Unveiling EncryptHub: Analysis of a multi-stage malware campaign

April 7, 2025, 11:07 a.m.

Description

EncryptHub, an emerging cybercriminal group, has been running multi-stage malware campaigns that rely on trojanized applications and third-party distribution services. Its tactics include PowerShell scripts for gathering system data, exfiltrating information, and deploying payloads. The threat actor prioritizes stolen credentials based on the victim's cryptocurrency ownership and corporate network affiliation. EncryptHub is developing a remote access tool called 'EncryptRAT' that it plans to distribute in the future. Its evolving kill chain involves multiple stages: initial execution, data exfiltration, system information collection, and eventual deployment of the Rhadamanthys malware. Despite operational security mistakes, EncryptHub continues to refine its tactics, underscoring the need for vigilant cybersecurity measures.

Date

  • Created: April 7, 2025, 10:37 a.m.
  • Published: April 7, 2025, 10:37 a.m.
  • Modified: April 7, 2025, 11:07 a.m.

Indicators

  • f687fe9966f7a2cb6fdc344d62786958edc4a9d9b8389a0e2fea9907f90cfde2
  • f2836437090bfb8ff878c9a8aee28e036adc4ad7c73a51623c5c6ff12445a741
  • ecb7ee118b68b178e62b68a7e2aaee85bafc8b721cb9cee30d009a0c96e59cef
  • e4fc16fb36a5cd9e8d7dfe42482e111c7ce91467f6ac100a0e76740b491df2d4
  • cc70570dd68a01ef43497c13ea7e5620256208b73bd1e4487f3bf0c91617169f
  • c5f07de4d69742b5a4492f87902c1907948149052a9522719b1f14ab3cb03515
  • c124f307ffbfdba7190c0df9651e895c720962094a78a0af347b2f1e7a8962d0
  • 9d9829ff50f5195ef4c1ebee6cf430c013ad47665657ef9a6c3bc0b9911a40c4
  • 977198c47d5e7f049c468135f5bde776c20dcd40e8a2ed5adb7717c2c44be5b9
  • 90b7b711f56f00a1fa08a7a29f2cd8602b8aa1a0d78986dbfc9f64e38ac6cecd
  • 7d222bb62ae995479f05d4bddaa0b7d6dd7ade8d9c438214b00cc1d1be9b9db1
  • 6b249d6421f4c8c04ca11febb0244f333aa49ca6a28feee62b7c681960a86ad5
  • 5588d1c5901d61bb09cd2fc86d523e2ccbc35a0565fd63c73b62757ac2ee51f5
  • 522fd6a56589f3ce764c88846006cca8c37ccbb286c6d2754ea979a59909271d
  • 532f4c9c72f1c77531a55f7811371aa65f85fc3a768d792482cab3381cdd29b3
  • 4af6e5a266577ccc2dca9fcbe2f56a9673947f6f3b5b9d1d7eb740613fce80d4
  • 411e6413afc5dadc63f69dd37d25f23dfee1fbd5eff1a591ba33dfc38ca5a4fd
  • 381695385bde0f96ad93dcbab79b3fc40f84e497c0b6afd087d2f1a2fbf824c3
  • 37bf1269a21cba22af239e734de043f1d08d61b44414bcf63b1b9198e6a8bc87
  • 21b99435d0cf1f9845feb795c83cbf9d10211e6bc26460f4cdcfcd57569054fe
  • 1bce694f9f811982eb01d381a69cdd56c3fa81d113e41b5acb902ec66ec942b1
  • 1661e8f8758526f913e4400af8dbfa7587794ba9345f299fa50373c7140e5819
  • 07397a113756805501a3f73a027977011849a90053f2a966053711f442d21b8d
  • 06628b0447c94dd270ecaf798bd052891cda386d504a20d439eb994004ff483c
  • fcfb94820cb2abbe80bdb491c98ede8e6cfa294fa8faf9bea09a9b9ceae35bf3
  • db3fe436f4eeb9c20dc206af3dfdff8454460ad80ef4bab03291528e3e0754ad
  • cbb84155467087c4da2ec411463e4af379582bb742ce7009156756482868859c
  • 725df91a9db2e077203d78b8bef95b8cf093e7d0ee2e7a4f55a30fe200c3bf8f
  • 85.234.100.177
  • 85.209.128.128
  • 82.115.223.199
  • 64.95.13.166
  • 45.131.215.16
  • 193.149.176.228
  • 185.215.113.39
  • 185.215.113.97
  • 82.115.223.182
  • 31.41.244.11
  • https://encrypthub.us/encrypthub/ram/ram.ps1
  • https://encrypthub.us/encrypthub/ram/ram.exe
  • https://encrypthub.us/encrypthub/ram/
  • https://encrypthub.us/encrypthub/fickle/payload.xn--ps1-to0a
  • https://85.234.100.177/b97c5970b3a1f0ccc/iwbsn37q.xl2a8
  • http://31.41.244.11/files/5094364719/wvjwgck.ps1
  • http://31.41.244.11/files/5094364719/wclchue.ps1
  • http://31.41.244.11/files/5094364719/wVjWGck.ps1
  • http://31.41.244.11/files/5094364719/rrfd0ev.ps1
  • http://31.41.244.11/files/5094364719/WClchuE.ps1
  • http://31.41.244.11/files/5094364719/T5NHWKA.ps1
  • http://31.41.244.11/files/5094364719/RRFd0ev.ps1
  • http://185.215.113.97/files/5094364719/LR8QUOU.ps1
  • http://185.215.113.39/files/5094364719/pcuy9xE.ps1
  • http://185.215.113.39/files/5094364719/fpEu4ir.ps1
  • http://185.215.113.39/files/5094364719/RNsgUnN.ps1
  • http://185.215.113.39/files/5094364719/7GVy9sB.ps1
  • paloaltonworks.com
  • meets-gooie.com
  • malwarehunterteam.net
  • healthy-cleanse-fit.com
  • global-protect.net
  • encrypthub.us
  • conferx.live
  • concur.net.co
  • blackangel.dev
  • b8-crypt0x.com
  • alphabit.vc
  • 353827-coinbase.com
  • global-protect.us
  • fuckedserver.net

Attack Patterns

  • EncryptRAT
  • Kematian Stealer
  • Rhadamanthys
  • EncryptHub