🚨 Update Your Detection Rules: New In-Memory Loader

We caught a highly evasive #HanGhost loader, designed to bypass traditional detection through layered obfuscation and in-memory execution. This activity targets corporate users handling payments, logistics, and contract workflows, expanding exposure across critical operations.

⚠️ The delivery chain combines obfuscated JavaScript, hidden PowerShell execution, and environment-variable staging.

In the second stage, the loader retrieves an image file and extracts an encrypted payload embedded at the end of the file, combining steganography with in-memory loading and making detection significantly harder ❗️

👾 The loader is used to deliver multiple malware families: #PureHVNC, #XWorm, #Meduza, #AgentTesla, and #Phantom, with some chains also deploying #UltraVNC, extending the impact from initial access to persistent remote control.

⚡️#ANYRUN Sandbox allows analysts to reconstruct the full execution chain, helping confirm complex multi-stage activity earlier and reduce MTTR.

🔗 JavaScript-to-Payload execution chain:

JS ➡️ PowerShell ➡️ in-memory .NET assembly ➡️ PNG payload ➡️ Malware
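The PNG stage above works because image viewers stop at the IEND chunk, so anything appended after it is invisible to a casual look at the "image". The following check is an added example (not ANY.RUN's code or a campaign sample): it walks the PNG chunk list, validates each chunk CRC, and reports any bytes after IEND; the 1x1 PNG and the appended blob are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_data(data: bytes):
    """Walk the PNG chunk list and return (offset_after_iend, trailing_bytes).

    A well-formed PNG ends with its IEND chunk; decoders ignore anything
    after it, which is exactly where an appended payload hides. Raises
    ValueError if the chunk structure itself is malformed or truncated.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header before IEND")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {ctype!r} chunk")
        # PNG CRC covers chunk type + chunk data (same polynomial as zlib.crc32)
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        if struct.unpack(">I", crc_bytes)[0] != expected:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        pos += 12 + length
        if ctype == b"IEND":
            return pos, data[pos:]

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC (used only to construct samples)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a minimal 1x1 RGB PNG, and the same PNG with junk
# appended after IEND standing in for an encrypted blob (not real campaign data).
_ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
_idat = zlib.compress(b"\x00\x00\x00\x00")
CLEAN_PNG = PNG_SIG + _chunk(b"IHDR", _ihdr) + _chunk(b"IDAT", _idat) + _chunk(b"IEND", b"")
APPENDED_BLOB = bytes(range(64))  # constructed placeholder for a hidden payload
SUSPECT_PNG = CLEAN_PNG + APPENDED_BLOB

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG)):
        end, tail = png_trailing_data(sample)
        print(f"{name}: IEND ends at offset {end}, {len(tail)} trailing bytes")
```

In triage, a non-empty trailing region on a file fetched by a PowerShell or .NET stage is a strong pivot point; the appended bytes can then be carved out for entropy checks or further analysis.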

📈 The campaign shows wave-based activity, indicating ongoing development and scaling:

March 26 — early cluster

April 1–2 — first large multi-family wave

April 3 — focused wave (PureHVNC / AgentTesla / Phantom)

April 6 — PureHVNC-heavy activity

April 7 — new peak with split between PureHVNC and XWorm/Meduza clusters

April 8 — multi-family wave (PureHVNC / Phantom / AgentTesla)

April 9–13 — more focused wave dominated by PureHVNC, with Phantom, DarkCloud, Formbook, and Meduza also present

👨‍💻 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/cc26155e-e8e9-442b-b000-8d1a1435e7db?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoservice&utm_term=130426

🔍 Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktotilookup&utm_term=130426#%7B%2522query%2522:%2522commandLine:%255C%2522bYPaSS%2520-Command%2520*iex%2520$env:%255C%2522%2522,%2522dateRange%2522:180%7D%20

👨‍💻 Equip your SOC with faster decisions and lower workload. See how #ANYRUN fits your workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=hanghost&utm_content=linktoenterprise&utm_term=130426

#cybersecurity #infosec

IOCs: