MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Trojan.Playtech/Crossrider
Trojan.Winterlove-28
TEL:Backdoor:Win32/PlugX
Trojan:Win32/Zbot.SIBG!MTB
#Lowfi:LUA:AutoItLargeFile
TELPER:HSTR:CLEAN:Ninite
#VirTool:Win32|Obfuscator.ADB
Worm:Win32/Mofksys.RND!MTB
Trojan:Win32/Blihan.A
Indicators of Compromise (8 / 710 total)
References (24)
installer.exe | FileHash-SHA256 000002f7c809714f3dd89443c0b12d7f397c7dfe6108a448571e378b84c9f229
Christopher P ‘Buzz’ Ahman | Brian Sabey | Tulach | Graham Tech
Yara: Detections: stack_string | ConventionEngine_Keyword_Install |
Yara: research_pe_signed_outside_timestamp [anomaly] xor_0x20_xord_javascript [Obfuscation]
IDS Detections: Playtech Installer PUP/Adware | Playtech Downloader Online Gaming Checkin
IDS Detections: Suspicious User-Agent containing Loader | Observed C: \\ filepath observed in HTTP header
CS Yara: Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs
CS IDS: Matches rule ET MALWARE Playtech Downloader Online Gaming Checkin
CS IDS: Matches rule (http_inspect) HTTP Content-Length message body was truncated
CS IDS: Matches rule SURICATA STREAM excessive retransmissions Unique rule identifier: This rule belongs to a private collection.
http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze
cache.download2.casino.com
thebeautifulbet.com
Trojan:Win32/Blihan.A -Yara Detections: KBysPacker028BetaShoooo
http://geo.web-installer-assets.com/,onSuccessId:8,onFailureId:9
http://geo.web-installer-assets.com/H
http://geo.web-installer-assets.com/.hook_reg_dialog_skip_registration
authrootstl.cab
ET MALWARE Playtech Downloader Online Gaming Checkin Malware
Command and Control Activity Detected
Proofpoint Emerging Threats Open X Context for the matching alerts
Rule references https://www.virustotal.com/gui/search/00740d7d15862efb3
Destination IP: 157.185.156.194 Destination port: 80 Hostname: cache.download2.casino.com
URL: http://cache.download2.casino.com/download/casino/client