← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
CREDIT Q.VASHTI [clone: ET Malware Playtech Downloader for Online Gaming]
WHITE msudosos 2026-05-09 Modified: 2026-05-09
710
IOCs
HIGH VOLUME
installer.exeprocess32nextwregsetvalueexaregopenkeyexwregdwordmediumregbinarypupadwarehttp headerregsetvalueexwloadersuspiciouspersistenceexecutionmalwarewin32 exepe32intelms windowswin32 dynamiclink librarywin16 neos2 executablepe32 compilerltcgctechniques ynonescripting interegistryelevati t1548hijack executy noneinfoabuse elevationcontrol mecflow lpluginsplugxbackdoortrojanautoitcrossridermodifybootkitabusecasinobetaharmysabeyahmanndora truepersistenceinjectiongraham techdangergamblingintellectual propertytheftbonu$dagocolorado
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Trojan.Playtech/Crossrider Trojan.Winterlove-28 TEL:Backdoor:Win32/PlugX Trojan:Win32/Zbot.SIBG!MTB #Lowfi:LUA:AutoItLargeFile TELPER:HSTR:CLEAN:Ninite #VirTool:Win32|Obfuscator.ADB Worm:Win32/Mofksys.RND!MTB Trojan:Win32/Blihan.A
Indicators of Compromise (7 / 710 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL hostname domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA1 de7237a20a6499a197fba63cd0e02a36541db51c SHA1 of 000002f7c809714f3dd89443c0b12d7f397c7dfe6108a448571e378b84c9f229 2026-05-09
FileHash-SHA1 5118f5d0247ad8b533b43c8b2f6f504c094d9d15 2026-05-09
FileHash-SHA1 d1eb23a46d17d68fd92564c2f1f1601764d8e349 2026-05-09
FileHash-SHA1 2737e85936fedcf9c25612752ce8f064e1433b7e 2026-05-09
FileHash-SHA1 25f00759b0e6641f9b423e6a52556c2e4e2796c3 2026-05-09
FileHash-SHA1 b5029eacb718bad5dbfc8005e918085fbcc89f00 2026-05-09
FileHash-SHA1 bfe907cb4817a6b71d18b3eb7f038a46535c2f3d 2026-05-09
References (24)
↗ installer.exe | FileHash-SHA256 000002f7c809714f3dd89443c0b12d7f397c7dfe6108a448571e378b84c9f229 ↗ Christopher P ‘Buzz’ Ahman | Brian Sabey | Tulach | Graham Tech ↗ Yara: Detections: stack_string | ConventionEngine_Keyword_Install | ↗ Yara: research_pe_signed_outside_timestamp [anomaly] xor_0x20_xord_javascript [Obfuscation] ↗ IDS Detections: Playtech Installer PUP/Adware | Playtech Downloader Online Gaming Checkin ↗ IDS Detections: Suspicious User-Agent containing Loader | Observed C: \\ filepath observed in HTTP header ↗ CS Yara: Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs ↗ CS IDS: Matches rule ET MALWARE Playtech Downloader Online Gaming Checkin ↗ CS IDS: Matches rule (http_inspect) HTTP Content-Length message body was truncated ↗ CS IDS: Matches rule SURICATA STREAM excessive retransmissions Unique rule identifier: This rule belongs to a private collection. ↗ http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze ↗ cache.download2.casino.com ↗ thebeautifulbet.com ↗ Trojan:Win32/Blihan.A -Yara Detections: KBysPacker028BetaShoooo ↗ http://geo.web-installer-assets.com/,onSuccessId:8,onFailureId:9 ↗ http://geo.web-installer-assets.com/H ↗ http://geo.web-installer-assets.com/.hook_reg_dialog_skip_registration ↗ authrootstl.cab ↗ ET MALWARE Playtech Downloader Online Gaming Checkin Malware ↗ Command and Control Activity Detected ↗ Proofpoint Emerging Threats Open X Context for the matching alerts ↗ Rule references https://www.virustotal.com/gui/search/00740d7d15862efb3 ↗ Destination IP: 157.185.156.194 Destination port: 80 Hostname: cache.download2.casino.com ↗ URL: http://cache.download2.casino.com/download/casino/client