Pulse: Unveiling EncryptHub: Analysis of a multi-stage malware campaign
TLP: WHITE | Adversary: Larva-208 | Author: AlienVault | Created: 2025-04-07 | Modified: 2025-05-07
Indicators: 91 (high volume)
EncryptHub, an emerging cybercriminal group, has been running multi-stage malware campaigns that rely on trojanized applications and third-party distribution services for delivery. Its tradecraft centres on PowerShell scripts for system data gathering, information exfiltration and payload deployment. The actor triages stolen credentials by cryptocurrency ownership and by affiliation with corporate networks. EncryptHub is also developing its own remote access tool, 'EncryptRAT', which it plans to distribute in future. The kill chain, which is still evolving, moves through initial execution, data exfiltration, system information collection and, finally, deployment of the Rhadamanthys stealer. Despite operational security mistakes, EncryptHub continues to refine its tactics, and defenders should treat the indicators below as an active, changing set rather than a closed list.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed in this pulse
Malware families: Kematian Stealer, Rhadamanthys, EncryptRAT
Indicators of Compromise (91)
Types present: domain, FileHash-MD5, FileHash-SHA1, FileHash-SHA256, URL
TYPE INDICATOR CREATED (no entry carries a description)
domain global-protect.us 2025-04-07
FileHash-MD5 011827ebdf113755102a47987b718587 2025-04-07
FileHash-MD5 24319498575aa15c9eef7a058e19eb97 2025-04-07
FileHash-MD5 46eae0ac01ddb2b25e366045a166f84a 2025-04-07
FileHash-MD5 5108c8cc2686bf849b48b95f71dd56e1 2025-04-07
FileHash-MD5 5488c867b16fa0ff44dc975caf8e5f8e 2025-04-07
FileHash-MD5 5ceea10d336ad0dec20eeb69758518f1 2025-04-07
FileHash-MD5 6246067a1c9a7c1359ad63476ce0dcbe 2025-04-07
FileHash-MD5 6522aad0b04cb58ab8cf30b3a8578fb1 2025-04-07
FileHash-MD5 6b1f16b8e366208a23f3eb966bd42d08 2025-04-07
FileHash-MD5 77a7b069a79ae06719db44dc3bdebb86 2025-04-07
FileHash-MD5 87792cf4bd370f483a293a23c4247c50 2025-04-07
FileHash-MD5 abaa46bc704842d6cc6f494c21546ae6 2025-04-07
FileHash-MD5 cf0514b56f6498161a3af8737d6a5cbb 2025-04-07
FileHash-MD5 e2d005af8f840f371ab2cef870dacbcf 2025-04-07
FileHash-MD5 e59a025f9310d266190b91f5330fde8d 2025-04-07
FileHash-SHA1 08bbfd2ceb2d0272f19547f060a8b6d2ce34c8eb 2025-04-07
FileHash-SHA1 1d99d7ab6334e175148a14d724e692062f9e53ff 2025-04-07
FileHash-SHA1 32aa32baa3af74c1710764fca0e5214abbeec455 2025-04-07
FileHash-SHA1 42146e9dd1bdc415b1d9b4e036812d2ecc41e70e 2025-04-07
FileHash-SHA1 46d79522034154848935839619d622cb56297bc3 2025-04-07
FileHash-SHA1 508023b2dc96336d0f74a645817da52866b6a20f 2025-04-07
FileHash-SHA1 87c46845f57dc9ca8136b730c08b5b5916ca0ad3 2025-04-07
FileHash-SHA1 8ac8d9d390c387e8834144ca5390397db97c87b9 2025-04-07
FileHash-SHA1 a0ca753f0845b420e3f25e200b81d9936e731875 2025-04-07
FileHash-SHA1 a225bee48074feac53c7cb2f3929a41f7b4a71d3 2025-04-07
FileHash-SHA1 b0d24a6fa1af41c50e0fe11cbd266894eb45522c 2025-04-07
FileHash-SHA1 c1bd7bc905fee7f749329fbd70fd8fd37319b300 2025-04-07
FileHash-SHA1 cb9f67daff6a58a28f588d49643a0fdeb6f23bec 2025-04-07
FileHash-SHA1 d4ece3957927d4440a43a00a7c0d30ea21238809 2025-04-07
FileHash-SHA1 d8d946a6df1649972694312e299aeff3cf2afb9b 2025-04-07
FileHash-SHA1 ef5a33d30c00d1a0af0ec860146c31ff0f9bd6b6 2025-04-07
FileHash-SHA1 ffb72adff6e099a9deb418c5d40abd8cf9b12c42 2025-04-07
FileHash-SHA256 06628b0447c94dd270ecaf798bd052891cda386d504a20d439eb994004ff483c 2025-04-07
FileHash-SHA256 07397a113756805501a3f73a027977011849a90053f2a966053711f442d21b8d 2025-04-07
FileHash-SHA256 1661e8f8758526f913e4400af8dbfa7587794ba9345f299fa50373c7140e5819 2025-04-07
FileHash-SHA256 1bce694f9f811982eb01d381a69cdd56c3fa81d113e41b5acb902ec66ec942b1 2025-04-07
FileHash-SHA256 21b99435d0cf1f9845feb795c83cbf9d10211e6bc26460f4cdcfcd57569054fe 2025-04-07
FileHash-SHA256 37bf1269a21cba22af239e734de043f1d08d61b44414bcf63b1b9198e6a8bc87 2025-04-07
FileHash-SHA256 381695385bde0f96ad93dcbab79b3fc40f84e497c0b6afd087d2f1a2fbf824c3 2025-04-07
FileHash-SHA256 411e6413afc5dadc63f69dd37d25f23dfee1fbd5eff1a591ba33dfc38ca5a4fd 2025-04-07
FileHash-SHA256 4af6e5a266577ccc2dca9fcbe2f56a9673947f6f3b5b9d1d7eb740613fce80d4 2025-04-07
FileHash-SHA256 522fd6a56589f3ce764c88846006cca8c37ccbb286c6d2754ea979a59909271d 2025-04-07
FileHash-SHA256 532f4c9c72f1c77531a55f7811371aa65f85fc3a768d792482cab3381cdd29b3 2025-04-07
FileHash-SHA256 5588d1c5901d61bb09cd2fc86d523e2ccbc35a0565fd63c73b62757ac2ee51f5 2025-04-07
FileHash-SHA256 6b249d6421f4c8c04ca11febb0244f333aa49ca6a28feee62b7c681960a86ad5 2025-04-07
FileHash-SHA256 725df91a9db2e077203d78b8bef95b8cf093e7d0ee2e7a4f55a30fe200c3bf8f 2025-04-07
FileHash-SHA256 7d222bb62ae995479f05d4bddaa0b7d6dd7ade8d9c438214b00cc1d1be9b9db1 2025-04-07
FileHash-SHA256 90b7b711f56f00a1fa08a7a29f2cd8602b8aa1a0d78986dbfc9f64e38ac6cecd 2025-04-07
FileHash-SHA256 977198c47d5e7f049c468135f5bde776c20dcd40e8a2ed5adb7717c2c44be5b9 2025-04-07
FileHash-SHA256 9d9829ff50f5195ef4c1ebee6cf430c013ad47665657ef9a6c3bc0b9911a40c4 2025-04-07
FileHash-SHA256 c124f307ffbfdba7190c0df9651e895c720962094a78a0af347b2f1e7a8962d0 2025-04-07
FileHash-SHA256 c5f07de4d69742b5a4492f87902c1907948149052a9522719b1f14ab3cb03515 2025-04-07
FileHash-SHA256 cbb84155467087c4da2ec411463e4af379582bb742ce7009156756482868859c 2025-04-07
FileHash-SHA256 cc70570dd68a01ef43497c13ea7e5620256208b73bd1e4487f3bf0c91617169f 2025-04-07
FileHash-SHA256 db3fe436f4eeb9c20dc206af3dfdff8454460ad80ef4bab03291528e3e0754ad 2025-04-07
FileHash-SHA256 e4fc16fb36a5cd9e8d7dfe42482e111c7ce91467f6ac100a0e76740b491df2d4 2025-04-07
FileHash-SHA256 ecb7ee118b68b178e62b68a7e2aaee85bafc8b721cb9cee30d009a0c96e59cef 2025-04-07
FileHash-SHA256 f2836437090bfb8ff878c9a8aee28e036adc4ad7c73a51623c5c6ff12445a741 2025-04-07
FileHash-SHA256 f687fe9966f7a2cb6fdc344d62786958edc4a9d9b8389a0e2fea9907f90cfde2 2025-04-07
FileHash-SHA256 fcfb94820cb2abbe80bdb491c98ede8e6cfa294fa8faf9bea09a9b9ceae35bf3 2025-04-07
URL http://185.215.113.39/files/5094364719/7GVy9sB.ps1 2025-04-07
URL http://185.215.113.39/files/5094364719/RNsgUnN.ps1 2025-04-07
URL http://185.215.113.39/files/5094364719/fpEu4ir.ps1 2025-04-07
URL http://185.215.113.39/files/5094364719/pcuy9xE.ps1 2025-04-07
URL http://185.215.113.97/files/5094364719/LR8QUOU.ps1 2025-04-07
URL http://31.41.244.11/files/5094364719/RRFd0ev.ps1 2025-04-07
URL http://31.41.244.11/files/5094364719/T5NHWKA.ps1 2025-04-07
URL http://31.41.244.11/files/5094364719/WClchuE.ps1 2025-04-07
URL http://31.41.244.11/files/5094364719/rrfd0ev.ps1 2025-04-07
URL http://31.41.244.11/files/5094364719/wVjWGck.ps1 2025-04-07
URL http://31.41.244.11/files/5094364719/wclchue.ps1 2025-04-07
URL http://31.41.244.11/files/5094364719/wvjwgck.ps1 2025-04-07
URL https://85.234.100.177/b97c5970b3a1f0ccc/iwbsn37q.xl2a8 2025-04-07
URL https://encrypthub.us/encrypthub/fickle/payload.xn--ps1-to0a 2025-04-07
URL https://encrypthub.us/encrypthub/ram/ 2025-04-07
URL https://encrypthub.us/encrypthub/ram/ram.exe 2025-04-07
URL https://encrypthub.us/encrypthub/ram/ram.ps1 2025-04-07
domain 353827-coinbase.com 2025-04-07
domain alphabit.vc 2025-04-07
domain b8-crypt0x.com 2025-04-07
domain blackangel.dev 2025-04-07
domain concur.net.co 2025-04-07
domain conferx.live 2025-04-07
domain encrypthub.us 2025-04-07
domain fuckedserver.net 2025-04-07
domain global-protect.net 2025-04-07
domain healthy-cleanse-fit.com 2025-04-07
domain malwarehunterteam.net 2025-04-07
domain meets-gooie.com 2025-04-07
domain paloaltonworks.com 2025-04-07
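The table above is only useful once it is loaded with the normalisation that matching needs, and this pulse has a few traps: hashes are listed in lower case while EDR telemetry often reports them in upper case, the URL list carries both `RRFd0ev.ps1` and `rrfd0ev.ps1`, and one URL ends in a punycode label (`payload.xn--ps1-to0a`). The Python below is an added example, not code from the pulse or from AlienVault: it parses a verbatim excerpt of the IOC table, decodes the `xn--` label, and runs tiered matching (exact URL, then URL host, then domain with subdomain handling, plus hash lookup) over constructed proxy, DNS and file-hash records. The log lines, workstation name and internal IP addresses are made up for the example.

```python
"""Hunt for the pulse's IOCs in telemetry (added example, not part of the OTX pulse).

The IOC excerpt below is copied verbatim from the table above; the log lines are
constructed for the example. Hashes are compared case-insensitively, domains match
on label boundaries (a subdomain hits, a look-alike name does not), and URL paths
are normalised (percent-decoding, punycode labels) before an exact comparison.
"""
import re
from urllib.parse import unquote, urlsplit

PULSE_IOCS = """\
domain encrypthub.us 2025-04-07
domain global-protect.us 2025-04-07
domain paloaltonworks.com 2025-04-07
FileHash-MD5 011827ebdf113755102a47987b718587 2025-04-07
FileHash-SHA256 06628b0447c94dd270ecaf798bd052891cda386d504a20d439eb994004ff483c 2025-04-07
URL http://185.215.113.39/files/5094364719/7GVy9sB.ps1 2025-04-07
URL http://31.41.244.11/files/5094364719/RRFd0ev.ps1 2025-04-07
URL https://encrypthub.us/encrypthub/fickle/payload.xn--ps1-to0a 2025-04-07
URL https://encrypthub.us/encrypthub/ram/ram.ps1 2025-04-07
"""

# Constructed sample telemetry: proxy, DNS and file-hash events as key=value records.
SAMPLE_LOG = r"""
2025-04-08T10:02:11Z proxy src=10.0.0.15 url=http://31.41.244.11/files/5094364719/rrfd0ev.ps1
2025-04-08T10:02:19Z dns src=10.0.0.15 query=cdn.encrypthub.us
2025-04-08T10:02:40Z file host=WS-014 path=C:\Users\Public\ram.ps1 sha256=06628B0447C94DD270ECAF798BD052891CDA386D504A20D439EB994004FF483C
2025-04-08T10:03:02Z proxy src=10.0.0.22 url=https://encrypthub.us/encrypthub/fickle/payload.ps1%E2%80%99
2025-04-08T10:05:00Z dns src=10.0.0.30 query=notencrypthub.us
2025-04-08T10:06:00Z proxy src=10.0.0.31 url=https://www.paloaltonetworks.com/
"""

HASH_LEN = {"FileHash-MD5": 32, "FileHash-SHA1": 40, "FileHash-SHA256": 64}
KV = re.compile(r"(\w+)=(\S+)")


def decode_idna_labels(text):
    """Replace each xn-- label with its punycode decoding; leave undecodable ones alone."""
    def _dec(m):
        try:
            return m.group(1).encode("ascii").decode("punycode")
        except UnicodeError:
            return m.group(0)
    return re.sub(r"xn--([A-Za-z0-9-]+)", _dec, text)


def normalize_path(path):
    """Bring an IOC path and a logged request path onto the same representation."""
    return unquote(decode_idna_labels(path))


def parse_iocs(table):
    """Parse 'TYPE INDICATOR CREATED' rows into normalised lookup sets."""
    iocs = {"domain": set(), "hash": set(), "url": set(), "url_host": set()}
    for row in table.splitlines():
        parts = row.split()
        if len(parts) < 3:
            continue
        kind, value = parts[0], parts[1]
        if kind == "domain":
            iocs["domain"].add(value.lower().rstrip("."))
        elif kind in HASH_LEN:
            digest = value.lower()
            if len(digest) != HASH_LEN[kind] or not re.fullmatch(r"[0-9a-f]+", digest):
                raise ValueError(f"malformed {kind}: {value}")
            iocs["hash"].add(digest)
        elif kind == "URL":
            u = urlsplit(value)
            host = (u.hostname or "").rstrip(".")
            iocs["url"].add((host, normalize_path(u.path)))
            iocs["url_host"].add(host)  # weaker signal: any request to the host
    return iocs


def domain_hit(name, domains):
    """Return the IOC domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(log_text, iocs):
    """Return (indicator type, matched value) for every record that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        if "url" in fields:
            u = urlsplit(fields["url"])
            host = (u.hostname or "").rstrip(".")
            if (host, normalize_path(u.path)) in iocs["url"]:
                hits.append(("url", fields["url"]))
            elif host in iocs["url_host"]:
                hits.append(("url-host", host))
            elif domain_hit(host, iocs["domain"]):
                hits.append(("domain", domain_hit(host, iocs["domain"])))
        if "query" in fields and domain_hit(fields["query"], iocs["domain"]):
            hits.append(("domain", domain_hit(fields["query"], iocs["domain"])))
        for algo in ("md5", "sha1", "sha256"):
            if algo in fields and fields[algo].lower() in iocs["hash"]:
                hits.append(("hash", fields[algo].lower()))
    return hits


if __name__ == "__main__":
    for kind, value in scan(SAMPLE_LOG, parse_iocs(PULSE_IOCS)):
        print(f"{kind:9} {value}")
```

Run against the constructed log it flags four records: the `31.41.244.11` download (host tier only, because the listed path casing differs from the request), the `cdn.encrypthub.us` lookup (subdomain of a listed domain), the upper-case SHA-256, and the request whose path ends in `%E2%80%99`. That last one is the catch worth knowing: `xn--ps1-to0a` decodes to `ps1` followed by U+2019, a typographic closing quote, so the listed URL most likely picked up a stray quote when it was extracted from the source report. As written it only matches a request that carries that character, which is why the host- and domain-level tiers are kept as a fallback. `notencrypthub.us` and `www.paloaltonetworks.com` are correctly left alone; the latter is presumably the legitimate name that `paloaltonworks.com` imitates.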