A Deep Dive into Water Gamayun’s Arsenal and Infrastructure
EncryptHub Stealer Variant A
| Name | stealer_module.ps1 encrypthub_steal.ps1 |
| MD5 | 2f8bf3e5b6cbdb0c8e5935b078711867 1fbe357c26133a4b39b96fdd2c48f1ae |
| SHA-1 | Ca4fea2deacb9665461eb74b6422b137326c0d76 57ab6bdbb41289f3c8983d5b48fc98c08782ed1f |
| SHA-256 | B29e630b9c70b0daaba4f83489494444c04c7a470b9c24eb4ddffb6cd7cf05ff 677601f72181c53541f850248dd0904153ea62458489d7aa782149b93399ebd8 |
| Size | 368111 bytes 371740 bytes) |
| File type | PowerShell |
Upon execution, the malware collects extensive system information, including antivirus software, installed software, network adapters, running applications, and more. It also extracts sensitive data such as Wi-Fi passwords, Windows product keys, clipboard history, and session data from various messaging clients, VPN clients, VNC clients, FTP clients, and password managers. Additionally, it collects files from user directories based on these specific keywords and extensions:
$keywords = @(“2fa”, “acc”, “account”, “auth”, “backup”, “bank”, “binance”, “bitcoin”, “bitwarden”, “btc”, “casino”, “code”, “coinbase “, “crypto”, “dashlane”, “discord”, “eth”, “exodus”, “facebook”, “funds”, “info”, “keepass”, “keys”, “kraken”, “kucoin”, “lastpass”, “ledger”, “login”, “mail”, “memo”, “metamask”, “mnemonic”, “nordpass”, “note”, “pass”, “passphrase”, “proton”, “paypal”, “pgp”, […])
$allowedExtensions = @(“*.jpg”, “*.png”, “*.rdp”, “*.txt”, “*.doc”, “*.docx”, “*.pdf”, “*.csv”, “*.xls”, “*.xlsx”, “*.ldb”, “*.log”, “*.pem”, “*.ppk”, “*.key”, “*.pfx”)
The following Figure 21 illustrates how the malware fingerprints a victim machine.
Read More HERE
