Extracted

Extracted

• • Target

    Setup_Installer_1.3.6_x64.exe

  • Size

    49.3MB

  • MD5

    29fa71fab96724091fdf7a66dca09c67

  • SHA1

    15fcb631fa6cc825639cd4e15d37d844faac6fdd

  • SHA256

    882759dd0f306ab06f597c2db3011e82eff5bb7515de5d28a20b6913fe7f5626

  • SHA512

    12acf8548f03d230b28d7b5c1eb9009e2ebd7abb06f781c38c15f0d04bae32aded9e692ade4541c2b89e27398de4da853a2a00e94637fea67db4174f710d8a04

  • SSDEEP

    1572864:NwfwuNI9XY9hQtPkGKTD85uMWW7z0PbYF:NCu9oAdETgu3f8F

  Score

  10^/10

  netsupportvidar721d3f29688b3d8f568f99a7d2115582credential_accessdiscoveryexecutionpersistenceratspywarestealer

  • Detect Vidar Stealer

    stealer

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport

  • Netsupport family

    netsupport

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar family

    vidar

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Uses browser remote debugging

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1