PureHVNC Deployed via Python Multi-stage Loader

    Date: 08/12/2024

    Severity: Medium

    Summary

"PureHVNC Deployed via Python Multi-stage Loader" (Fortinet Threat Research, referenced below) describes a campaign in which the PureHVNC remote access Trojan (RAT) is delivered through a multi-stage loader written in Python. The initial Python script runs on the victim host and retrieves the subsequent stages, which ultimately install PureHVNC and give the attacker remote control of the compromised system; HVNC denotes a hidden VNC session that runs without the logged-in user seeing it. Staging the chain this way keeps the first-stage script small and innocuous-looking and lets each later stage be fetched at run time, which helps the loader evade static, signature-based detection.

    Indicators of Compromise (IOC) List

    URL/Domain

    xoowill56.duckdns.org

    drvenomjh.duckdns.org

    ncmomenthv.duckdns.org

    vxsrwrm.duckdns.org

    ghdsasync.duckdns.org

    anachyyyyy.duckdns.org

    https://float-suppose-msg-pulling.trycloudflare.com/

Hash (SHA-256)

561f4b4e2c16f21b0db015819340fc59484e4994022c4cca46cf778006d5d441

16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a

441c4502584240624f4af6d67eded476c781ff0b72afe95ea236cc87a50e5650

7c4e613cf4db19f54030097687227809f965a951a26a44a882692ece6e642e3c

8bbdd3b41a03b86f246564a23e9acd48f74428f372c4bfb0a9a3af42511661c7

8d28191f647572d5e159f35ae55120ddf56209a18f2ca95a28d3ca9408b90d68

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

userdomainname like "https://float-suppose-msg-pulling.trycloudflare.com/" or url like "https://float-suppose-msg-pulling.trycloudflare.com/" or userdomainname like "xoowill56.duckdns.org" or url like "xoowill56.duckdns.org" or userdomainname like "drvenomjh.duckdns.org" or url like "drvenomjh.duckdns.org" or userdomainname like "ncmomenthv.duckdns.org" or url like "ncmomenthv.duckdns.org" or userdomainname like "vxsrwrm.duckdns.org" or url like "vxsrwrm.duckdns.org" or userdomainname like "ghdsasync.duckdns.org" or url like "ghdsasync.duckdns.org" or userdomainname like "anachyyyyy.duckdns.org" or url like "anachyyyyy.duckdns.org"

Note: the like clauses above carry no wildcard, so they match the listed strings exactly. A request to a path under the trycloudflare host (for example a fetched script name appended to the URL) will not match the url clause unless the field is normalised to its hostname or the pattern is widened, and a widened pattern should still anchor on the full listed hostname so that a look-alike such as notxoowill56.duckdns.org is not matched. duckdns.org and trycloudflare.com are legitimate dynamic DNS and tunnelling services; only the specific hostnames listed above are indicators, and the parent domains should not be blocked on their own.

    Hash

    sha256hash IN ("561f4b4e2c16f21b0db015819340fc59484e4994022c4cca46cf778006d5d441","16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a","441c4502584240624f4af6d67eded476c781ff0b72afe95ea236cc87a50e5650","7c4e613cf4db19f54030097687227809f965a951a26a44a882692ece6e642e3c","8bbdd3b41a03b86f246564a23e9acd48f74428f372c4bfb0a9a3af42511661c7","8d28191f647572d5e159f35ae55120ddf56209a18f2ca95a28d3ca9408b90d68")
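The queries above match the IOC strings literally. The Python below is an added example (not Gurucul's or Fortinet's code) that performs the same check offline against telemetry, normalising URLs and bare host:port values to a lowercase hostname and hashes to lowercase so that scheme, port, path and case differences do not cause misses. It also treats subdomains of the listed hosts as matches, which is a choice made here and is not stated on the page. The key=value log lines are constructed for the example and the field names (url, dst_host, query, sha256) are assumptions about the log format.

```python
"""Offline IOC matcher for the PureHVNC indicators listed above.

Added example, not Gurucul's or Fortinet's code. The key=value log
lines in SAMPLE_LOGS are constructed for this example and do not come
from a real incident.
"""
import re
from urllib.parse import urlsplit

# Domains and hosts from the IOC list above (trycloudflare URL reduced to its host).
IOC_DOMAINS = frozenset({
    "xoowill56.duckdns.org",
    "drvenomjh.duckdns.org",
    "ncmomenthv.duckdns.org",
    "vxsrwrm.duckdns.org",
    "ghdsasync.duckdns.org",
    "anachyyyyy.duckdns.org",
    "float-suppose-msg-pulling.trycloudflare.com",
})

# SHA-256 hashes from the IOC list above, kept lowercase for comparison.
IOC_SHA256 = frozenset({
    "561f4b4e2c16f21b0db015819340fc59484e4994022c4cca46cf778006d5d441",
    "16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a",
    "441c4502584240624f4af6d67eded476c781ff0b72afe95ea236cc87a50e5650",
    "7c4e613cf4db19f54030097687227809f965a951a26a44a882692ece6e642e3c",
    "8bbdd3b41a03b86f246564a23e9acd48f74428f372c4bfb0a9a3af42511661c7",
    "8d28191f647572d5e159f35ae55120ddf56209a18f2ca95a28d3ca9408b90d68",
})


def host_from_url(value):
    """Return the lowercase hostname of a URL or bare host[:port] string."""
    value = value.strip()
    if "//" not in value:
        value = "//" + value              # make urlsplit treat a bare host as the netloc
    host = urlsplit(value).hostname       # drops scheme, userinfo, port, path; lowercases
    return host.rstrip(".") if host else ""


def matching_domain(host):
    """Return the IOC domain that host equals or is a subdomain of, else None.

    Requiring a leading '.' for the subdomain case means a look-alike such as
    notxoowill56.duckdns.org does not match, and duckdns.org itself never does.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# key=value tokens; values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict (assumed log format)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


# Fields assumed to carry a hostname or URL in the constructed log format.
HOST_FIELDS = ("url", "dst_host", "query")

def scan_logs(lines):
    """Return (line_no, field, ioc) for every field value that hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        for field in HOST_FIELDS:
            if field in rec:
                ioc = matching_domain(host_from_url(rec[field]))
                if ioc:
                    hits.append((n, field, ioc))
        digest = rec.get("sha256", "").lower()
        if digest in IOC_SHA256:
            hits.append((n, "sha256", digest))
    return hits


# Constructed sample telemetry: proxy, DNS and file-hash events mixed together.
SAMPLE_LOGS = [
    'ts=2024-08-12T09:14:02Z user=jdoe dst_host=xoowill56.duckdns.org dst_port=4444 bytes=812',
    'ts=2024-08-12T09:14:05Z user=jdoe url="https://float-suppose-msg-pulling.trycloudflare.com/" status=200',
    'ts=2024-08-12T09:14:09Z user=asmith url="https://www.example.com/index.html" status=200',
    'ts=2024-08-12T09:15:30Z host=WS-17 file=C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.py '
    'sha256=561F4B4E2C16F21B0DB015819340FC59484E4994022C4CCA46CF778006D5D441',
    'ts=2024-08-12T09:16:01Z user=jdoe query=DRVENOMJH.duckdns.org qtype=A',
    'ts=2024-08-12T09:16:40Z user=bturner dst_host=api.ghdsasync.duckdns.org:8080 dst_port=8080',
    'ts=2024-08-12T09:17:12Z user=asmith query=notxoowill56.duckdns.org qtype=A',
]

if __name__ == "__main__":
    for line_no, field, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {field} matched IOC {ioc}")
```

Run against the constructed lines, the matcher reports five hits (the bare host, the trycloudflare URL, the upper-case hash, the upper-case DNS query and the host:port subdomain) and ignores both the benign URL and the look-alike domain; the same normalisation is what the like clauses above lack when the logged value carries a scheme, port or path.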

    Reference: 

    https://www.fortinet.com/blog/threat-research/purehvnc-deployed-via-python-multi-stage-loader

Tags

Malware, RAT, Trojan, Python Scripting
