netsupport

General

Target

58f5dca5_ao7RvibCDp
Size

381KB
Sample

210823-w4mpmgzp3n
MD5

58f5dca577a49a38ea439b3dc7b5f8d6
SHA1

175dc7a597935b1afeb8705bd3d7a556649b06cf
SHA256

857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98
SHA512

3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

40.1

Botnet

916

C2

https://eduarroma.tumblr.com/

Attributes

profile_id
916

Extracted

Family

redline

Botnet

allsup

C2

188.124.36.242:25802

Extracted

Family

redline

Botnet

3

C2

deyrolorme.xyz:80

xariebelal.xyz:80

anihelardd.xyz:80

Targets

- Target
  
  58f5dca5_ao7RvibCDp
- Size
  
  381KB
- MD5
  
  58f5dca577a49a38ea439b3dc7b5f8d6
- SHA1
  
  175dc7a597935b1afeb8705bd3d7a556649b06cf
- SHA256
  
  857dd46102aea53f0cb7934b96410ebbc3e7988d38dcafdc8c0988f436533b98
- SHA512
  
  3c75c0cbbbc14bd25b4feb141fd1595ce02469da50432fb48400eb089d6150fe87831ccc775d921eeec697af7aad33a35fadcfd2ec775aeee1ce34355af7338a
Score

10^/10

redline socelars vidar 3 916 allsup discovery infostealer stealer suricata netsupport evasion rat spyware themida trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2