey has "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
| where RegistryValueData has "client32.exe"
| where DeviceName has_any(ObfuscatedBAT)Explanation
This query is designed to detect a specific type of malicious activity on devices within the last hour. Here's a simplified breakdown of what it does:
-
Identify Suspicious Processes:
- It looks for processes initiated by "cmd.exe" that involve a batch file (".bat").
- It further filters these processes to find instances where "powershell.exe" is used with specific command line arguments:
- "-WindowsStyle Hidden" (indicating the process runs without a visible window).
- "Invoke-WebRequest" (suggesting a network request is made, often used in downloading or executing scripts).
-
Track Registry Changes:
- It checks for registry changes within the same time frame, specifically looking for modifications in the registry key path associated with programs that run at startup.
- It searches for entries where "client32.exe" is set to run at startup, which could indicate persistence mechanisms of malware.
-
Cross-Reference Devices:
- The query cross-references devices identified in the first step (running the suspicious batch and PowerShell commands) with those making the registry changes.
Overall, this query aims to detect devices that might be compromised by an obfuscated batch script that downloads and potentially installs a remote access tool (RAT) like NetSupport, by observing both process execution patterns and registry modifications.
Details

Steven Lim
Released: June 6, 2025
Tables
DeviceProcessEventsDeviceRegistryEvents
Keywords
DeviceProcessEventsRegistryTimestampInitiatingFileNameCommandLineActionTypeKeyValueData
Operators
let=>ago()=~andhasdistinct==has_any()