Indicators of compromise - A Deep Dive into Water Gamayun's Arsenal and Infrastructure

===========================
Files
===========================

=================
MSI
=================
[Filename]                            [SHA256]                                                          [Detection]
DingTalk_v7.6.38.122510801.msi        cbb84155467087c4da2ec411463e4af379582bb742ce7009156756482868859c  Trojan.Win32.RHADAMANTHYS.YXFCR
                                      015f0fdf24a19b98447fab5fa16abf929c1cf9be33e9455ce788909dd5a8dbfe  Trojan.Win32.RHADAMANTHYS.YXFCT
EchonexMeets.exe                      b1fa0ded2f0cc42a70b7a0c051f772cd6db76b15d50ec119307027e670998728  TrojanSpy.Win32.RHADAMANTHYS.YXFCT
QQTalk.msi                            725df91a9db2e077203d78b8bef95b8cf093e7d0ee2e7a4f55a30fe200c3bf8f  Trojan.Win32.STEALC.YXFCG
VooV Meeting.msi                      db3fe436f4eeb9c20dc206af3dfdff8454460ad80ef4bab03291528e3e0754ad  Trojan.Win32.STEALC.YXFCR
SilentPrism Backdoor                  5cc0d46909bd6733dd331e2dfcef5ef9b9a9efb709b104c1c9a9d49026715065  Backdoor.PS1.SILENTPRISM.YXFCR
                                      7d9b41d7600c79b79e01f4e5100673bb134d5b4ea84ed8fcc9a2be6ccc1df4f7  Backdoor.PS1.SILENTPRISM.YXFCR
                                      983506186590f7118cb507d29f12f163afb536a03e6d0f4fb441df8afe49ede1  Backdoor.PS1.SILENTPRISM.YXFCR

=================
MSC EvilTwin loader
=================
[SHA256]                                                          [Detection]
b1b3d27deb35dd8c8fed75e878adae3f262475c8e8951d59e5df091562c2779b  Trojan.PS1.FICKLESHADE.YXFCR
7f8bd2d63bb95d61fcbdb22827c3a3e46655f556da769d3880c62865e6fde820  Trojan.PS1.FICKLESHADE.YXFCR
43eab8488dce80c1086aafdf4594b1a438347e32275abeaa8b2bb14475fb3f98  Trojan.PS1.FICKLESHADE.YXFCR
1b3309c7a4c3940eff1e1ab1905641b23ea743c4f11d82107ce36fa1ec2299e9  Trojan.PS1.FICKLESHADE.YXFCR
2aeb9aeca5739ea1cb5a30d284d65e36fe18f47db9e5e504063d982b9c3bc3e9  Trojan.PS1.FICKLESHADE.YXFCR
9b830c2979cbce45573aa21d765adda76f52db254155ae49648ef5050ceaf774  Trojan.PS1.FICKLESHADE.YXFCR
4e6f35ab5eb9242335bee01d6df9b50f665043f9930a630df7e170b904f52a24  Trojan.PS1.FICKLESHADE.YXFCR
d76c25e2761210783055b43349370253d794e94ee913a2be7596b9554eacf107  Trojan.PS1.FICKLESHADE.YXFCR
5357279bad530c3af89713aaf6befe19a22e438f22952aed46097590130551fa  Trojan.PS1.FICKLESHADE.YXFCR
413dea8ea8cb09cd3ac49531a8e0a13f767c09f78fb77856f4668377532a64ef  Trojan.PS1.FICKLESHADE.YXFCR
0943b0f328282504c2661cd56e4bd83e3b3e5a4cce89e2e5523f83a2d535a07e  Trojan.PS1.FICKLESHADE.YXFCR
f5c97f23543e904944120ef738f300049eae85c3b0bf8b86b346572f7bc6dec1  Trojan.PS1.FICKLESHADE.YXFCR
9e9ca325f44eeff4087bb67052536ba565da18e70e5b29c79ed77c14c5548131  Trojan.PS1.FICKLESHADE.YXFCR
6b99530953010dd8061a3a328c04c30653bba26439dd30a752262582b0d02933  Trojan.Win32.FICKLESHADE.YXFCN
045a1cbcc99c53c092bb61d43b89a6f7308fd01d9ceaeb9a72bbf81669dcbef8  Trojan.Win32.FICKLESHADE.YXFCN
cd301bdc07518027567a5ed242ae2075f9f0bdf73315e99d4d949280f151fefe  Trojan.PS1.FICKLESHADE.YXFCR
405d1dcdbba56bce99a308734c39ac8ca62ffb55dbd69565293a79b468e4dad1  Trojan.PS1.FICKLESHADE.YXFCN
f381a3877028f29ec7865b505b5c85ce77d4947d387d3f30071159fa991f009a  Trojan.PS1.RHADAMANTHYS.YXFCG
0ac748baaad6017e331a8d99aae9e5449a96ba76fb7374f5d8c678ae52b7db9f  Trojan.PS1.FICKLESHADE.YXFCN
8833f2a6e84c91e31ae65e5ab269b362f7d4c2a2af63d760fe5b6452b9ecba96  Trojan.PS1.FICKLESHADE.YXFCN
47dc344e945a0170c1f69caf1cf5d63bca22239e17f7df1a01e6235484fa0593  Trojan.PS1.FICKLESHADE.YXFCN
590512bf29e2a4a006f8cc76a931f14778f599fa14c9f0a935a16d7394e08422  Trojan.PS1.FICKLESHADE.YXFCN
1bce694f9f811982eb01d381a69cdd56c3fa81d113e41b5acb902ec66ec942b1  Trojan.PS1.FICKLESHADE.YXFCN
761690343f0577df22e7130a5efdf54ea246214395cbc94ac91ae91aab78a76c  TrojanSpy.PS1.NEGASTEAL.YXFBSZ
badb915188b5292cb1a22624aa386ab0ad8279d5bd2678926123560ecffe0e0c  Trojan.PS1.FICKLESHADE.YXFCN
f3988f4c889e6ae79b7ebde97a677e2abfc89c53ffc800a8954b713d317232d3  Trojan.PS1.FICKLESHADE.YXFCN
6df96984d5ba709282b6c92287262bd81f980811b58b0c03b9b421ba1e580c6b  Trojan.PS1.FICKLESHADE.YXFCN
ad95786b2402c6a2cc36a513937a10503aff74e180ea1213cbfe40ca820d3b13  Trojan.PS1.FICKLESHADE.YXFCN
b3ed3f2bc5334e54ca8d6020d37da0764f123fa5717638229422bd95a028097b  Trojan.PS1.FICKLESHADE.YXFCN
20da5e4736a91eb6aa55892d1497c724fb16767da43ccf3227db5c9647bb0793  Trojan.PS1.FICKLESHADE.YXFCN
e71e6b81c46aab4760840369e3ffe6ac80a9e6a2e62fc7e563265ed37efd695a  Trojan.PS1.FICKLESHADE.YXFCN
b7b72d141ed56c8e5a924dfa959771548883b88e84646150447f85eb97f88e62  Trojan.PS1.FICKLESHADE.YXFCN
60f5d8eadaba230b95339011daf4800f81e35ac721bf908f68ed8191388addcb  Trojan.PS1.FICKLESHADE.YXFCN
9854322760307c04aacd78f136e4d1496950811ee2f24978915d7cd322ecb36c  Trojan.PS1.FICKLESHADE.YXFCN
6ca1f674e54a2d2f12c387403cba885037ede153e16ec4f6e1ddd216ba897215  Trojan.PS1.FICKLESHADE.YXFCN
105303ae231b9e2fee43c82afac59249593155bbf7bfdc51eda49cb50351857f  Trojan.PS1.FICKLESHADE.YXFCN
86e4115111e88bbaf09fe73cfc8255a4aac64f7ffed4a3229bbc8d626566f0c8  Trojan.PS1.FICKLESHADE.YXFCN
94ee2227696da3049ff67592834b4b6f98186f91e6d1cd1eeec44f24b9df754b  Trojan.PS1.FICKLESHADE.THLACBD
97a766db470c44347b65a0bc282582f96a47d96ed8d7946f4da33775d384033a  Trojan.PS1.FICKLESHADE.SM
47e4142fa6ab10a2d7dc0423d41f9bdbb3ced0f4fae5c58b673386d11dd8c973  Trojan.PS1.FICKLESHADE.THLACBD
cedf4589428ae05d3d2dca1d1bd7fa28f6cafe54a077a6090f873053e04fd5ce  Trojan.PS1.FICKLESHADE.SM
bb563180196989dcee91417aa56d6f1bfc9320b2427536c200dffcd784774906  Trojan.PS1.FICKLESHADE.SM
691087ec9b50022d3e23695c0b41e2927cb4c4825a1f5fd7e2f21ae3465e8973  Trojan.PS1.FICKLESHADE.YXFCR
969c7ee8709a519c4a4878b230d4ba7f81fb9563320b5983f8f1f95d4d215ece  Trojan.PS1.FICKLESHADE.SM
ba195a227fb76e8820d6db36cd00c89095b88faf01471fcdd9c0c7de61a63a5d  Trojan.PS1.FICKLESHADE.SM
e31ce5803bb68222eeac117614ddb92ed3c137bcf129f873d44960ab9d8bab33  Trojan.PS1.FICKLESHADE.SM
cfafc9b2d6cbc65769074bab296c5fbacc676d298f7391a3ff787307eb1cbce0  Trojan.PS1.FICKLESHADE.YXFCR
3761060c509b9444bdd3d0e65d7f68e39ff5c52fa87fdc59db02c1553e21e403  Trojan.PS1.FICKLESHADE.YXFCN
e0ae6b6cfd6544a02517e91b74bda9d5cb98674dc04609743de012354c2cdf22  Trojan.PS1.FICKLESHADE.YXFCR
af4d26b987093be6b442e655ffdafa8e1542e80f6a47a6895aa523f2f180025c  Trojan.PS1.FICKLESHADE.YXFCR
9d2aaa8672d583af4c03c23127d6cac509799a49ff9293ed63628d5b710b7528  Trojan.PS1.FICKLESHADE.YXFCR

=================
DarkWisp backdoor
=================
[SHA256]                                                          [Detection]
ef8c99b57ff01d2267c6d946347f450bd4b92cea56fbd0bb36f0bc9de985ff83  Backdoor.PS1.DARKWISP.YXFCD
d150d8d8bfa651c0e08a10323ecb0bccf346a35bd1bad19f89a5338acd8a88b3  Backdoor.PS1.DARKWISP.YXFCD
1a0103eb4ba83b978d6f006225d6b7b80c5b21948715c0d78d3643a306d4d2e0  Backdoor.PS1.DARKWISP.YXFCD
b9ea588642ea77d39ccafab329c2f10718f2c7771e2ee77a0c6deda285a48de8  Backdoor.PS1.DARKWISP.YXFCD
9637506691705b2ffa90ff6b46fb71f11125dffabb19f3e89fd1bfb1f4caa223  Backdoor.PS1.DARKWISP.YXFCD
57ba0a5be8b2dfa2a7da564f1c50fd277212743e33e392af924da6eeb997e5db  Backdoor.PS1.DARKWISP.YXFCD
f8a607e3214f4c98e7bff5f3822d0b0fffa0b9035d8e17acac3d51f862c80c5d  Backdoor.PS1.DARKWISP.YXFCD
6f07d75356b3698b885ff6070c338a7d96b9f761ab6350b385288842006dff24  Backdoor.PS1.DARKWISP.YXFCD
3009e864d40d67f803481fd7f4f8a38f46eb5dbf0c9a0b6922c11c2121ec50c6  Backdoor.PS1.DARKWISP.YXFCD

=================
EncryptHub stealer
=================
[SHA256]                                                          [Variant]  [Detection]
677601f72181c53541f850248dd0904153ea62458489d7aa782149b93399ebd8  A          TrojanSpy.PS1.FICKLESHADE.YXFCD-A
b29e630b9c70b0daaba4f83489494444c04c7a470b9c24eb4ddffb6cd7cf05ff  A          TrojanSpy.PS1.FICKLESHADE.YXFCD-A
f4b5bf7a2501c26e1f7306ad78f7c6fb2637fde652aa303a3a51c53c98ed3c10  B          TrojanSpy.PS1.FICKLESHADE.YXFCD-B
c13fb67beec7f1737234483ad8d333ff77dfce804ec5c945b45fed448f272074  B          TrojanSpy.PS1.FICKLESHADE.YXFCD-B
49a552d3adbcad9f5ac70151b48a4edc2ae1d4094a1ea9d944785cee8b4319d7  C          TrojanSpy.PS1.FICKLESHADE.YXFCD-C
90b7b711f56f00a1fa08a7a29f2cd8602b8aa1a0d78986dbfc9f64e38ac6cecd  C          TrojanSpy.PS1.FICKLESHADE.YXFCD-C
6ea8d7b27d2a6c0e08886f55ef810d66788d973739218270ae38c126a71ed530  C          TrojanSpy.PS1.FICKLESHADE.YXFCD-C

[Filename]                            [SHA256]                                                          [Detection]
program.exe (Browser stealer module)  ecb7ee118b68b178e62b68a7e2aaee85bafc8b721cb9cee30d009a0c96e59cef  TrojanSpy.Win64.FICKLESHADE.YXFCM

=================
Encrypthub.ppkg
=================
[SHA256]                                                          [Detection]
97b6dc6f61b1eebb32a1e62a62680ad9814e535e40d8cd3d01583e7b1db127e8  Trojan.Win32.ENCRYPTRAT.YXFCW
e2f5b088daeca178bf05464d05d33b365e315b53704655042847cf6db048f2d2  Trojan.Win32.ENCRYPTRAT.YXFCV
ecc8e7e5353c814ff7f66c278a19723b5769d53c49f69c3487d495fbc882a8b9  Trojan.Win32.ENCRYPTRAT.YXFCV
bbaba3d086a38405ef816d97c76a98fefb0e49d899f61de53c44f38142356f3a  Trojan.Win32.ENCRYPTRAT.YXFCW
feab6172448d2a1db08a68cbe2f8bcf1876a1ed120a56c5913581c5e444e7b28  Trojan.Win32.ENCRYPTRAT.YXFCV

=================
Malware distributor
=================
[Filename]                            [SHA256]                                                          [Detection]
skotes.exe                            079b7f03c727de92c3fcb7d3b9b9fea6d1e9ffdcd60dc9a360af90ce7b4b5cc6  TrojanSpy.Win32.LUMMA.YXFCV
                                      17a916728f5bfa2af55565e0e73a04cbc52f4d872fb41e1a4cedcc43c5a7a7d3  TrojanSpy.Win32.LUMMA.YXFCV
                                      4a75b84c305f8e8fa98641e5a57f35cb3a51887a89d1291620359c2b60882f6a  TrojanSpy.Win32.LUMMA.YXFCV
                                      04a43023637cfdee72e1fdbf7dd38ac442bdf2779d0450e20966f68119fa5a6a  TrojanSpy.Win32.LUMMA.YXFCV
                                      e77423214cfc184f3b41bdd539024d466bd5a94c91cfaa65d4e831410a8a8f94  TrojanSpy.Win32.LUMMA.YXFCV
                                      cff9c5a87b3fb5961ddf59dfa0558c5b63503f89905e2a81ccd405e333408e72  TrojanSpy.Win32.LUMMA.YXFCV
                                      4ab440989c4130b4bdc183c8b2c878f0e1931dc38bbea5b8531c876202865b3e  TrojanSpy.Win32.LUMMA.YXFCV
                                      a04365c2804ed63ea0cadba4fa4ffc2e0541a09059abc0e046ee57ef1645ab64  TrojanSpy.Win32.LUMMA.YXFCV
                                      75b0971a19e9c80efd47b6197dce666955e1fb0a05c152d1fe37c7e511a01db1  TrojanSpy.Win32.LUMMA.YXFCV
                                      ee07759184ecaf4e0ef0a2981dccfc5b6c4da43a14a7beb002ae06c95a145dcc  TrojanSpy.Win32.LUMMA.YXFCV
                                      ca22e7b954277659a308ef321a67516689a24c51aea7ac3c5f2d76a583b11530  TrojanSpy.Win32.LUMMA.YXFCV
axplong.exe                           2a5f9198f1e563688a2081b746bdaf48d897ec0ae96dfafc15cd5cd52c25e8f2  TrojanSpy.Win32.LUMMA.YXFCV
                                      1db9c8c816d6d5871c463da46c91864d780d933363b425983206b76c9df09e08  TrojanSpy.Win32.LUMMA.YXFCV
                                      95768bc40bb040d0c07c23f566cc20df0651fc14714e617b3f4b7ed3c6b7e5dd  TrojanSpy.Win32.LUMMA.YXFCV
WEXTRACT.EXE .MUI                     5752efa219c7e42cb104917f38c146e1f747d14230be0e64a5e87c20e82075bb  TrojanSpy.Win32.LUMMA.YXFCV

=================
Related modules
=================
[Filename]                            [SHA256]                                                          [Detection]
ram.exe                               bad43a1c8ba1dacf3daf82bc30a0673f9bc2675ea6cdedd34624ffc933b959f4  TrojanSpy.Win32.RHADAMANTHYS.YXFAKZ
                                      fcfb94820cb2abbe80bdb491c98ede8e6cfa294fa8faf9bea09a9b9ceae35bf3  TrojanSpy.Win32.RHADAMANTHYS.YXFAWZ
ram.ps1                               b4f66a5e2876e04db93aae029049a07efed2d6dca05c89c393fe5aba03b949a7  Trojan.PS1.RHADAMANTHYS.YXFCG.dldr
stealc.ps1                            025cc7b328b7558d899677dd98e2d78a72da96be3b57d7ce437876ce85783ef5  Trojan.PS1.STEALC.YXFCR
stealc.exe                            105cecd049c1be5820d6286611dfc37a8c7e511543b0edddbf74c6b6914b96ac  TrojanSpy.Win32.STEALC.YXFCT
anydesk.ps1                           7a51a25c1d451a37a28b08290149bed05d82ffa305a5c9a86576046a324a25dd  Trojan.PS1.DOWNLOADER.YXFCR
hvnc.ps1                              54a30d5c66ab34e7d5f803d6d35316a42bcdd6bb0470fbe85979b31442a7c220  Trojan.PS1.DOWNLOADER.YXFCT
antivm.ps1                            d56afa4e4c8adb6232d0ebab0527b9fbc6b2619ebe1f39d06952877eeb2d195c  Trojan.PS1.KILLPROC.YXFCV
taskmaker.ps1                         bf3e01de4c7af551c4f39aaac09763a71d4bac03126ac9de426f0d51dc970eec  Trojan.PS1.ENCRYPTRAT.YXFCW

=================
C&C servers
=================
82[.]115[.]223[.]182
fuckedserver[.]net
malwarehunterteam[.]net
b8-crypt0x[.]com
global-protect[.]us
encrypthub[.]net
encrypthub[.]org
blackangel[.]dev
ciphercall[.]net
cryptolabstudio[.]com
raw[.]githubusercontent[.]com/encrypthub/steal/main/
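Before this appendix can be matched against telemetry, the "[.]" defanging has to be undone, the hashes case-normalised (the page itself lists one hash with an uppercase leading digit), and the one GitHub raw URL handled as a host-plus-path prefix rather than as a host, or every legitimate raw.githubusercontent.com fetch in the estate gets flagged. The parser and matcher below are an added example, not code from the report or from Trend Micro. It assumes the plain-text layout used above (a section name between two rows of "=", bracketed column headers, one indicator per row); the appendix excerpt it embeds is a handful of this page's own indicators, and the proxy log lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Constructed excerpt of the appendix in the page's own layout. The uppercase
# "B29e..." spelling is the page's own; it is kept to show case normalisation.
IOC_TEXT = """
=================
MSI
=================
[Filename]                       [SHA256]                                                          [Detection]
DingTalk_v7.6.38.122510801.msi   cbb84155467087c4da2ec411463e4af379582bb742ce7009156756482868859c  Trojan.Win32.RHADAMANTHYS.YXFCR
                                 015f0fdf24a19b98447fab5fa16abf929c1cf9be33e9455ce788909dd5a8dbfe  Trojan.Win32.RHADAMANTHYS.YXFCT
=================
EncryptHub stealer
=================
[SHA256]                                                          [Variant]  [Detection]
B29e630b9c70b0daaba4f83489494444c04c7a470b9c24eb4ddffb6cd7cf05ff  A          TrojanSpy.PS1.FICKLESHADE.YXFCD-A
=================
C&C servers
=================
82[.]115[.]223[.]182
encrypthub[.]net
raw[.]githubusercontent[.]com/encrypthub/steal/main/
"""

# Constructed proxy log lines (not from the report): time, client, host, path.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.0.0.5 encrypthub.net /gate
2025-03-01T10:00:02Z 10.0.0.5 raw.githubusercontent.com /encrypthub/steal/main/ram.ps1
2025-03-01T10:00:03Z 10.0.0.7 raw.githubusercontent.com /python/cpython/main/README.rst
2025-03-01T10:00:04Z 10.0.0.9 82.115.223.182 /
2025-03-01T10:00:05Z 10.0.0.9 cdn.encrypthub.net /x
2025-03-01T10:00:06Z 10.0.0.9 notencrypthub.net /
"""


@dataclass(frozen=True)
class FileIoc:
    section: str
    filename: str   # inherited from the row above when the column is blank
    sha256: str     # always lowercase
    detection: str


@dataclass(frozen=True)
class NetIoc:
    indicator: str  # refanged "host", "ip" or "host/path-prefix"


def refang(indicator: str) -> str:
    """Undo '[.]'-style defanging and drop any scheme. The host is lowercased;
    the path is left alone because paths may be case-sensitive."""
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator.strip())
    s = re.sub(r"^(?:hxxp|http)s?://", "", s, flags=re.I)
    host, sep, path = s.partition("/")
    return host.lower() + sep + path


def parse_iocs(text: str) -> tuple[list[FileIoc], list[NetIoc]]:
    files, net = [], []
    lines = [ln.strip() for ln in text.splitlines()]
    rule = [bool(ln) and set(ln) == {"="} for ln in lines]
    section, last_name = "", ""
    for i, s in enumerate(lines):
        if not s or rule[i] or s.startswith("["):       # blank, rule, column header
            continue
        if i > 0 and rule[i - 1] and i + 1 < len(lines) and rule[i + 1]:
            section, last_name = s, ""                   # "=== / name / ===" block
            continue
        m = HASH_RE.search(s)
        if m:
            name = s[: m.start()].strip() or last_name   # blank column inherits
            tail = s[m.end():].split()                   # [variant,] detection
            files.append(FileIoc(section, name, m.group(0).lower(), tail[-1] if tail else ""))
            last_name = name
        elif "[.]" in s:                                 # defanged network indicator
            net.append(NetIoc(refang(s)))
    return files, net


def match_hashes(files: Iterable[FileIoc], observed: Iterable[str]) -> list[FileIoc]:
    """Exact SHA256 lookup; both sides lowercased so mixed-case input still hits."""
    index = {f.sha256: f for f in files}
    return [index[h.lower()] for h in observed if h.lower() in index]


def match_host(net: Iterable[NetIoc], host: str, path: str = "/") -> Optional[NetIoc]:
    """A bare host/IP indicator matches itself and any subdomain. An indicator
    carrying a path (the raw.githubusercontent.com entry) matches only when the
    request path starts with it, so the shared host is not flagged wholesale."""
    host = host.lower().rstrip(".")
    for ioc in net:
        ioc_host, _, ioc_path = ioc.indicator.partition("/")
        if host != ioc_host and not host.endswith("." + ioc_host):
            continue
        if ioc_path and not path.startswith("/" + ioc_path):
            continue
        return ioc
    return None


def scan_log(net: Iterable[NetIoc], log: str) -> list[tuple[str, str, str]]:
    """Return (client, host, matched indicator) for every log line that hits."""
    net, hits = list(net), []
    for line in log.splitlines():
        _ts, client, host, path = line.split()
        ioc = match_host(net, host, path)
        if ioc is not None:
            hits.append((client, host, ioc.indicator))
    return hits


if __name__ == "__main__":
    files, net = parse_iocs(IOC_TEXT)
    print(f"{len(files)} file IOCs, {len(net)} network IOCs")
    for hit in scan_log(net, SAMPLE_LOG):
        print("network hit:", hit)
    for f in match_hashes(files, ["CBB84155467087C4DA2EC411463E4AF379582BB742CE7009156756482868859C"]):
        print("hash hit:", f.filename, f.detection)
```

Feed the whole appendix above into parse_iocs instead of the excerpt and the same functions work unchanged. The detection names are vendor-specific labels rather than matchable indicators, so they ride along as context only; the subdomain and path-prefix rules in match_host are the two judgement calls a practitioner should review before turning this into a blocking rule.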