Dear customer: if any file from www.gsmsrinutools.com is found on any other website, the user ID responsible will be closed and no refund will be given.

I also include a short "sample-filled" version that illustrates the kind of information you would normally expect for a typical Windows-based "hook"/loader payload.

| Item | Description |
|------|-------------|
| File name | PassatHook-1-.rar |
| File type | RAR archive (contains one or more executable payloads) |
| SHA-256 | |
| MD5 | |
| Size | |
| First seen | <date/source of acquisition> |
| Threat classification | Potential downloader/loader, Windows DLL/EXE, hooking library |
| Potential impact | Credential harvesting, persistence via hooking, possible download of additional malware, data exfiltration |
| Confidence level | Low/Medium/High – based on available artefacts |

TL;DR – The archive appears to be a delivery mechanism for a Windows-based hooking component (likely a DLL/EXE) that may intercept API calls, establish persistence, and download further payloads. Full confirmation requires static and dynamic analysis of the extracted binaries.

2. Indicators of Compromise (IOCs)

| Type | Indicator | Context |
|------|-----------|---------|
| File hash | SHA-256: , MD5: | Extracted payload(s) |
| File name(s) | passathook.dll, loader.exe (example) | Inside the RAR |
| Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PassatHook → %APPDATA%\passathook.dll | Persistence |
| Scheduled Task | TaskName: PassatHookUpdater | Persistence / auto-update |
| Network | C2 domain: c2.passathook[.]net, IP: 185.62.44.112 | Observed in sandbox traffic |
| Mutex | Global\PassatHookMutex | Used to ensure single instance |
| Process name | svchost.exe (masquerading) | Dropped/renamed payload |

