{ "type": "Domain", "indicator": "b8-crypt0x.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/b8-crypt0x.com", "alexa": "http://www.alexa.com/siteinfo/b8-crypt0x.com", "indicator": "b8-crypt0x.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4043601801, "indicator": "b8-crypt0x.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "67f3aae3b4d4fbbfe08e7839", "name": "Unveiling EncryptHub: Analysis of a multi-stage malware campaign", "description": "EncryptHub, an emerging cybercriminal entity, has been conducting multi-stage malware campaigns using trojanized applications and third-party distribution services. Their tactics include using PowerShell scripts for system data gathering, information exfiltration, and payload deployment. The threat actor prioritizes stolen credentials based on cryptocurrency ownership and corporate network affiliation. EncryptHub is developing a remote access tool called 'EncryptRAT' with plans for future distribution. Their evolving killchain involves multiple stages, including initial execution, data exfiltration, system information collection, and eventual deployment of the Rhadamanthys malware. Despite operational security mistakes, EncryptHub continues to refine their tactics, emphasizing the need for vigilant cybersecurity measures.", "modified": "2025-05-07T10:02:07.628000", "created": "2025-04-07T10:37:23.742000", "tags": [ "information stealer", "kematian stealer", "labinstalls", "rhadamanthys", "pay-per-install", "encryptrat" ], "references": [ "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware" ], "public": 1, "adversary": "Larva-208", "targeted_countries": [], "malware_families": [ { "id": "Kematian Stealer", "display_name": "Kematian Stealer", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "EncryptRAT", "display_name": "EncryptRAT", "target": null } ], "attack_ids": [ { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 15, "FileHash-SHA1": 17, "FileHash-SHA256": 28, "URL": 17 }, "indicator_count": 91, "is_author": false, "is_subscribing": null, "subscriber_count": 386543, "modified_text": "389 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67e7cba2606bdb8acfedda1c", "name": "A Deep Dive into Water Arsenal and Infrastructure", "description": "Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and Rhadamanthys. Their delivery methods include malicious provisioning packages, signed .msi files, and Windows MSC files. The attackers employ techniques such as LOLBins and encrypted communications to evade detection. Their infrastructure includes C&C servers for managing infected systems and exfiltrating data. The campaign highlights the group's adaptability and sophistication in cyber espionage operations.", "modified": "2025-04-28T10:06:12.559000", "created": "2025-03-29T10:29:54.426000", "tags": [ "zero-day", "backdoor", "c&c", "stealc", "cve-2025-26633", "darkwisp", "lolbins", "stealer", "rhadamanthys", "encrypthub stealer", "powershell", "silentprism", "msc eviltwin" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html" ], "public": 1, "adversary": "Water Gamayun", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "EncryptHub Stealer", "display_name": "EncryptHub Stealer", "target": null }, { "id": "SilentPrism", "display_name": "SilentPrism", "target": null }, { "id": "DarkWisp", "display_name": "DarkWisp", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 8, "FileHash-MD5": 62, "FileHash-SHA1": 62, "FileHash-SHA256": 108, "hostname": 1, "CVE": 1, "URL": 3 }, "indicator_count": 245, "is_author": false, "is_subscribing": null, "subscriber_count": 386546, "modified_text": "398 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ebb383c09e67bf08f536e4", "name": "A Deep Dive into Water Gamayun\u2019s Arsenal and Infrastructure", "description": "Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.", "modified": "2025-05-01T09:02:21.300000", "created": "2025-04-01T09:36:03.598000", "tags": [ "sha256", "detection", "filename", "dive", "water gamayun", "arsenal", "infrastructure", "files", "backdoor", "msc eviltwin", "silentprism", "darkwisp", "encrypthub", "a", "c", "trojanspy" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SilentPrism", "display_name": "SilentPrism", "target": null }, { "id": "DarkWisp", "display_name": "DarkWisp", "target": null }, { "id": "EncryptHub", "display_name": "EncryptHub", "target": null }, { "id": "A", "display_name": "A", "target": null }, { "id": "C", "display_name": "C", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "FileHash-MD5": 55, "FileHash-SHA1": 55, "FileHash-SHA256": 105, "hostname": 1 }, "indicator_count": 224, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67eb5c27a3c28726af1b3e6f", "name": "IOC - A Deep Dive into Water Gamayun\u2019s Arsenal and Infrastructure", "description": "", "modified": "2025-04-28T10:06:12.559000", "created": "2025-04-01T03:23:19.437000", "tags": [ "zero-day", "backdoor", "c&c", "stealc", "cve-2025-26633", "darkwisp", "lolbins", "stealer", "rhadamanthys", "encrypthub stealer", "powershell", "silentprism", "msc eviltwin" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html" ], "public": 1, "adversary": "Water Gamayun", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "EncryptHub Stealer", "display_name": "EncryptHub Stealer", "target": null }, { "id": "SilentPrism", "display_name": "SilentPrism", "target": null }, { "id": "DarkWisp", "display_name": "DarkWisp", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": "67e7cba2606bdb8acfedda1c", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "FileHash-MD5": 62, "FileHash-SHA1": 62, "FileHash-SHA256": 108, "hostname": 1, "CVE": 1, "URL": 3 }, "indicator_count": 245, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "398 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ee1f848149d93d8d8043d7", "name": "A Deep Dive into Water Arsenal and Infrastructure", "description": "", "modified": "2025-04-28T10:06:12.559000", "created": "2025-04-03T05:41:24.498000", "tags": [ "zero-day", "backdoor", "c&c", "stealc", "cve-2025-26633", "darkwisp", "lolbins", "stealer", "rhadamanthys", "encrypthub stealer", "powershell", "silentprism", "msc eviltwin" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html" ], "public": 1, "adversary": "Water Gamayun", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "EncryptHub Stealer", "display_name": "EncryptHub Stealer", "target": null }, { "id": "SilentPrism", "display_name": "SilentPrism", "target": null }, { "id": "DarkWisp", "display_name": "DarkWisp", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": "67e7cba2606bdb8acfedda1c", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "FileHash-MD5": 62, "FileHash-SHA1": 62, "FileHash-SHA256": 108, "hostname": 1, "CVE": 1, "URL": 3 }, "indicator_count": 245, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "398 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d4f2d7988e3ccde79896ca", "name": "Trojanized Targets Cryptocurrency Wallets and Corporate Networks", "description": "", "modified": "2025-04-14T03:00:25.447000", "created": "2025-03-15T03:24:07.049000", "tags": [ "http", "update", "siem", "iocs", "keep antivirus", "endpoint", "domains", "urls" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 15, "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 28, "URL": 14 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d10f1cbad06b8c2ca87f6f", "name": "Unveiling EncryptHub: Analysis of a multi-stage malware campaign", "description": "Outpost24\u2019s products and services help businesses improve their security posture and reduce the threat posed by cyber criminals, but what do you know about them and what are the company's goals?", "modified": "2025-04-11T04:03:55.909000", "created": "2025-03-12T04:35:40.173000", "tags": [ "encrypthub", "powershell", "outpost24", "labinstalls", "krakenlabs", "telegram bot", "encryptrat", "encrypthub llc", "hash", "temp folder", "february", "rhadamanthys", "crypto", "bypass", "loader", "june", "august", "beware", "team", "kematian" ], "references": [ "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/?s=31" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Kematian", "display_name": "Kematian", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 14, "FileHash-SHA1": 16, "FileHash-SHA256": 28, "URL": 17 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "415 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d03ef4f422c11bb2fc0c85", "name": "Unveiling EncryptHub: Analysis of a multi-stage malware campaign", "description": "Outpost24\u2019s products and services help businesses improve their security posture and reduce the risk of being targeted by cybercriminals such as the so-called \"dark web\u201d EncryptHub.", "modified": "2025-04-10T13:04:45.185000", "created": "2025-03-11T13:47:32.624000", "tags": [ "encrypthub", "powershell", "outpost24", "labinstalls", "krakenlabs", "telegram bot", "encryptrat", "encrypthub llc", "hash", "temp folder", "february", "rhadamanthys", "crypto", "bypass", "loader", "june", "august", "beware", "team", "kematian" ], "references": [ "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/#indicators-of-compromise-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Kematian", "display_name": "Kematian", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 14, "FileHash-SHA1": 16, "FileHash-SHA256": 28, "URL": 17 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "416 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cb3f223b1ffcf196042aa7", "name": "EncryptHub's Multi-Stage Phishing Campaigns Deliver Stealers and Ransomware", "description": "A financially motivated threat group, known as EncryptHub, has been actively conducting advanced phishing campaigns to deploy information stealers and ransomware. Researchers have observed the group targeting users of popular applications by distributing trojanized versions and leveraging third-party Pay-Per-Install (PPI) services to distribute malware.", "modified": "2025-04-06T18:02:30.032000", "created": "2025-03-07T18:46:56.279000", "tags": [ "encrypthub", "powershell", "outpost24", "labinstalls", "krakenlabs", "telegram bot", "encryptrat", "encrypthub llc", "hash", "temp folder", "february", "rhadamanthys", "crypto", "bypass", "loader", "june", "august", "beware", "team", "kematian" ], "references": [ "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Kematian", "display_name": "Kematian", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 14, "FileHash-SHA1": 16, "FileHash-SHA256": 28, "URL": 17 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "419 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cacb587b7a51ee5d994f49", "name": "Unveiling EncryptHub: Analysis of a multi-stage malware campaign", "description": "Outpost24\u2019s products and services help businesses improve their security posture and reduce the threat posed by cyber criminals, but what do you know about them and what are the company's goals?", "modified": "2025-04-06T10:00:27.717000", "created": "2025-03-07T10:32:56.903000", "tags": [ "encrypthub", "powershell", "outpost24", "labinstalls", "krakenlabs", "telegram bot", "encryptrat", "encrypthub llc", "hash", "temp folder", "february", "rhadamanthys", "crypto", "bypass", "loader", "june", "august", "beware", "team", "kematian" ], "references": [ "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Kematian", "display_name": "Kematian", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 14, "FileHash-SHA1": 16, "FileHash-SHA256": 28, "URL": 17 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "420 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware", "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html", "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/?s=31", "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/", "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/#indicators-of-compromise-iocs" ], "related": { "alienvault": { "adversary": [ "Water Gamayun", "Larva-208" ], "malware_families": [ "Darkwisp", "Silentprism", "Encrypthub stealer", "Kematian stealer", "Rhadamanthys", "Encryptrat", "Stealc" ], "industries": [ "Government", "Defense" ] }, "other": { "adversary": [ "Water Gamayun" ], "malware_families": [ "Darkwisp", "Kematian", "C", "Silentprism", "Encrypthub stealer", "Rhadamanthys", "A", "Trojanspy", "Encrypthub", "Stealc" ], "industries": [ "Government", "Defense" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "67f3aae3b4d4fbbfe08e7839", "name": "Unveiling EncryptHub: Analysis of a multi-stage malware campaign", "description": "EncryptHub, an emerging cybercriminal entity, has been conducting multi-stage malware campaigns using trojanized applications and third-party distribution services. Their tactics include using PowerShell scripts for system data gathering, information exfiltration, and payload deployment. The threat actor prioritizes stolen credentials based on cryptocurrency ownership and corporate network affiliation. EncryptHub is developing a remote access tool called 'EncryptRAT' with plans for future distribution. Their evolving killchain involves multiple stages, including initial execution, data exfiltration, system information collection, and eventual deployment of the Rhadamanthys malware. Despite operational security mistakes, EncryptHub continues to refine their tactics, emphasizing the need for vigilant cybersecurity measures.", "modified": "2025-05-07T10:02:07.628000", "created": "2025-04-07T10:37:23.742000", "tags": [ "information stealer", "kematian stealer", "labinstalls", "rhadamanthys", "pay-per-install", "encryptrat" ], "references": [ "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware" ], "public": 1, "adversary": "Larva-208", "targeted_countries": [], "malware_families": [ { "id": "Kematian Stealer", "display_name": "Kematian Stealer", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "EncryptRAT", "display_name": "EncryptRAT", "target": null } ], "attack_ids": [ { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 15, "FileHash-SHA1": 17, "FileHash-SHA256": 28, "URL": 17 }, "indicator_count": 91, "is_author": false, "is_subscribing": null, "subscriber_count": 386543, "modified_text": "389 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67e7cba2606bdb8acfedda1c", "name": "A Deep Dive into Water Arsenal and Infrastructure", "description": "Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and Rhadamanthys. Their delivery methods include malicious provisioning packages, signed .msi files, and Windows MSC files. The attackers employ techniques such as LOLBins and encrypted communications to evade detection. Their infrastructure includes C&C servers for managing infected systems and exfiltrating data. The campaign highlights the group's adaptability and sophistication in cyber espionage operations.", "modified": "2025-04-28T10:06:12.559000", "created": "2025-03-29T10:29:54.426000", "tags": [ "zero-day", "backdoor", "c&c", "stealc", "cve-2025-26633", "darkwisp", "lolbins", "stealer", "rhadamanthys", "encrypthub stealer", "powershell", "silentprism", "msc eviltwin" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html" ], "public": 1, "adversary": "Water Gamayun", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "EncryptHub Stealer", "display_name": "EncryptHub Stealer", "target": null }, { "id": "SilentPrism", "display_name": "SilentPrism", "target": null }, { "id": "DarkWisp", "display_name": "DarkWisp", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 8, "FileHash-MD5": 62, "FileHash-SHA1": 62, "FileHash-SHA256": 108, "hostname": 1, "CVE": 1, "URL": 3 }, "indicator_count": 245, "is_author": false, "is_subscribing": null, "subscriber_count": 386546, "modified_text": "398 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ebb383c09e67bf08f536e4", "name": "A Deep Dive into Water Gamayun\u2019s Arsenal and Infrastructure", "description": "Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.", "modified": "2025-05-01T09:02:21.300000", "created": "2025-04-01T09:36:03.598000", "tags": [ "sha256", "detection", "filename", "dive", "water gamayun", "arsenal", "infrastructure", "files", "backdoor", "msc eviltwin", "silentprism", "darkwisp", "encrypthub", "a", "c", "trojanspy" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SilentPrism", "display_name": "SilentPrism", "target": null }, { "id": "DarkWisp", "display_name": "DarkWisp", "target": null }, { "id": "EncryptHub", "display_name": "EncryptHub", "target": null }, { "id": "A", "display_name": "A", "target": null }, { "id": "C", "display_name": "C", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "FileHash-MD5": 55, "FileHash-SHA1": 55, "FileHash-SHA256": 105, "hostname": 1 }, "indicator_count": 224, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67eb5c27a3c28726af1b3e6f", "name": "IOC - A Deep Dive into Water Gamayun\u2019s Arsenal and Infrastructure", "description": "", "modified": "2025-04-28T10:06:12.559000", "created": "2025-04-01T03:23:19.437000", "tags": [ "zero-day", "backdoor", "c&c", "stealc", "cve-2025-26633", "darkwisp", "lolbins", "stealer", "rhadamanthys", "encrypthub stealer", "powershell", "silentprism", "msc eviltwin" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html" ], "public": 1, "adversary": "Water Gamayun", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "EncryptHub Stealer", "display_name": "EncryptHub Stealer", "target": null }, { "id": "SilentPrism", "display_name": "SilentPrism", "target": null }, { "id": "DarkWisp", "display_name": "DarkWisp", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": "67e7cba2606bdb8acfedda1c", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "FileHash-MD5": 62, "FileHash-SHA1": 62, "FileHash-SHA256": 108, "hostname": 1, "CVE": 1, "URL": 3 }, "indicator_count": 245, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "398 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ee1f848149d93d8d8043d7", "name": "A Deep Dive into Water Arsenal and Infrastructure", "description": "", "modified": "2025-04-28T10:06:12.559000", "created": "2025-04-03T05:41:24.498000", "tags": [ "zero-day", "backdoor", "c&c", "stealc", "cve-2025-26633", "darkwisp", "lolbins", "stealer", "rhadamanthys", "encrypthub stealer", "powershell", "silentprism", "msc eviltwin" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html" ], "public": 1, "adversary": "Water Gamayun", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "EncryptHub Stealer", "display_name": "EncryptHub Stealer", "target": null }, { "id": "SilentPrism", "display_name": "SilentPrism", "target": null }, { "id": "DarkWisp", "display_name": "DarkWisp", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": "67e7cba2606bdb8acfedda1c", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "FileHash-MD5": 62, "FileHash-SHA1": 62, "FileHash-SHA256": 108, "hostname": 1, "CVE": 1, "URL": 3 }, "indicator_count": 245, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "398 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d4f2d7988e3ccde79896ca", "name": "Trojanized Targets Cryptocurrency Wallets and Corporate Networks", "description": "", "modified": "2025-04-14T03:00:25.447000", "created": "2025-03-15T03:24:07.049000", "tags": [ "http", "update", "siem", "iocs", "keep antivirus", "endpoint", "domains", "urls" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 15, "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 28, "URL": 14 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d10f1cbad06b8c2ca87f6f", "name": "Unveiling EncryptHub: Analysis of a multi-stage malware campaign", "description": "Outpost24\u2019s products and services help businesses improve their security posture and reduce the threat posed by cyber criminals, but what do you know about them and what are the company's goals?", "modified": "2025-04-11T04:03:55.909000", "created": "2025-03-12T04:35:40.173000", "tags": [ "encrypthub", "powershell", "outpost24", "labinstalls", "krakenlabs", "telegram bot", "encryptrat", "encrypthub llc", "hash", "temp folder", "february", "rhadamanthys", "crypto", "bypass", "loader", "june", "august", "beware", "team", "kematian" ], "references": [ "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/?s=31" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Kematian", "display_name": "Kematian", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 14, "FileHash-SHA1": 16, "FileHash-SHA256": 28, "URL": 17 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "415 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d03ef4f422c11bb2fc0c85", "name": "Unveiling EncryptHub: Analysis of a multi-stage malware campaign", "description": "Outpost24\u2019s products and services help businesses improve their security posture and reduce the risk of being targeted by cybercriminals such as the so-called \"dark web\u201d EncryptHub.", "modified": "2025-04-10T13:04:45.185000", "created": "2025-03-11T13:47:32.624000", "tags": [ "encrypthub", "powershell", "outpost24", "labinstalls", "krakenlabs", "telegram bot", "encryptrat", "encrypthub llc", "hash", "temp folder", "february", "rhadamanthys", "crypto", "bypass", "loader", "june", "august", "beware", "team", "kematian" ], "references": [ "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/#indicators-of-compromise-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Kematian", "display_name": "Kematian", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 14, "FileHash-SHA1": 16, "FileHash-SHA256": 28, "URL": 17 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "416 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cb3f223b1ffcf196042aa7", "name": "EncryptHub's Multi-Stage Phishing Campaigns Deliver Stealers and Ransomware", "description": "A financially motivated threat group, known as EncryptHub, has been actively conducting advanced phishing campaigns to deploy information stealers and ransomware. Researchers have observed the group targeting users of popular applications by distributing trojanized versions and leveraging third-party Pay-Per-Install (PPI) services to distribute malware.", "modified": "2025-04-06T18:02:30.032000", "created": "2025-03-07T18:46:56.279000", "tags": [ "encrypthub", "powershell", "outpost24", "labinstalls", "krakenlabs", "telegram bot", "encryptrat", "encrypthub llc", "hash", "temp folder", "february", "rhadamanthys", "crypto", "bypass", "loader", "june", "august", "beware", "team", "kematian" ], "references": [ "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Kematian", "display_name": "Kematian", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 14, "FileHash-SHA1": 16, "FileHash-SHA256": 28, "URL": 17 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "419 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cacb587b7a51ee5d994f49", "name": "Unveiling EncryptHub: Analysis of a multi-stage malware campaign", "description": "Outpost24\u2019s products and services help businesses improve their security posture and reduce the threat posed by cyber criminals, but what do you know about them and what are the company's goals?", "modified": "2025-04-06T10:00:27.717000", "created": "2025-03-07T10:32:56.903000", "tags": [ "encrypthub", "powershell", "outpost24", "labinstalls", "krakenlabs", "telegram bot", "encryptrat", "encrypthub llc", "hash", "temp folder", "february", "rhadamanthys", "crypto", "bypass", "loader", "june", "august", "beware", "team", "kematian" ], "references": [ "https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Kematian", "display_name": "Kematian", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "FileHash-MD5": 14, "FileHash-SHA1": 16, "FileHash-SHA256": 28, "URL": 17 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "420 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "b8-crypt0x.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "b8-crypt0x.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780242186.2341285 }