MALICIOUS [1] campaign cataloged at 2024-09-04 [2].
- [1] The campaign has clearly malicious intent, like infostealers.
- [2] This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2024-08-embeds-RealtekHDAudioManager
Importing a module starts downloading and executing an infostealer, widely identified by AV/sandboxes.
Abuse categories
- infostealer: Campaign uses infostealer.
- remote_executable: Downloads and executes a remote executable.
References
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
- hxxps://github.com/holdthatcode/host/raw/main/howl.exe
- hxxps://github.com/holdthatcode/host/raw/main/menu.exe
- hxxps://raw.githubusercontent.com/bloodstainedvvs/host/main/code.exe
- hxxps://github.com/bloodstainedvvs/host/raw/main/zwerve.exe
- hxxps://cdn.discordapp.com/attachments/1276975489780809812/1282787632082059359/zwerve.exe?ex=66e0a094&is=66df4f14&hm=f4604d9783911e770716516e30d4f665214449f46aa2c5a59afc4bda7042bfba&
- hxxps://github.com/holdthatcode/e/raw/main/code.exe
- hxxps://github.com/holdthatcode/e/raw/main/zwerve.exe
- hxxps://github.com/holdthatcode/e/raw/main/CBLines.exe
- hxxps://github.com/holdthatcode/e/raw/main/Anch.exe
Packages in the campaign
campaign:2024-08-embeds-RealtekHDAudioManager
- antibyfron
- artindex
- automsg
- cblines
- cryptocalls
- dahood
- discould
- embeds
- ezauto
- haaahhaha
- hahahasillyxd
- larpexodus
- lowui
- modeflow
- mumupatcher
- mumuplayer12
- nezur
- partpyth
- pyaacv
- pyadd
- pycblines
- pycordapi
- pydeobf
- pydllcfg
- pykane
- pyloy
- pymatcha
- pysleek
- pysolara
- pytkit
- pytrv
- pytskcheck
- pyvantq
- rodll
- roinject
- rolib
- solaraund
- uidesign
- websend
- xsilyxd