TrendMicro

A Deep Dive into Water Gamayun’s Arsenal and Infrastructure

EncryptHub Stealer Variant A

Name        stealer_module.ps1                                                  encrypthub_steal.ps1
MD5         2f8bf3e5b6cbdb0c8e5935b078711867                                    1fbe357c26133a4b39b96fdd2c48f1ae
SHA-1       Ca4fea2deacb9665461eb74b6422b137326c0d76                            57ab6bdbb41289f3c8983d5b48fc98c08782ed1f
SHA-256     B29e630b9c70b0daaba4f83489494444c04c7a470b9c24eb4ddffb6cd7cf05ff    677601f72181c53541f850248dd0904153ea62458489d7aa782149b93399ebd8
Size        368111 bytes                                                        371740 bytes
File type   PowerShell                                                          PowerShell

Table 5. EncryptHub Stealer Variant A

Upon execution, the malware collects extensive system information, including antivirus software, installed software, network adapters, running applications, and more. It also extracts sensitive data such as Wi-Fi passwords, Windows product keys, clipboard history, and session data from various messaging clients, VPN clients, VNC clients, FTP clients, and password managers. Additionally, it collects files from user directories based on these specific keywords and extensions:

$keywords = @("2fa", "acc", "account", "auth", "backup", "bank", "binance", "bitcoin", "bitwarden", "btc", "casino", "code", "coinbase ", "crypto", "dashlane", "discord", "eth", "exodus", "facebook", "funds", "info", "keepass", "keys", "kraken", "kucoin", "lastpass", "ledger", "login", "mail", "memo", "metamask", "mnemonic", "nordpass", "note", "pass", "passphrase", "proton", "paypal", "pgp", […])

$allowedExtensions = @("*.jpg", "*.png", "*.rdp", "*.txt", "*.doc", "*.docx", "*.pdf", "*.csv", "*.xls", "*.xlsx", "*.ldb", "*.log", "*.pem", "*.ppk", "*.key", "*.pfx")
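As an added, defender-side illustration (not code from the report or from Trend Micro): a small Python checker that pulls string-array literals out of a PowerShell script and counts how many of the keyword and extension values published above each array contains, for triaging scripts captured via ScriptBlock logging or quarantine. The flagging thresholds and the two sample scripts are assumptions of this example, not values from the report.

```python
import re

# Keyword and extension lists as published in the write-up (the keyword list is
# only the subset shown there). Sample scripts near the bottom are constructed.
KNOWN_KEYWORDS = {
    "2fa", "acc", "account", "auth", "backup", "bank", "binance", "bitcoin",
    "bitwarden", "btc", "casino", "code", "coinbase", "crypto", "dashlane",
    "discord", "eth", "exodus", "facebook", "funds", "info", "keepass", "keys",
    "kraken", "kucoin", "lastpass", "ledger", "login", "mail", "memo",
    "metamask", "mnemonic", "nordpass", "note", "pass", "passphrase", "proton",
    "paypal", "pgp",
}
KNOWN_EXTENSIONS = {
    "*.jpg", "*.png", "*.rdp", "*.txt", "*.doc", "*.docx", "*.pdf", "*.csv",
    "*.xls", "*.xlsx", "*.ldb", "*.log", "*.pem", "*.ppk", "*.key", "*.pfx",
}
# Minimum overlaps before a script is flagged; chosen for this example, not from the report.
KEYWORD_MIN, EXTENSION_MIN = 8, 6

# A PowerShell array literal  $name = @( ... )  and the quoted strings inside it
# (straight or curly double quotes, or single quotes; bodies may span lines).
ARRAY_RE = re.compile(r"\$(\w+)\s*=\s*@\(([^)]*)\)")
STRING_RE = re.compile("[\"'\u201c\u201d]([^\"'\u201c\u201d]*)[\"'\u201c\u201d]")


def extract_string_arrays(script: str) -> dict:
    """Map each array variable name to its lower-cased, whitespace-stripped strings."""
    return {name: [s.strip().lower() for s in STRING_RE.findall(body)]
            for name, body in ARRAY_RE.findall(script)}


def score_script(script: str) -> dict:
    """Best per-array overlap with the known keyword and extension sets."""
    arrays = extract_string_arrays(script).values()
    kw = max((len(KNOWN_KEYWORDS & set(v)) for v in arrays), default=0)
    ext = max((len(KNOWN_EXTENSIONS & set(v)) for v in arrays), default=0)
    return {"keyword_hits": kw, "extension_hits": ext,
            "suspicious": kw >= KEYWORD_MIN and ext >= EXTENSION_MIN}


# Constructed samples: one mirroring the reported arrays, one ordinary log helper.
STEALER_LIKE = '''
$keywords = @(“2fa”, “acc”, “account”, “auth”, “backup”, “bank”, “binance”,
              “bitcoin”, “bitwarden”, “btc”, “coinbase ”, “wallet”, “seed”)
$allowedExtensions = @("*.txt", "*.doc", "*.docx", "*.pdf", "*.pem", "*.ppk",
                       "*.key", "*.pfx", "*.rdp", "*.ldb")
'''
BENIGN = '''
$allowedExtensions = @('*.txt', '*.log')
$keywords = @('error', 'warning', 'info')
'''

if __name__ == "__main__":
    for label, text in (("stealer-like", STEALER_LIKE), ("benign", BENIGN)):
        print(label, score_script(text))
```

Both counts are returned so the thresholds can be tuned against an environment's own benign scripts before the `suspicious` flag is acted on.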

Figure 21 illustrates how the malware fingerprints a victim machine.
