Gh0stRAT / Farfli — "WisemanSupport" Campaign
Classification: Remote Access Trojan (RAT) | Gh0stRAT variant (Farfli/Venik)
Threat Level: HIGH
Campaign ID: WisemanSupport
Report Date: 2026-03-14
Analyst: GHOST — Breakglass Intelligence
Executive Summary
A 657840-byte PE32 executable masquerading as Microsoft's wininet.dll (Internet Extensions for Win32) was submitted to VirusTotal on 2026-03-14, achieving 55/76 malicious detections. The sample is a fully functional Gh0stRAT Remote Access Trojan, variant lineage tracked as Farfli by Chinese antivirus vendors and Venik by Western engines.
The malware is protected with ASPack/HidePE anti-analysis packing, uses a multi-stage drop chain with self-deletion for stealth, and establishes dual HKCU Run key persistence. The primary C2 server is 107.163.56.251:6658 (bulletproof-hosted on Federal Online Group LLC, AS395776), backed by the campaign domain wisemansupport.com (registered June 2025 with identity-shielded WHOIS via ShieldWhois). The campaign reuses a consistent "WisemanSupport" naming motif across dropped files, registry keys, mutex strings, and C2 domain — a deliberate operator branding pattern.
What it does: Full RAT capability including reverse shell, keylogging, screen capture, drive enumeration, cookie theft, and system reconnaissance. Communicates with operator C2 on TCP/6658 using Gh0stRAT's ZLIB-compressed binary protocol.
Who's behind it: Attribution leans toward a Chinese-nexus threat actor or MaaS operator based on: (1) Farfli nomenclature originating from Chinese AV ecosystems, (2) WHOIS NOC contact "Liu Lin" on the hosting ASN, (3) use of Federal Online Group LLC — a bulletproof host with documented Chinese-linked APT tenants, and (4) MFC 4.2 library targeting consistent with historical Gh0stRAT campaigns from Chinese operators (2010s–present).
Why it matters: This sample was first seen the same day it was submitted (2026-03-14), suggesting an active deployment. The C2 infrastructure was live but unresponsive during sandbox analysis. The domain infrastructure was prepped months in advance (June 2025 registration), indicating deliberate campaign staging.
Sample Metadata
| Field | Value |
|---|---|
| SHA256 | 58802bf282ec84421a1a1d64d676cf1c5b189843dc7bb11db3e449ed16d3da30 |
| SHA1 | 30c82cac1e1b8bd7b8e75311500945d929ef95bc |
| MD5 | d9c552dc9912c63d66501ff57e134817 |
| File Name | wininet.dll (submitted as .exe) |
| File Type | PE32 executable (GUI) Intel 80386, Windows |
| File Size | 657,840 bytes (642 KB) |
| First Seen | 2026-03-14 08:37:38 UTC |
| Last Scanned | 2026-03-14 10:35:20 UTC |
| VT Detections | 55/76 malicious |
| Reported By | SamBurchmann |
| Tags (VT) | overlay, anorganix, peexe, long-sleeps, detect-debug-environment |
| SSDEEP | 6144:PQJf3uMxrbLgEN6S7KzA5x3S5+y3D82oC0UdkgxgfOqG:4J130ENL7kArI+y3XipfOR |
| TLSH | T130E422F12A64D42FE09841B2E74DE43276E0DCC278A10B3297E57A1DB3C940BFA79635 |
| Authentihash | 019d7356092dbe1eecf26e8e2bed8e5306792291c875f0b2a4264d48124aceb1 |
VirusTotal Detection Labels
| Engine | Detection |
|---|---|
| Lionic | Hacktool.Win32.Farfli.x!c |
| CAT-QuickHeal | Trojan.Ghanarava.1773473271134817 |
| CrowdStrike | win/malicious_confidence_100% |
| BitDefender | Trojan.GenericKD.77751876 |
| MicroWorld-eScan | Trojan.GenericKD.77751876 |
| ALYac | Trojan.GenericKD.77751876 |
| VIPRE | Trojan.GenericKD.77751876 |
| K7AntiVirus | Trojan (005ce0171) |
| VirIT | Trojan.Win32.Genus.YTK |
| Sangfor | Suspicious.Win32.Save.ins |
Suggested threat label: trojan.farfli/venik
Top family names (AV consensus): farfli (8), venik (5), pepatch (3)
Static Analysis
PE Header
| Field | Value |
|---|---|
| Architecture | PE32 / Intel 80386 |
| Subsystem | GUI (Windows) |
| Number of Sections | 7 |
| PE Header Offset | 0xE0 |
| Protector | ASPack 0.1 / HidePE by BGCorp (Anorganix) |
| Runtime Library | MFC 4.2 |
PE Sections
| Section | VA | Raw Offset | Raw Size | Entropy | Notes |
|---|---|---|---|---|---|
| .text | 0x1000 | 0x1000 | 16,384 | 3.93 | Low entropy stub |
| .rdata | 0x5000 | 0x5000 | 8,192 | 2.63 | Import table |
| .data | 0x7000 | 0x7000 | 4,096 | 1.40 | Initialized data |
| .rsrc | 0x8000 | 0x8000 | 581,632 | 3.91 | Huge resource section — compressed payload |
| .vr | 0x96000 | 0x96000 | 28,672 | 5.39 | ASPack decompressor |
| .adata | 0x9D000 | 0x9D000 | 4,096 | 0.00 | ASPack data marker |
| mmyma | 0x9E000 | 0x9E000 | 27 | 2.11 | Tiny executable code stub |
Key observation: The .rsrc section at 581,632 bytes (88% of total file size) is abnormally large. This section contains the compressed/encrypted Gh0stRAT payload stored as a Windows resource — a classic HidePE technique. The actual PE payload is decompressed at runtime by the ASPack decompressor in .vr.
The .adata section (all zeros, entropy 0.00) is a tombstone marker for ASPack that CAPA uses as a detection signature. Section name mmyma is a randomly-generated 5-character name used by ASPack variants to defeat static section-name detection.
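The two observations above (an oversized `.rsrc`, an all-zero section, and packer-generated section names) are cheap to check mechanically across a whole sample set. The following triage script is an added example, not part of the report or of any CAPE/CAPA tooling; it applies those heuristics to a section table. The thresholds (resource section above 50% of the file, "tiny" below 64 bytes) and the `EXPECTED_SECTIONS` list are the example's own assumptions, and the section values are copied from the table above rather than parsed from the binary.

```python
import math
from dataclasses import dataclass
from typing import Dict, List

# Section names a typical MSVC/MFC build carries (assumption for this example);
# anything outside this set is flagged for a closer look.
EXPECTED_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".tls", ".bss", ".pdata", ".CRT"}


@dataclass
class Section:
    name: str
    raw_size: int
    entropy: float  # bits per byte, 0.0 .. 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def section_from_bytes(name: str, data: bytes) -> Section:
    """Build a Section record from raw section bytes (what a PE parser would hand you)."""
    return Section(name, len(data), shannon_entropy(data))


def triage_sections(sections: List[Section], file_size: int,
                    rsrc_share_limit: float = 0.5, tiny_limit: int = 64) -> Dict[str, List[str]]:
    """Return {section_name: [reason, ...]} for every section that trips a heuristic."""
    findings: Dict[str, List[str]] = {}
    for s in sections:
        reasons = []
        # A resource section holding most of the file is where HidePE-style packers park the payload.
        if s.name == ".rsrc" and s.raw_size / file_size > rsrc_share_limit:
            reasons.append("oversized_rsrc")
        # Non-empty but all zeros: a packer marker/tombstone rather than real data.
        if s.raw_size > 0 and s.entropy == 0.0:
            reasons.append("zero_entropy")
        if s.name not in EXPECTED_SECTIONS:
            reasons.append("unknown_name")
        # A section of a few bytes is almost never produced by a normal linker.
        if 0 < s.raw_size < tiny_limit:
            reasons.append("tiny_section")
        if reasons:
            findings[s.name] = reasons
    return findings


# Section table of the analysed sample, copied from the report's PE Sections table.
SAMPLE_SECTIONS = [
    Section(".text", 16_384, 3.93), Section(".rdata", 8_192, 2.63), Section(".data", 4_096, 1.40),
    Section(".rsrc", 581_632, 3.91), Section(".vr", 28_672, 5.39), Section(".adata", 4_096, 0.00),
    Section("mmyma", 27, 2.11),
]
SAMPLE_FILE_SIZE = 657_840

if __name__ == "__main__":
    for name, reasons in triage_sections(SAMPLE_SECTIONS, SAMPLE_FILE_SIZE).items():
        print(f"{name:8s} {', '.join(reasons)}")
```

Run against the table above, `.text`, `.rdata` and `.data` pass cleanly while `.rsrc`, `.vr`, `.adata` and `mmyma` are each flagged, which is exactly the set an analyst would open first. In practice the `Section` records would come from a PE parser's section headers via `section_from_bytes`, so the entropy is computed from the real bytes rather than copied.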
Import Table (Stub — IAT Hidden by ASPack)
The visible import table is deliberately minimal. Real API imports are resolved at runtime:
| DLL | Imported Function | Purpose |
|---|---|---|
| kernel32.dll | GetModuleHandleA, GetProcAddress, LoadLibraryA | Dynamic API resolution |
| mfc42.dll | Ord(3262) | MFC runtime bootstrap |
| msvcrt.dll | _except_handler3 | Exception handler |
| user32.dll | IsIconic | Window state check |
| gdi32.dll | CreateSolidBrush | GUI context |
| ws2_32.dll | setsockopt | Network C2 communication |
| shlwapi.dll | PathFileExistsA | File existence check |
The presence of setsockopt in a stub import list is a significant indicator — it's the only network function imported, confirming TCP-based C2 even before behavioral analysis.
Fake Signature / Version Info
The binary carries fraudulent Microsoft version information designed to evade cursory inspection:
File Version: 5.50.4807.2300
Description: Internet Extensions for Win32
Original Name: wininet.dll
Product: Microsoft(R) Windows (R) 2000 Operating System
Copyright: Copyright (C) Microsoft Corp. 1981-2001
Internal Name: wininet.dll
This mimics the legitimate Windows Internet API DLL. The version (5.50, dated 2001) corresponds to Windows 2000 — deliberately outdated to avoid scrutiny on modern systems.
PE Overlay
An overlay of 10,645 bytes exists at file offset 647,195 (beyond the last PE section). The overlay contains:
- Binary header bytes: `c0 00 ce 00 08 11 ce 00 00 00 ...`
- Plaintext environment variable strings from collected victim system data: `USERNAME=Bruno`, `USERDOMAIN=DESKTOP-ET51AJO`, `TEMP=C:\Users\Bruno\AppData\Local\Temp`
- System paths, PowerShell module paths, processor identifiers
Interpretation: The overlay is a runtime-writable region where Gh0stRAT stores collected host reconnaissance data before exfiltration. Multiple victim username references (Bruno, John Doe, JohnDoe) suggest this stub was reused or tested across environments before deployment.
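The overlay content is useful forensic evidence in its own right: the `NAME=value` strings tell you which hosts and accounts the binary has already run on. The script below is an added example (not the report's tooling) that pulls those pairs out of an overlay blob the way `strings` would, keeping every distinct value seen for a name so that reuse across several test hosts, as noted above, stands out. The sample overlay bytes are constructed for the example from the values quoted in this report; the header bytes are the ten shown above and the remaining strings are illustrative.

```python
import re
from typing import Dict, List


def extract_ascii_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least `min_len` printable ASCII bytes, the same heuristic the `strings` tool uses."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


# NAME=value with an environment-variable-looking name (e.g. USERNAME, ProgramFiles(x86)).
ENV_PAIR_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_()]*)=(.*)$")


def extract_env_pairs(blob: bytes) -> Dict[str, List[str]]:
    """Collect NAME=value strings; every distinct value per name is kept in order of appearance."""
    pairs: Dict[str, List[str]] = {}
    for s in extract_ascii_strings(blob):
        m = ENV_PAIR_RE.match(s)
        if not m:
            continue  # paths, processor strings etc. without '=' are skipped here
        name, value = m.group(1), m.group(2)
        values = pairs.setdefault(name, [])
        if value not in values:
            values.append(value)
    return pairs


def host_identities(pairs: Dict[str, List[str]]) -> List[str]:
    """Usernames and domains the sample ran under; more than one suggests reuse across hosts."""
    return pairs.get("USERNAME", []) + pairs.get("USERDOMAIN", [])


# Constructed overlay: the report's header bytes followed by NUL-separated strings
# modelled on the values quoted above (PSModulePath/PROCESSOR_IDENTIFIER are illustrative).
SAMPLE_OVERLAY = (
    bytes.fromhex("c000ce000811ce000000")
    + b"USERNAME=Bruno\x00USERDOMAIN=DESKTOP-ET51AJO\x00"
    + b"TEMP=C:\\Users\\Bruno\\AppData\\Local\\Temp\x00"
    + b"PSModulePath=C:\\Users\\Bruno\\Documents\\WindowsPowerShell\\Modules\x00"
    + b"PROCESSOR_IDENTIFIER=x86 Family 6 Model 158 Stepping 10, GenuineIntel\x00"
    + b"\x7f\x03\x00"  # non-printable filler between records
    + b"USERNAME=JohnDoe\x00USERNAME=John Doe\x00"
    + b"\x00\x00"
)

if __name__ == "__main__":
    env = extract_env_pairs(SAMPLE_OVERLAY)
    for name, values in env.items():
        print(f"{name} = {values}")
    print("identities:", host_identities(env))
```

On a real sample, slice the overlay from the file at the offset the PE parser reports (here: offset 647,195, 10,645 bytes) and pass those bytes in; the extractor needs no knowledge of the packer because the strings are stored in clear.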
Packer / Protector Analysis
ASPack 2.x / HidePE by BGCorp (detected by PEiD as "ASProtect" signed by Anorganix):
- Compresses the real PE into the `.rsrc` section as a resource blob
- Decompressor stub in the `.vr` section unpacks at runtime into memory
- Uses SetUnhandledExceptionFilter anti-debugging (signature: `antidebug_setunhandledexceptionfilter`)
- Checks available physical memory for sandbox detection (`antivm_checks_available_memory`)
- Detects virtual disk environments (`antivm_generic_disk`)
- Queries keyboard layout and locale for victim targeting/VM detection
- Implements long sleep delays to defeat sandbox timeouts (`antisandbox_sleep`, `stealth_timeout`)
Unpacked payload SHA256 (extracted by CAPE Sandbox): `f22ee652808ac4c18a7ff9ae538363f1665e91f771d9280241a94fb8771654c7` (630,784 bytes)
Infection Chain / Kill Chain
[Initial Vector Unknown]
│
▼
┌─────────────────────────────────────────────────┐
│ Stage 0: wininet.dll (657,840 bytes) │
│ Masquerades as Microsoft Windows DLL │
│ Protected: ASPack/HidePE │
└────────────────────┬────────────────────────────┘
│ Drops to %TEMP%
▼
┌─────────────────────────────────────────────────┐
│ Stage 1: %TEMP%\gvzsio.exe (intermediate) │
│ Packed Gh0stRAT installer │
└────────────────────┬────────────────────────────┘
│ cmd.exe /c ping 127.0.0.1 -n 2 & gvzsio.exe
│ (anti-analysis delay via ping)
▼
┌─────────────────────────────────────────────────┐
│ Anti-Analysis: ping 127.0.0.1 -n 2 │
│ Introduces 2-second network delay │
│ Defeats time-bound sandbox environments │
└────────────────────┬────────────────────────────┘
│ Executes installer
▼
┌─────────────────────────────────────────────────┐
│ Stage 2: gvzsio.exe installs components: │
│ ├── C:\wiseman.exe (RAT main binary) │
│ ├── C:\ngmop\jtovz.tvj (loader DLL) │
│ ├── C:\ngmop\lang.ini (C2 config file) │
│ └── C:\ngmop\ReadMe.txt (decoy text) │
│ │
│ Invokes: │
│ rundll32.exe "c:\ngmop\jtovz.tvj",RAFlush \ │
│ C:\Users\...\gvzsio.exe │
│ │
│ Deletes: ljiks.exe (original), gvzsio.exe │
└────────────────────┬────────────────────────────┘
│ rundll32 loads jtovz.tvj
▼
┌─────────────────────────────────────────────────┐
│ Stage 3: jtovz.tvj (DLL, .tvj extension) │
│ Loaded via rundll32, export: RAFlush │
│ Sets persistence registry keys │
│ Spawns C:\wiseman.exe │
└────────────────────┬────────────────────────────┘
│ CreateProcess
▼
┌─────────────────────────────────────────────────┐
│ Stage 4: wiseman.exe (Gh0stRAT payload) │
│ Reads config from C:\ngmop\lang.ini │
│ Connects to: api.wisemansupport.com │
│ / 107.163.56.251:6658 │
│ Writes to: \Device\Netbios, \Device\RasAcd │
│ Full RAT capabilities active │
└─────────────────────────────────────────────────┘
PERSISTENCE (Two-vector):
HKCU\Run\EvtMgr = rundll32.exe "c:\ngmop\jtovz.tvj",RAFlush
HKCU\Run\Wiseman = C:\wiseman.exe
Behavioral Analysis
Execution Behaviors (CAPE Sandbox)
Anti-Analysis:
- Checks available physical memory (below threshold → abort, T1082)
- Queries keyboard layout and Windows locale via registry (`HKLM\SYSTEM\CurrentControlSet\Control\Nls\Locale`) to detect VMs
- Uses a `SetUnhandledExceptionFilter` anti-debugging hook
- Enumerates physical drives to detect virtual disk signatures (T1014)
- Long sleep delays defeat time-limited sandboxes (T1071)
- `ping 127.0.0.1 -n 2` creates network activity to delay sandbox timing
Stealth / Evasion:
- Creates hidden windows (`ShowWindow(SW_HIDE)`) (T1564.003)
- Deletes original executable and intermediate dropper after installation (T1070)
- DLL disguised with non-standard extension `.tvj`, bypassing extension-based AV scanning (T1027)
- Loads MFC42LOC.DLL from the `sysnative` path, bypassing 32/64-bit filesystem redirection
- Spawns processes in suspended state for code injection (T1055)
Persistence:
- `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr` = `c:\windows\SysWOW64\rundll32.exe "c:\ngmop\jtovz.tvj",RAFlush` (T1547.001)
- `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wiseman` = `C:\wiseman.exe` (T1547.001)
Reconnaissance / Collection:
- Enumerates all running processes (T1057)
- Enumerates physical drives (T1082)
- Collects system environment variables (USERNAME, COMPUTERNAME, PATH, etc.)
- Accesses Internet Cookie store (`%APPDATA%\Microsoft\Windows\INetCookies\`) (T1539)
- Records keyboard layout and locale (T1082)
Network C2:
- DNS resolution: `api.wisemansupport.com` (returned NXDOMAIN during analysis)
- Hardcoded IP: `107.163.56.251:6658` (C2 offline during sandbox run, reported as "dead_connect")
- Gh0stRAT protocol: custom binary over TCP, ZLIB-compressed heartbeat/command packets
- Multiple User-Agent strings used across HTTP requests (T1071)
- C2 connection identified via mutex: `M107.163.56.251:6658`
Files Accessed:
- `C:\ngmop\lang.ini`: Gh0stRAT config file (C2 address, port, campaign ID)
- `C:\ngmop\ReadMe.txt`: possible decoy file to appear legitimate
- `C:\ngmop\jtovz.tvj`: loader DLL
- `\Device\Netbios`: NetBIOS device enumeration
- `\Device\RasAcd`: RAS connection device
Network Indicators
Primary C2
| Indicator | Value |
|---|---|
| IP | 107.163.56.251 |
| Port | 6658 (TCP) |
| Protocol | Gh0stRAT binary (ZLIB-compressed) |
| Domain | api.wisemansupport.com (NXDOMAIN at time of analysis) |
| ASN | AS395776 — FEDERAL ONLINE GROUP LLC |
| Country | US (Westlake Village, CA — bulletproof hosting) |
| VT Reputation | -12 (malicious) |
| VT Detections | 6/94 |
Domain Infrastructure
| Field | Value |
|---|---|
| Domain | wisemansupport.com |
| Registered | 2025-06-14 (9 months before sample submission) |
| Expires | 2027-06-14 |
| Registrar | namesrs.com |
| Registrant Email | af9e5c293659ffd2s@shieldwhois.com (privacy-shielded) |
| Registrant Country | Sweden (anonymized via ShieldWhois) |
| Name Servers | ns1/ns2.dns-parking.com |
| Current A Record | 34.120.137.41 (Google Cloud / Hostinger 404 page) |
| Current IPv6 | 2600:1901:0:84ef:: |
| MX Records | mx1/mx2.hostinger.com |
| HTTPS Cert | Let's Encrypt E8, valid 2026-02-09 to 2026-05-10 |
| Subdomains seen | api.wisemansupport.com, www.wisemansupport.com |
OPSEC Note: The current DNS for wisemansupport.com points to a Hostinger-hosted Google Cloud IP that returns a 404 — the operator has migrated the domain away from the active C2 or it's parked waiting for future use. The actual C2 (107.163.56.251) was hardcoded by IP in the binary, making the domain resolution a backup/secondary lookup.
C2 Host Intelligence
Federal Online Group LLC (AS395776):
- IP Range: 107.163.0.0/16
- NOC Contact: "Liu Lin" (`abuse@foaaa.com`)
- NOC Alternate: `my10000000@gmail.com` (highly informal; an indicator of a low-accountability host)
- ARIN Registration: 2013-12-23
- Last Updated: 2026-02-23 (recently updated; active relationship)
- This ASN has a documented history of hosting Chinese threat actor C2 infrastructure
MITRE ATT&CK Mapping
| Technique ID | Tactic | Description |
|---|---|---|
| T1027 | Defense Evasion | Obfuscated Files — Unknown PE section names |
| T1027.002 | Defense Evasion | Software Packing — ASPack/HidePE protector |
| T1014 | Defense Evasion | Rootkit — Physical drive enumeration |
| T1055 | Defense Evasion | Process Injection — Suspended process creation |
| T1070 | Defense Evasion | Indicator Removal — Deletes executed files |
| T1082 | Discovery | System Information — Memory, locale, CPU checks |
| T1057 | Discovery | Process Discovery — Enumerate running processes |
| T1129 | Execution | Shared Modules — Dynamic library loading |
| T1112 | Defense Evasion | Modify Registry — Autorun persistence keys |
| T1202 | Defense Evasion | Indirect Command Execution — cmd.exe / rundll32 |
| T1539 | Credential Access | Cookie Theft — INetCookies access |
| T1542 | Persistence | Pre-OS Boot — Drive enumeration |
| T1547.001 | Persistence | Registry Run Keys / Startup Folder |
| T1564 | Defense Evasion | Hide Artifacts — Hidden window |
| T1564.003 | Defense Evasion | Hidden Window — SW_HIDE creation |
| T1071 | Command & Control | Application Layer Protocol — Custom RAT protocol |
IOC Tables
File Hashes
| Type | Hash |
|---|---|
| SHA256 | 58802bf282ec84421a1a1d64d676cf1c5b189843dc7bb11db3e449ed16d3da30 |
| SHA1 | 30c82cac1e1b8bd7b8e75311500945d929ef95bc |
| MD5 | d9c552dc9912c63d66501ff57e134817 |
| SSDEEP | 6144:PQJf3uMxrbLgEN6S7KzA5x3S5+y3D82oC0UdkgxgfOqG:4J130ENL7kArI+y3XipfOR |
| Unpacked PE SHA256 | f22ee652808ac4c18a7ff9ae538363f1665e91f771d9280241a94fb8771654c7 |
Network IOCs
| Type | Value | Notes |
|---|---|---|
| IP | 107.163.56.251 | C2 IP (hardcoded) |
| Port | 6658/tcp | Gh0stRAT C2 port |
| Domain | api.wisemansupport.com | C2 FQDN (NXDOMAIN) |
| Domain | wisemansupport.com | Campaign domain |
| IP | 34.120.137.41 | Current domain IP (GCP/Hostinger) |
Mutex Strings
| Mutex | Meaning |
|---|---|
| M107.163.56.251:6658 | Gh0stRAT standard mutex (encodes C2 IP:port) |
| 107.163.56.251:6658 | Variant mutex (without prefix) |
| WisemanSupport_rcm | Campaign-specific run-once mutex |
Registry Keys
| Key | Value |
|---|---|
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr | c:\windows\SysWOW64\rundll32.exe "c:\ngmop\jtovz.tvj",RAFlush |
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wiseman | C:\wiseman.exe |
Files and Paths
| Path | Description |
|---|---|
| C:\wiseman.exe | Main Gh0stRAT payload (dropped) |
| C:\ngmop\jtovz.tvj | Loader DLL (rundll32 target, export: RAFlush) |
| C:\ngmop\lang.ini | Gh0stRAT configuration file (C2 address, port, campaign ID) |
| C:\ngmop\ReadMe.txt | Decoy file |
| C:\1.txt | Created by installer (purpose unknown) |
| C:\stov.exe | Secondary implant reference (checked for existence) |
| %TEMP%\gvzsio.exe | Intermediate dropper (self-deleted) |
Sigma Rule Matches
| Rule | Category |
|---|---|
| CurrentVersion Autorun Keys Modification | Persistence |
| Rundll32 Execution With Uncommon DLL Extension | Defense Evasion |
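The two Sigma matches above, plus the `ping`-based delay in the infection chain, are the kind of behaviours worth checking in process-creation and registry telemetry even when the file hashes differ. The script below is an added example, not the report's tooling and not the SigmaHQ rule text: it re-implements the logic of those detections in a simplified form over a constructed list of events shaped like EDR/Sysmon records. The event dictionary fields (`type`, `image`, `command_line`, `key`, `value`) and the `COMMON_RUNDLL_EXTS` allow-list are the example's own assumptions; the command lines and registry values are the ones documented in this report.

```python
import ntpath
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]

# Extensions rundll32 legitimately loads (assumption for this example); anything else is suspicious.
COMMON_RUNDLL_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv", ".scr"}

# rundll32[.exe] "<path>",Export  or  rundll32[.exe] <path>,Export
RUNDLL_TARGET_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,', re.IGNORECASE)
# Any value written under ...\CurrentVersion\Run or RunOnce
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# "ping 127.0.0.1 -n N & something.exe": a sleep-by-ping chained into an executable
PING_DELAY_RE = re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*\S+\.exe", re.IGNORECASE)


def rundll32_uncommon_extension(ev: Event) -> Optional[str]:
    """Sigma-style: rundll32 asked to load a module whose extension is not a normal DLL extension."""
    if ev.get("type") != "process_create" or not ev["image"].lower().endswith("rundll32.exe"):
        return None
    m = RUNDLL_TARGET_RE.search(ev["command_line"])
    if not m:
        return None
    ext = ntpath.splitext(m.group(1).strip())[1].lower()  # ntpath handles Windows paths on any host
    return "rundll32_uncommon_extension" if ext not in COMMON_RUNDLL_EXTS else None


def run_key_persistence(ev: Event) -> Optional[str]:
    """Sigma-style: a value set under a CurrentVersion\\Run autorun key."""
    if ev.get("type") != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return None
    return "run_key_persistence"


def ping_delay_chain(ev: Event) -> Optional[str]:
    """cmd.exe using a loopback ping as a timer before launching an executable."""
    if ev.get("type") != "process_create" or not ev["image"].lower().endswith("cmd.exe"):
        return None
    return "ping_delay_chain" if PING_DELAY_RE.search(ev["command_line"]) else None


RULES: List[Callable[[Event], Optional[str]]] = [ping_delay_chain, rundll32_uncommon_extension, run_key_persistence]


def run_detections(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every event that triggers a rule."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, i))
    return hits


# Constructed telemetry mirroring the chain described in this report, plus two benign records.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c ping 127.0.0.1 -n 2 & gvzsio.exe"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "command_line": r'rundll32.exe "c:\ngmop\jtovz.tvj",RAFlush C:\Users\Bruno\AppData\Local\Temp\gvzsio.exe'},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign: ordinary .dll
    {"type": "registry_set", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr",
     "value": r'c:\windows\SysWOW64\rundll32.exe "c:\ngmop\jtovz.tvj",RAFlush'},
    {"type": "registry_set", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wiseman",
     "value": r"C:\wiseman.exe"},
    {"type": "registry_set", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "value": "1"},  # benign: unrelated registry write
]

if __name__ == "__main__":
    for rule, idx in run_detections(SAMPLE_EVENTS):
        print(f"[{rule}] event {idx}: {SAMPLE_EVENTS[idx]}")
```

Of the six constructed events, the two benign ones (the `shell32.dll` rundll32 call and the Explorer setting) stay silent; the `.tvj` load, both Run-key writes and the ping chain are reported. The rundll32 rule keys on the extension of the first argument, so it also catches the same loader renamed to any other non-DLL extension.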
Campaign Context
"WisemanSupport" Naming Pattern
The operator has applied a deliberate campaign branding across all components:
| Artifact | "Wiseman" Reference |
|---|---|
| Dropped binary | C:\wiseman.exe |
| Registry key | HKCU\Run\Wiseman |
| Campaign mutex | WisemanSupport_rcm |
| C2 domain | wisemansupport.com |
| C2 FQDN | api.wisemansupport.com |
This level of consistent naming across file system, registry, network, and mutex suggests either an operator with high operational familiarity (reuses known tooling) or a distributed team with a fixed campaign template.
Related Samples (Same C2 Infrastructure)
Files communicating with 107.163.56.251 on VirusTotal show a large cluster of Gh0stRAT variants masquerading as Windows DLLs, all with high detection rates (58–65/76+):
| File Name | SHA256 (prefix) | Classification | Detections |
|---|---|---|---|
| DXTRANS.DLL | 0000353b71b5cc56 | trojan.dacic/farfli | 59/76 |
| PNGFILT.DLL | 0000ba40684fd593 | trojan.dacic/palevo | 58/77 |
| SHLWAPI.DLL | 000186598c47c6cd | trojan.farfli/jaik | 59/76 |
| MSHTMLER.DLL | 000393ab2b2e0f02 | trojan.fragtor/farfli | 53/75 |
| TeamViewer_Resource.dll | 0003ab970289dac2 | trojan.farfli/palevo | 61/76 |
| wininet.dll | 00998e73a59b50ee | trojan.fragtor/venik | 60/76 |
| ERRLOOK.EXE | 0071a9cab9df54b2 | trojan.palevo/farfli | 65/76 |
This represents a systematic campaign where the operator deploys Gh0stRAT across multiple victims, using different DLL names as disguise but sharing the same C2 infrastructure.
Infrastructure Timeline
| Date | Event |
|---|---|
| 2025-06-14 | wisemansupport.com registered (namesrs.com) |
| 2026-02-09 | Let's Encrypt cert issued for wisemansupport.com |
| 2026-02-10 | Let's Encrypt cert issued for www.wisemansupport.com |
| 2026-02-23 | Federal Online Group LLC ARIN record updated |
| 2026-03-14 | Sample first submitted to VirusTotal (08:37:38 UTC) |
| 2026-03-14 | C2 (107.163.56.251:6658) unreachable during sandbox |
| 2026-03-14 | api.wisemansupport.com returns NXDOMAIN |
Attribution Assessment
Threat Actor: Unknown Chinese-nexus operator or MaaS (Malware-as-a-Service) customer
Confidence: MEDIUM
Supporting evidence:
- Farfli family designation — "Farfli" is a Chinese antivirus (360, Kingsoft) naming convention for Gh0stRAT variants. The family name originates from Chinese threat researcher parlance.
- Gh0stRAT lineage — Gh0stRAT is a Chinese-developed RAT first publicly released ~2008 by C. Rufus Security Team (a Chinese hacking group). While its source code is public, the primary user base remains Chinese-nexus actors.
- Hosting provider — Federal Online Group LLC (AS395776) is a bulletproof hosting provider with Chinese-linked technical contacts ("Liu Lin," `abuse@foaaa.com`). The informal Gmail address (`my10000000@gmail.com`) suggests low accountability.
- Domain registration pattern — Registered 9 months before sample deployment, using full WHOIS privacy (ShieldWhois). This level of pre-staging is characteristic of planned campaigns, not opportunistic attacks.
- MFC 4.2 dependency — Historic Gh0stRAT builds from Chinese operators consistently target the MFC 4.2 runtime for compatibility with older Windows targets (XP/2003/2008 era). This version choice narrows the likely target environment.
- Campaign naming convention — "WisemanSupport" as a campaign name suggests either English-capable operators or use of a translation tool. The branding is more sophisticated than typical Chinese APT campaigns but less refined than Western actors.
Alternative hypothesis: This could be a Gh0stRAT MaaS offering where a Chinese developer sells access to an operator in another region. The "Sweden" WHOIS registrant (anonymized) could indicate an Eastern European or other non-Chinese customer.
Infrastructure Map
OPERATOR
│
│ controls
▼
[107.163.56.251:6658]──────────────────── Primary C2
│ Federal Online Group LLC
│ hosted by AS395776, Westlake Village CA
│
[AS395776: FEDERAL ONLINE GROUP LLC] "Bulletproof" hosting
NOC: Liu Lin (abuse@foaaa.com) Chinese-linked contacts
Range: 107.163.0.0/16
│ registered to support
▼
[wisemansupport.com]──────────────────── Campaign Domain
Registered: 2025-06-14 namesrs.com registrar
WHOIS: ShieldWhois (Sweden) Identity hidden
│
├── [api.wisemansupport.com] C2 FQDN (NXDOMAIN)
│ DNS resolved by sample Primary lookup target
│
└── [34.120.137.41] Current DNS resolution
Google Cloud / Hostinger Domain now parked/redirected
404 page returned C2 likely migrated to hardcoded IP
MALWARE COMPONENTS:
wininet.dll ──drop──> %TEMP%\gvzsio.exe
└──drop──> C:\wiseman.exe (RAT)
└──drop──> C:\ngmop\jtovz.tvj (Loader DLL)
└──create─> C:\ngmop\lang.ini (Config)
└──persist─> HKCU\Run\EvtMgr
└──persist─> HKCU\Run\Wiseman
Recommendations
- Block at perimeter: `107.163.56.251` (all ports), `107.163.56.0/24`
- DNS sinkhole: `wisemansupport.com`, `api.wisemansupport.com`, `www.wisemansupport.com`
- Hunt on endpoints:
  - File paths: `C:\wiseman.exe`, `C:\ngmop\*`, `%TEMP%\gvzsio.exe`
  - Registry: `HKCU\Run\EvtMgr`, `HKCU\Run\Wiseman`
  - Mutex: `WisemanSupport_rcm`, `M107.163.56.251:6658`
- Network detection: Alert on TCP/6658 outbound to 107.163.56.0/24
- Hunt for rundll32 loading `.tvj` files (Sigma rule already triggered)
- Hunt for ASPack-protected binaries masquerading as Windows DLL names
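The network, DNS and mutex indicators above can be swept in one pass over existing telemetry. The script below is an added example rather than the report's own tooling: it loads the C2 IP, the /24, the port, the sinkhole domain and the campaign mutex from this report, matches them against a constructed list of netflow, DNS and mutex records, and additionally decodes the Gh0stRAT mutex convention (`M<ip>:<port>`, prefix optional, as described in the Mutex Strings table) so that a mutex pointing at an IP not yet on the block list surfaces as a lead. The record layout (`type`, `dst_ip`, `dst_port`, `query`, `name`) and the reason labels are the example's assumptions; the `203.0.113.7` address is a constructed TEST-NET value, not an indicator from the report.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Indicators taken from this report.
C2_IPS = {ipaddress.ip_address("107.163.56.251")}
C2_NETWORKS = [ipaddress.ip_network("107.163.56.0/24")]
C2_PORT = 6658
SINKHOLE_DOMAINS = {"wisemansupport.com"}       # api./www. are caught by suffix matching
CAMPAIGN_MUTEXES = {"WisemanSupport_rcm"}

# Gh0stRAT-style mutex: optional "M" prefix, then the C2 socket the implant talks to.
GHOST_MUTEX_RE = re.compile(r"^M?(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def decode_ghost_mutex(name: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) if the mutex name follows the Gh0stRAT convention, else None."""
    m = GHOST_MUTEX_RE.match(name)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))   # rejects octets above 255
    except ValueError:
        return None
    port = int(m.group(2))
    return (str(ip), port) if port <= 65535 else None


def domain_matches(fqdn: str, domains: set) -> bool:
    """True when fqdn is one of the domains or a subdomain of one."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in domains)


def ip_is_c2(ip: IPAddr) -> bool:
    return ip in C2_IPS or any(ip in net for net in C2_NETWORKS)


def sweep(records: List[Dict]) -> List[Tuple[int, str]]:
    """Return (record_index, reason) for every record that touches a known or inferred indicator."""
    hits = []
    for i, rec in enumerate(records):
        if rec["type"] == "netflow":
            dst = ipaddress.ip_address(rec["dst_ip"])
            if ip_is_c2(dst):
                reason = "c2_ip" if dst in C2_IPS else "c2_network"
                if rec["dst_port"] == C2_PORT:
                    reason += "+c2_port"
                hits.append((i, reason))
        elif rec["type"] == "dns":
            if domain_matches(rec["query"], SINKHOLE_DOMAINS):
                hits.append((i, "c2_domain"))
        elif rec["type"] == "mutex":
            decoded = decode_ghost_mutex(rec["name"])
            if decoded:
                # A Gh0stRAT mutex naming an unlisted address is a new C2 candidate, not noise.
                known = ip_is_c2(ipaddress.ip_address(decoded[0]))
                hits.append((i, "ghost_mutex" if known else "ghost_mutex_new_c2"))
            elif rec["name"] in CAMPAIGN_MUTEXES:
                hits.append((i, "campaign_mutex"))
    return hits


# Constructed telemetry: report indicators interleaved with benign traffic and one unknown C2.
SAMPLE_TELEMETRY: List[Dict] = [
    {"type": "netflow", "dst_ip": "107.163.56.251", "dst_port": 6658},
    {"type": "netflow", "dst_ip": "107.163.56.17", "dst_port": 443},
    {"type": "netflow", "dst_ip": "8.8.8.8", "dst_port": 53},
    {"type": "dns", "query": "api.wisemansupport.com"},
    {"type": "dns", "query": "www.hostinger.com"},
    {"type": "mutex", "name": "M107.163.56.251:6658"},
    {"type": "mutex", "name": "WisemanSupport_rcm"},
    {"type": "mutex", "name": r"Global\SomeBenignMutex"},
    {"type": "mutex", "name": "M203.0.113.7:6658"},   # constructed TEST-NET address
]

if __name__ == "__main__":
    for idx, reason in sweep(SAMPLE_TELEMETRY):
        print(f"{reason:22s} {SAMPLE_TELEMETRY[idx]}")
```

The `ghost_mutex_new_c2` result is the one worth acting on beyond the listed IOCs: because the mutex encodes the C2 socket, an endpoint holding a mutex of that shape for an address outside the block list has found you a second server to investigate and, once confirmed, to add to the perimeter block and the sweep.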