PureHVNC Deployed via Python Multi-stage Loader | FortiGuard Labs
Common Information
Type: Value
UUID: 323b8982-3c20-4ad6-ae3a-1f9cf3626d10
Fingerprint: ac140719243e8dde
Analysis status: DONE
Considered CTI value: 2
Text language: (not recorded)
Published: Aug. 8, 2024, 1 p.m.
Added to db: Aug. 31, 2024, 6:54 a.m.
Last updated: Nov. 17, 2024, 6:55 p.m.
Headline: PureHVNC Deployed via Python Multi-stage Loader
Title: PureHVNC Deployed via Python Multi-stage Loader | FortiGuard Labs
Detected Hints/Tags/Attributes: 72/2/35
RSS Feed
Id: 122
Enabled: (value not captured)
Feed title: Fortinet Threat Research Blog
Url: https://feeds.fortinet.com/fortinet/blog/threat-research
Added to db: 2024-08-30 22:08
Attributes
Type (#Events): Value (CTI Value column not captured)

Domain (3): drvenomjh.duckdns.org
Domain (3): vxsrwrm.duckdns.org
Domain (3): ncmomenthv.duckdns.org
Domain (3): ghdsasync.duckdns.org
Domain (3): anachyyyyy.duckdns.org
Domain (3): xoowill56.duckdns.org
Domain (3): float-suppose-msg-pulling.trycloudflare.com

File (137): conhost.exe
File (4): 'conhost.exe
File (380): notepad.exe
File (2): agent.ps

sha256 (1): 16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a
sha256 (1): 062c5f5e9cdfd731912b262297e963b6d5e1b1d114184728065522f46a5eef2f
sha256 (1): 2b7ee0ccfa45d2f53098cd8aa4ce73cb00ace462d8490e6843bf05cd07854553
sha256 (1): 430300b8c527259805d29ab3fd150d9d297004ff77346cc07753290d84e77e95
sha256 (1): 503ce7bcefdffb96b5de78254f947598a410b86d3aaf597c7334e248c46dae5b
sha256 (1): 55134d705ccf881d011af949ad2fc0aa80dc7af50fa4a9db29b665647b869aec
sha256 (1): 561f4b4e2c16f21b0db015819340fc59484e4994022c4cca46cf778006d5d441
sha256 (1): 6b4f058ba41e829ff993e61b288e55552af3d98f9cd62483eeff088b26f6ab9b
sha256 (1): 71b797032458aab9b4a1a203e7ca413f009af1961cffb98590e34f672574599a
sha256 (1): 7292316900a0971aec0a302bc3c6632902d820804ce3b2375a9953744cab1bd9
sha256 (1): 72ce64d50f9aa15b21631307d2143f426364634a7a2ee4b401ef76bd88c4ff3b
sha256 (1): 8bbdd3b41a03b86f246564a23e9acd48f74428f372c4bfb0a9a3af42511661c7
sha256 (1): 8d28191f647572d5e159f35ae55120ddf56209a18f2ca95a28d3ca9408b90d68
sha256 (1): 90995c621718ae65ca0af4deb10a9cb895bd494df40a7b34031b17efcc63114a
sha256 (1): b393323b9834656a2999198d4f02c1a159c6034d3c20c483d22a30aab3810c0c
sha256 (1): b3bb7064af80abef417e6e7775a7e14b0bd27233fd66c2252e714a4dd2ee9c21
sha256 (1): d4e8bf427c196d1d5ffca52a5af7162cc5cf4df730ee3fe65b4381ac79662a15
sha256 (1): e5f7efb35b7316c7ace1c322559fa9a8680ddb1ac15bef7d17e5b84c767f5b75
sha256 (1): 95a33ba5550747baf72e39b020e6215b6047983eda17250408cd6f4c16a93089
sha256 (1): 1967661f7c32607f7cfcb9053aeb8dea0a9d8f49979e729be77a43628c91469f
sha256 (1): 7c4e613cf4db19f54030097687227809f965a951a26a44a882692ece6e642e3c
sha256 (1): 441c4502584240624f4af6d67eded476c781ff0b72afe95ea236cc87a50e5650

Url (1): https://float-suppose-msg-pulling.trycloudflare.com

Windows Registry Key (29): HKEY_CURRENT_USER\Software