netsupport

General

Target

d4359d5d0bbe9828a1340fb1d8537a74
Size

6.7MB
Sample

210825-b52wfpj8qe
MD5

d4359d5d0bbe9828a1340fb1d8537a74
SHA1

5c8805bd3c08d9866748ac033d9e0497bb84761c
SHA256

57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5
SHA512

3ea8565784f17f44f1236d4176146e335e409f84514fff3c8d3a0099d8e7fe02dde340319e910b04296010df5e050835aa68bb62b40c1d18cd2c985ab23c2751

Score

10^/10

netsupport redline vidar 3 allsup discovery infostealer rat stealer suricata

Malware Config

Extracted

Family

redline

Botnet

3

C2

deyrolorme.xyz:80

xariebelal.xyz:80

anihelardd.xyz:80

Extracted

Family

redline

Botnet

allsup

C2

188.124.36.242:25802

Targets

- Target
  
  d4359d5d0bbe9828a1340fb1d8537a74
- Size
  
  6.7MB
- MD5
  
  d4359d5d0bbe9828a1340fb1d8537a74
- SHA1
  
  5c8805bd3c08d9866748ac033d9e0497bb84761c
- SHA256
  
  57e2f9ee6aaad4097ac2b1151fe1cf9546c8fbc470670b73c8039285f4fd4db5
- SHA512
  
  3ea8565784f17f44f1236d4176146e335e409f84514fff3c8d3a0099d8e7fe02dde340319e910b04296010df5e050835aa68bb62b40c1d18cd2c985ab23c2751
Score

10^/10

redline vidar 3 allsup discovery infostealer stealer suricata netsupport rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

RedLine

RedLine Payload

Vidar

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Vidar Stealer

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2