Extracted

• • Target

    c2c6e13f08cd8b5bf721576ca1372b72cdf0c33d8aafac2e529f3aa3c73a6a80

  • Size

    3.2MB

  • MD5

    c3e6ed24af33b5ea3f971939749cb6a1

  • SHA1

    b0f6eb6d427ca251790dc74d2f82d6943d0376a0

  • SHA256

    c2c6e13f08cd8b5bf721576ca1372b72cdf0c33d8aafac2e529f3aa3c73a6a80

  • SHA512

    79eff14ee676eb2f3d0f6274ed246177a2015c6beff2b6924bf48914ef022b83ccaa8cc0804da77d714615aed7aeb869ae3b35b21cc76f73ed4e7cb3df7d5a54

  • SSDEEP

    98304:kr9uY//nZ+dvt9bOqDzKHVBEu4SsJnFQyluV3knhfq6pO:o9//Z+dv/OM21CrSrVYq6pO

  Score

  10^/10

  netsupportredline2discoveryexecutioninfostealerpersistencerat

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport

  • Netsupport family

    netsupport

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Powershell Invoke Web Request.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Registers new Windows logon scripts automatically executed at logon.

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1behavioral2

• • Target

    $PLUGINSDIR/7OUH1A.dll

  • Size

    6KB

  • MD5

    293165db1e46070410b4209519e67494

  • SHA1

    777b96a4f74b6c34d43a4e7c7e656757d1c97f01

  • SHA256

    49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

  • SHA512

    97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

  • SSDEEP

    96:4BNbUVOFvfcxEAxxxJzxLp+eELeoMEskzYzeHd0+uoyVeNSsX4:EUVOFvf9ABJFHE+FkEad0PLVeN

  Score

  3^/10

  discovery
  behavioral3behavioral4

• • Target

    $TEMP/Ordurous.exe

  • Size

    537KB

  • MD5

    caf008515453f4d6a222c966356831eb

  • SHA1

    0496a3587fc272e8b7ebecd91aac4a10800be5c0

  • SHA256

    4b6b0a34ad73552d204aaeef9cbd0fb6dfef1029e6edec1a1788de872f4a306b

  • SHA512

    34ab48b4799d05b757a7620f15a4124edd8fe1820ba5da410d6fdded021346cb5e26dace3c760b8635071221ee8ff5d25db896f1c14e77b38233f8200afc9ae9

  • SSDEEP

    12288:ejxd4go0QkA+RJZOUA24F3CUaHgn/n3b5Y/pRESOToA:ezwkAuLrTUR/tY/pOSOTo

  Score

  10^/10

  redline2discoveryinfostealer

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Redline family

    redline

  • Suspicious use of SetThreadContext

  behavioral5behavioral6

• • Target

    $TEMP/eng.exe

  • Size

    2.5MB

  • MD5

    e8ba3cd3e42a1fcab093ff7a6deb796b

  • SHA1

    f0da57a878afcf71fdbf26042f33821fbd139d6c

  • SHA256

    ed8692011421fdd2560ade9a0812c1ec0f11e48e8781ba0c9fd11d4f169d0c32

  • SHA512

    ab43521b7ea1b766405bdb65af97152281dc76063e6aba3c18fbd9ce2c70e48d4c31441a391a1ad9f6e86160d2caa7af7256c8a3dbf7ae0348822ac892ef5c7d

  • SSDEEP

    49152:qeRvnwK61a7hg/WdK+pgqx8HFF6iKabwS6zbv6rijnw3MAmkphUKO+q27XoS:qeRvnJ61a9guhV6HFF6UwSM6rirwGkph

  Score

  10^/10

  netsupportdiscoverypersistencerat

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport

  • Netsupport family

    netsupport

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Registers new Windows logon scripts automatically executed at logon.

    persistence
  behavioral7behavioral8