SHA256HighVerifiedSignal 90/100
00000006e9d3a7e85d1f1e7711787b9a117655e249a565122ee12e9962199007
Location
First Seen
Dec 14, 2024
Last Seen
Jun 10, 2026
Found in 5 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
90%
Signal Score
90 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
5 reports90% confidence
5
Source reports
90%
Confidence score
Category tags
30000s802.11 protocolaaaaabout contactabuseacademic institutionsacceptaccessaccess contactaccess ob0005access typeaccess windowsaccount compromiseaccount securityactive relatedactive scanactive scanningadd tagadded activeaddressaddress domainaddress googleadmin cityadmin countryadmin sdkadministrative accessadobeadobe dynamicadvanced educationadversary tagsaerospace & defenseafeapaffected _and_fixedafricanagentahmannahmann specialaioseoalbertaalbertandpalertsalfperalienvault otxalienvault_ransomwarealive thailandall algorithmall domainall filehashallocates_rwxalvoesamazonamericaamerica asnamerica flaganalysis dateanalysis ob0001analysis ob0002analytics naanchor hrefsandroidangry quasianguillaansianti-analysisanti-vmantiavantivm_generic_biosantivm_memory_availableanycastanycast ogapacheapache xapi explorerappdata localappleapple ipadosaptarchardoarialarmadillov171arubaasciiascii textasiaasia pacificaslraspenaspen oneatlantaattattackaura stealeraustraliaauthentication attemptsauthorityauthorizationautomated analysisautorunav detectionsb8glwdbackdoorbad reputationbaglebangatbankers documentbarbadosbb c7bc a1behavior pidbgs6mbbig screenbinarybinary filebitcoinbjwmcebl2edge1520 refblackie virusblobblockchainblvdbmxagcbodybody doctypebotname httpbotnetbotnet activitybrian sabeybrian sabeybringbrockdorffbrowsebrowse tbrute forcebrute force attackbuildbuild webbundledbypassc tmpsamplec0002 wininetc2c2 communicationc2 ipc2 resolutioncallcallscalls processcanadacapacapecape_detected_threatcape_extracted_contentcapturecapture t1140carries http referercat antiviruscat-themed domainscatalogcatalog treecauliflowercc fdccus asnas33070certcert validitycfraych uachachachainchangedchanged datachannelchatcheat servicecheckincheckschecks adapterchecks systemchecks-usb-buschecks-user-inputchi2 md5china asnchina unknownchristopher ahmannchromechrome ucircus with magiccitycivil servicesciztgbck idck idsck matrixck t1027ck techniquesclassclickclick-based attackclosecloud backupcloud gatecloud infrastructurecloudflare dnscloudfrontcnamecnccobalt strikecodecode executioncode injectioncode overlapcode signingcolorado statecom tektonitcombellcommandcommand & controlcommand and controlcommand decodecommand executioncommand historycommand linecommodity contracts intermediationcommunication protocolcommunication technologiescommunity managementcommunity scorecompromised host detectioncomspecconnect nacontactcontacted hostscontent homecontent lengthcontent sharingcontent typecontrol ob0004controls t1562cookedcookiecopycopy md5copy sha1copy sha256copyfileexwcorporate lawcosta ricacounselcountries addcountrycountry malwarecountry namecouriercoverupcreation datecredential abusecredential accesscredential brute forcecredential harvestingcredential stealingcredential stuffingcredential theftcrimecrlf linecrowdsourced rulecry deecrypto exchangecrypto miningcrypto walletcryptocurrencycryptographic failurescryptographically unsoundcuraçaocus odigicertcustomcustom rulescvecve analysiscxxawbcyber crimecyber warfared4 dcdahua backdoor attemptdanica implantsdarkdark web mentiondatadata accessdata breachdata collectiondata copyingdata encryptiondata exfiltrationdata leakdata leakagedata manipulationdata protecteddata store exposuredata theftdata transferdata uploaddays agodcerpc protocolddosddos attacksdeautherdecentralized financedefensedefense contractingdefense evasiondefense logisticsdefense systemsdefense technologydeletedelete cdeleted documentsdeletefilewdelphidenial of servicedenial-of-servicedenmarkdenverdenver highmarkdenver musicdestination unreachabledetail infodetect-debug-environmentdev0537df bitdicator roledigital currencydigital mediadigital platformsdirectoi t1222disable_duckdisabled hashdiscovery attdiscovery t1069distributed attacksdiv divdive intodll sideloadingdnsdns attackdnssecdockdoctype htmldocument filedoddoesdohdomaindomainsdominetdosdotnetdownlink rttdownloaderdoxingdran anudrivedrive-by attackdrive-by compromisedrop ordrop resolverdropped childrendropped infodrops pedrupaldumpdumpsduration cuckoodynamicdynamic apidynamic dnsdynamicloadere1203 windowsec dfedgeedgec25edgeview driveeducationeducational resourceseducational serviceseducational technologyelectronic health recordselementelexelfelf executableelf geomielf32elf64 operationemailemailsencryptencryptionendianenergyenergy distributionenfalengineenoughenterenter scenter soenter sourceentertainment technologyentityentriesentropyenv crawlerepseregec4erroresign act violationet infoet policyet toretag wethics violationethiopiaeuropeeurope/asiaevasion attevasion ta0005eventevent categoryexchange allexchange ogexcludeexclude dataexclude suggesexeexe uploadexec amd6464executable fileexecutes-dropped-fileexecution flowexitexpiration dateexpires sunexploitationexploitation activityexport viewexternal ipextortionextrextr dataextraextracextractextraction dataextri dataf0002 pollingf4 cafailedfailed int.&primefakeavfastfastest privacyfastly errorfatal errorfederal crimefevhcfffssfilefile-based malwarefile-hashfiler datafiler filehuonfilesfiles cfiles domainfiles ipfiles locationfiles relatedfilet cefilet filerfilet filetfinfinancefinancial crimesfinancial malwarefindfind cfind sfind sufirst dnsfirst pqcflagflag unitedfloxiffloxif.afolderfor privacyforbidden accessforgeryformatformbook malware activityfoundfoundryfragmentation attackframe injectionfrance asnfraudfreefri janfri octftpfull namefull pathfull reportsfunctionfusiong2 cgather victimgbdyllogdlnamegeckogenco labsgeneral fullgeneratorgeneric httpgeoid nogermanyget helloget httpget icarusget keyget nagetkeygirls doporngithubglobalglobal g3globalcglobalggolanggooglegoogle appgoogle dnsgoogle hostedgoogle taggooglechrome ugovernment technologygrahamgraph summarygravity ratgreengreen wellgreygroups addguardguest systemguidh1256hacker knownhackershackingtrio uahall renderhandlehdtvheadhealth care and social assistancehealth information technologyhealthcare information systemshellohelphelp filesheurheuristic octhiddenhighhigh automatedhigher educationhighesthijackloaderhistoryholy see (vatican city state)home oghong konghorrible oversighthospital managementhosthostilehostinghostnamehostname addhostname enumerationhostshourly rlhrefhtmlhtml documenthtml internethtml publichtml titlehttphttp attackhttp brute forcehttp gethttp performshttp scannerhttp traffichttpshttps domainhttps httphua muicalulhybridiad6icator roleicmpicmp delphiicmp trafficicmpv4 protocolidentity & access exploitationidsids detectionsieedgeiframe tagsigorimageimpactimphash pehashinboundinc cndigicertincludeinclude datainclude reviewincluded iocsincluded reviewindiaindicatorindicatoreindicators hongindicators showinfection chain analysisinfection dnsinfiltrationinfoinfo checksinfo ta0011inforinformant targetinginformation gatheringinformation technologyinformation theftinfostealerinfostealer_browserinfostealer_cookiesinfostealing malwareinfrastructure acquisitionreconnaissanceingress tool transferinjectinjectioninjection activityinjection t1055injection_inter_processinput validation bypassinsertinsight taginstainstallintelintel 8038intellectual property lawinternal imageinternet is implodinginternet of thingsinvestigative journalist targetinginvolved directinvolved dnsiociocsionosionosasiosios malwareiot botnetiot securityiot/ics attackipv4ipv4 addipv6iran unknownirelandit infrastructurejapan as2514japan as9365john marshalljoinjoshjsonk-12 educationkey identifierkey usagekeylogkgs0kgso activitykhtmlkl0hsykls0klso activityknown torkongkqhykbl4ke.aff3ct.216labs pulseslang clapsuslateral movementlaw practicelaw schoollayer protocollearnlearn morelegallegal consultinglegal professionlegal researchlegal sector targetinglegal serviceslegal technologylengthlesslevelblue labslevelblue openlibretv metalinenumlinuxlinux subsyslinux verdictloaderloadslocalloggerlogging t1568long-sleepslookup countryloopia ablos angelesloudoun countylowfilsymslummac2maasmachinemachine labelmachomagicmailmainmalaysiamalicious activitymalicious domainsmalicious downloadmalicious linksmalicious powershell activitymalicious softwaremalwaremalware analysismalware c2malware distributionmalware installationmalware investigationmalware trafficmanually addmanualymarkmarkusmatch infomatch lowmatch unknownmatches datamatches edolavdmatches matchesmazemediamedia & entertainmentmedia centermedia contentmedia distributionmedical servicesmediummemory dumpingmemory patternmenu closemenu homemetametadata analysismexicomicrosoft rootmilitary operationsmineminiuser avatarminutes agomiragemiraimirai botnetmirai variantmisc activitymisc attackmissmiss datemiss xtimermissing documentsmitre attmitre attackmobilemobile carriersmobile networksmobile secmobile securitymobile threatmodelmodel secmodify systmodify systemmodify toolsmodule loadmodulesmonitored targetmonitoringmonth agomovedmoviemozillampgph131 hrmpgph131 lgms defenderms windowsmsiemsudosos ipv4mtu denialmufanommultimedia productionmusic frontmutexes globalgmutexes nothingnaikonnamename filename responsename servername serversname tacticsname unknownnation-state activitynational securityneedednemtihnenshinetherlandsnetwalkernetwork activitynetwork anomalynetwork attacksnetwork communicationnetwork denialnetwork disruptionnetwork droppednetwork infonetwork intrusionnetwork intrustionnetwork probingnetwork protocolnetwork reconnaissancenetwork scannetwork scanningnetwork securitynetwork traffic analysisnetwork_httpnetwork_icmpnetwork_ircnew caledonianew threatnextnext associatednidsnids_alertnids_malware_alertnjratno entrino entrieotoundnode trafficnon secure workflownorth americanortonnoscriptnot availablenotifynull targetnumberobjectoc0006 httpoceaniaoffsetogoogle trustoil & gasok serverole fileollydbgolyxonlineonline harassmentonlogon rlonlvopenopen source intelligenceopen threatopen threat exchangeopensslopenurl coperating systemoperating system securityoproporganized crimeorgidoriginal fos linuxosintother services (except public administration)otxotx logootx telemetryoutboundoutbound trafficoverlayoverview zenboxpackedpacker_entropypackingpacking t1045parent pidpassive dnspassword attackspathpath mtu discoverypath traversalpatient carepattern matchpavlovpayloadpayment apppayment fraudpca statuspdfkitpe filepe packerpe sectionpe32 executablepe_featurespeexepegasuspehash externalperforms dnspersistence_autorunperupexephilippinesphishingphishing attackphoenixphp exploitationphysical securitypipespiracypkcspleaseplugxpm sizepolandponmocup postpornpornhubportportalportal openpossible data breachpostpotential data exposurepotential intrusionpower generationpower systemspoweredpp mafiapragmaprefetch1 ansiprefetch8 ansipresent aprpresent augpresent decpresent febpresent janpresent julpresent junpresent marpresent novpresent octpresent sepprivate buildprivate serverprivilege abuseprivilege escalationproc indicativeproccpuinfoprocessprocess createprocess detailsprocess injectionprocess lprocess monitorprocess t1057process_creation_suspicious_locationprocesses extraprodqprogramfilesdirprotocol exploitationprotocol t1105protonproton suiteprovidepublic administrationpublic folderpublic infrastructurepublic policypublic tlppulsepulse indicatorpulse providepulse pulsespulse submitpulsespulses hostnamepulses nonepulses otxpulses urlpushpythonqshellquasiqueue securityrabusehandleransomransomwareratrcmprcmp abrcmp kelownardap databaseread cread filesreadsreads cpurecon_fingerprintreconnaissancerecord typerecord valuerecordsrecycle binredlineredmond techredrumreferen httpreference idreferences addreferences tryrefloadapihashregistry domainregistry keysregulatory agenciesregulatory compliancerelated nidsrelated pulsesrelated tagsrelated trurelocsremc t1070remoteremote accessremote access toolremote access trojanremote servicesrenewable energyreply uniquereportreport publishreport spamreports vreputation damagerequestresearchedreserved ipreserved ip addressresidential real estateresolved ipsresponse ipreturnreverse dnsreverse ipreview excludereview iocsreview locsreview occriseproriskrmsrms modulerolerole titleroot authorityrooterrootkitrurun keysrussiasabey stashsabey typesafe browsingsafenetsameorigin agesandboxsanssbom analysissc datascamscams & fraudscanscanidscaryscriptscript domainsscript scriptscript urlsscripting attacksse datase sharesearchsearch otxsecuresecurity intelligencesecurity scanseenselfsend feedbackserverserver caserversserviceservice scanservice statussessionidshellshimcachemutexshopify fbshopify ogshowshow processshow techniqueshowingside 3 studiossignal jammingsingaporesingapore asnsint maarten (dutch part)site kitsizeskykitslcc2slovakiasmear campaignsmuxsnapssocial analyticssocial engineeringsocial mediasocial media marketingsocial media securitysocial networkingsocketsoftware composition analysissoftware developmentsoftware exploitationsoftware supplysour delsouth americasouth koreasovaspamspanspawnsspecial counselssh attackssl certificatestarfieldstartupstate of coloradostaticstatusstealth_filestopstreamstreaming servicesstringsstwastylesubmitsubvert trustsuccesssuggessuggestsuggested essuggested iocssuggested ocssuitesupply chain attacksupply chain risksuricata alertssuspsynsystemsystem compromisesystem disruptionsystemd servicesysvt07 excludet1001t1003t1005t1007t1010t1012t1016t1016.001t1018t1021t1021.001t1021.002t1021.003t1021.004t1022t1027t1027 masqueract1030t1033t1035t1036t1036 indicatort1037.002t1040t1041t1043t1045t1046t1047t1048.001t1053t1053.005t1055t1055 processt1055.003t1056t1056.004t1057t1059t1059.001t1059.002t1059.004t1059.007t1060t1063t1064t1067t1068t1069t1069.001t1070t1071t1071.001t1071.004t1076t1078t1078.004t1082t1083t1086t1087t1090t1091t1095t1102t1102.001t1105t1106t1110t1110.001t1110.002t1110.003t1110.004t1112t1113t1114t1115t1119t1120t1129t1132t1133t1134t1140t1143t1147t1155t1179t1179 hookingt1189t1190t1192t1195t1195.002t1197t1199t1202t1203t1204t1204.001t1204.002t1205t1210t1211t1213t1222t1480t1480 executiont1485t1486t1490t1496t1497t1498t1499t1499.002t1499.003t1499.004t1505t1518t1525t1539t1542t1543t1543.002t1546t1546.015t1547t1548t1550t1553t1555t1561t1561.001t1561.002t1562t1563t1564t1565t1566t1566.001t1566.002t1566.003t1566.004t1567t1567.001t1567.002t1568t1568.002t1569t1569.002t1571t1571 encryptedt1573t1573 malwaret1573.001t1574t1574 dllt1583t1583.001t1583.003t1583.005t1584t1584.001t1587.001t1588t1589t1589.001t1590t1590.001t1590.005t1591t1592t1593t1595t1595.001t1595.002t1595.003t1598t1608t1608.002t1609t1614ta0004 processta505tag managementtag managertaiwan as3462tam legaltargeted surveillance campaigntaskjobtaskjob t1053tcp protocoltcphittektonit yaratelecomtelecom servicestelecommunicationstelnet threattelustemptexoragthailandthank youthemidathorthreat actorthreat actor activitythreat exchangethreat graphthreat hunting toolthustico datatitletitle addedtls ecctls snitls versiontls/ssl crawlertnulltocstuttop destinationtop sourcetortor analysistor exittor nodetotaltr sharedtrackertraefik defaulttraffic tcptransformed ogtreetreece alfreytrinidad and tobagotroja yaratrojantrojan malwaretrojandroppertrojar datatruly horribletrusted roottry shopifytsara brashearstsara brashears targetttl valuetulachtulach typetvnes datatwittertyp datatyp filettyp innicatadtypetype datatype indicatortype otypes ofu of au0131ua archua bitnessua fullua platformualbertaudp a83f8110udp connectionsudp includeukraineultimate fileunauthorized accessunicode textunifiuniqueunique asnsunique ruunit dataunitedunited kingdomunited statesunixunix shellunknown nsupatreurlsurls showus registrantuseruser engagementuser executionuser merkdusersusrbinid idutc amazonutc facebookutc gcfezl5ynvbutc googleutc linkedinutf8 textv2 documentv3 serialvalidvalid fromvalid usagevaluevalue avaryve9 xcachevendor findingverdictversion fileversion listversion secvictim targetingvirgin islandsvirgin islands, u.s.virtovirtoolvirusvirustotal analysisvirustotal apivpnvulnerabilitiesvulnerability scanw jeffersonwabotwarpwatchweb application attackweb application exploitationweb exploitationweb protocolsweb scrapingweb securityweb trafficwebshellweek agoweeks agowelcomewhitewhois lookupwhql cryptowifi deauthentication attackwifi displaywin32 malwarewin32upatre julwin32upatre sepwindirwindowwindowswindows malwarewindows ntwindows sandboxwine emulatorwininet c0005wirewireless attackworldwormworn datawp enginewritewrite cx applex msedgex509v3 subjectxmasxml titlexmsedgeref refxorxtremeratyarayara detectionsyara ruleyara rule matchyara signatureyara.trojan.remoteadmin-151yayihyegyes dumpyoutubezbotzbot trojanzbot variantzergzergecazergeca botnet
Activity Timeline
Jun 10Jun 10
Threat Activity Heatmap
· Peak: 2026-06-10LessMore
Mon
Wed
Fri
24h
0
Dormant
7d
0
Dormant
30d
1
Minimal
3mo
1
Minimal
Threat ScoreHigh Risk
90
SIGNAL
Signal Score
90%
Confidence
5
Reports
First seenDec 14, 2024
Last seenJun 10, 2026
Verified IOC
VirusTotal
Not checked
WHOIS
- description
- PE32 executable (GUI) Intel 80386, for MS Windows
- references
- www.joewa.com, Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name, Yara Detections: MacSync_AppleScript_Stealer , UPX ,, Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser, apple.k8s.joewa.com • joewa.com • http://apple.k8s.joewa.com/ • https://apple.k8s.joewa.com/, Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO, blackbox-exporter.lenovo-k8s.home.local.advena.io, http://blackbox-exporter.lenovo-k8s.home.local.advena.io/, https://blackbox-exporter.lenovo-k8s.home.local.advena.io/, https://blackbox-exporter.lenovo-k8s.home.local.advena/, Calls an API typically used to retrieve function addresses, load a resource T1129 Shared Modules Execution Adversaries may execute malicious payloads via loading shared modules. Learn more, Loads modules at runtime Looks up procedures from modules, (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007, https://cloudflare-dns.com/dns | cloudflare-dns.com, https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522, https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com, https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f, 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file), ‘Can't access file’ Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca, ‘Can't access file’[Found in Zergeca Botnet], IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI), IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io), Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections, IP’s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56, Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org, Crowdsourced SIGMA Below:, Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke, Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems), Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community, Crowdsourced IDS Below:, Matches rule ET POLICY External IP Lookup ipinfo.io, Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io), Matches rule ET INFO External IP Check (checkip .amazonaws .com), Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt, Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI), Unique rule identifier: This rule belongs to a private collection., geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi, https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO, Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/, crypto-pool.fr, iبامسلمون لمهمملممنامصناءواممساند | مطعم+ ممامام, Muslims have built, supported, and assisted. or Muslims: Support and Solidarity, LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado, IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST, IDS Detections: MVPower DVR Shell UCE • HackingTrio UA (Hello, World), IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution, IDS Detections: HackingTrio UA (Hello, World) • HTTP traffic on port 443 (POST), IDS Detections: Mirai Variant User-Agent (Inbound) • HackingTrio UA (Hello, World), IDS: Observed Suspicious UA (Hello, World), Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,, Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections, Alerts: cape_detected_threat, IP’s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184, IP’s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248, Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0], https://dns.google/resolve?name=SELECT, 31.6.16.33 • network.target [Found in Zergeca Botnet], multi-user.target • ootheca.top • network.target • ootheca.pw [Found in Zergeca Botnet], 84.54.51.82 • http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet], Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets, Since September 2023, according to an analysis by cyber security firm XLab CTIA., Address shows an place of origin: Broomfield , Co, Believed to be originating from Germany and Russia, BGP Hurricane Electric seen, Potentially Pegasus related . Found to be affecting an IOS device, Indicators seen may have affected a few OTX users. Is ongoing, Zergeca related URLs , URI’s , Domains, inaccessible files referenced, apple.k8s.joewa.com • joewa.com • com.apple, This pulse is so huge it’s a mess. Will break down., https://vtbehaviour.commondatastorage.googleapis.com/00000006e9d3a7e85d1f1e7711787b9a117655e249a565122ee12e9962199007_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775026717&Signature=P%2F3i0d%2BIUziFsVDwbIrETA3W8SZkGFTf3wlrvLmXvqfsRRGETKVexx%2FRUhepf6twXoZbd3ew9epae1DM%2BkYuoz%2FbTCjhBM7tT84GMZWqMB7xmN%2BcbhNt4IxbjX3H%2F1n7lZARIWNbDvRmIxuAO6gK1OdFXAmvXwp9uelNAWlT958ZX32XsGQzwQPfNna7LyY67bLa5eFdHy3eh2dZYEus2WXbJQtw743TkA5kOu2o0aoi0%2, https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark, https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada, https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96, https://www.virustotal.com/graph/embed/ge36545cffdc8444caaf69c36a825639183ebd69af93f48369156f4dfc5348f8d?theme=dark, https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027, https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027/iocs, cat-are-here.ru, Antivirus Detections: Unix.Trojan.Mirai-10028259-0 | Mirai (ELF) Mirai (Windows, Yara Detections: LZMA, IP’s Contacted: 32.227.223.238 107.74.143.88 69.196.71.159 96.16.197.80 101.80.61.229 125.101.205.34, IP’s Contacted: 16.85.50.206 215.160.125.18 40.71.227.8 57.122.151.130, All Domains Contacted: thekittler.ru newkittler.ru cats-master.ru, https://otx.alienvault.com/indicator/file/b57042ed9a7d7dbe1f7c7f32de74d2b367ee835d, https://otx.alienvault.com/indicator/domain/cat-are-here.ru, CloudFlare IP’s: 104.18.36.237 ,104.18.37.237, CloudFlare Domain: apple-dns.net, Cloudflare URL: https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js, https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js, http://213.209.143.24/ppc • http://213.209.143.24/rep.i486 • http://213.209.143.24/rep.sh4, http://213.209.143.24/x32 • https://250-mail.simswap.in • https://mail.simswap.in, http://kittler.ru/arm5 • http://kittler.ru/mpsl • http://thekittler.ru/rep.arm7, http://kittler.ru/rep.sh4 • http://kittler.ru/x32 • http://cats-master.ru/x86_64, sonymusicfans.com • forms.sonymusicfans.com • image.emails.sonymusicfans.com • url8878.e.sonymusicfans.com, https://forms.sonymusicfans.com/campaign/cannons-all-i-need-pre-add-pre-save/, https://forms.sonymusicfans.com/wp-content/plugins/smf-core/assets/css/campaign_333c4e8b19a72989caf8.css, https://view.emails.sonymusicfans.com/Error.aspx, URL http://url8878.e.sonymusicfans.com/ls/click • https://forms.sonymusicfans.com/campaign/all, http://url8878.e.sonymusicfans.com/ • http://url8878.e.sonymusicfans.com/ls/click, https://forms.sonymusicfans.com/campaign/all • https://forms.sonymusicfans.com/campaign/mmph/, https://image.emails.sonymusicfans.com/lib/fe9a12747566007d70/m/1/eb6e3ce4-7a7b-4435-a2cd-968f7277e6e0.png, https://image.emails.sonymusicfans.com/lib/fe9412747566057a72/m/1/b381d305-8e17-49be-bc99-e5fab3a7cd17.gif, push.apple.com • emails.redvue.com • apple-dns.net • 57.122.151.130 • https://teja8.kuikr.com/i6/20181130/Apple, Tracking LummaC2 Infrastructure with Cats (byAlienVault) https://otx.alienvault.com/pulse/6839003a3028827e1ebbfb1a, Interesting relationships: LummaC2 , Mirai Botnet , Sony Music Group , Apple, https://otx.alienvault.com/pulse/694898db3a9999fecfd893cb, https://www.virustotal.com/graph/embed/g69f2d0341bbf4c7180124cd0049e52603943cb3158b24298b9bd2a4e34d990fa?theme=dark, https://attack.mitre.org/groups/G1004/, https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-053, https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_, https://www.upwind.io/feed/from-compromise-to-detection-uncoveri, Amnesty.org | remote.amnesty.org, tulach.cc, Worm:Win32/Benjamin IDS Detections: Win32.Worm.Benjamin.A CnC Checkin ICMP, Alerts : nids_malware_alert network_icmp network_irc persistence_autorun network_http, Alerts : nids_alert allocates_rwx creates_exe packer_entropy antivm_memory_available, Delphi Likely Precursor to Scan PING Delphi-Piette Windows Yara Detections Delphi, Delphi This program must be run under Win32 Compilers, More IP’s Contacted 74.6.143.26 Domains Contacted benjamin.xww.de, http://www.yixun.com/getkey {"privateKey": "JMVRar4COFWb3eKZ"}, Server: JFE https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey, http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co, ipv4bot.whatismyipaddress.com, helloprismatic.com, https://palantir-staging.staging.candidate.app.paulsjob.ai/, Brian Sabey, Christopher P. ‘Buzz’ Ahmann, Malware : ClipBanker Entity: Crazy Frost, www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright © CrazyFrost, Services : GoogleChromeElevationService = Delete, Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap, Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap, Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap, Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj, Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap, Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake, Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO), CS IDS: Matches rule (http_inspect) invalid status line, CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection., jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8, https://www.anyxxxtube.net/search-porn/tsara-brashears/ https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian URL http://www.anyxxxtube.net/search-porn/tsara-brashears • http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex • http://www.anyxxxtube, https://www.anyxxxtube.net/search-porn/tsara-brashears/ URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian • http://www.anyxxxtube.net/search-porn/tsara-brashears • http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex, http://www.anyxxxtube/, Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com, https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png, https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian, https://www.anyxxxtube.net/search-porn/tsara-brashears/, http://45.159.189.105/bot/regex •’ Fake Pinterest •https://pin.it/, https://twitter.com/PORNO_SEXYBABES • girlsdoporn.com, Tsara never knew defense attorney fought & closed her worker’s compensation claim, Traceback- Man with signal jammer/ deauther working around her today., Absolutely zero regard for the victims who facilitate your luxury lifestyle., Do you slap luxury cologne on your undeserving face paid for by money workers suffered for?, You’d kill to have someone else’s lifestyle? May God take you out!, This God smacked penguin ordered a settlement hearing with less than 24 hours notice for claimant., He began a smear campaign immediately and is directly linked to Hall Render and Palantir, Doing any evil thing for mone does not compute for me., I’ve looked through the settlement docs, injuries caused by Jeffrey Scott Reiner DPT omitted., He must be very scary like Peter Theil because every attorney took case then backed off., Patiently waiting to see what God is going to do to all of you. You take lives for $, Stop! A woman was assaulted carved up, lived with a swollen brain , maltreatment , stalkers , hitmen?, So you can order food at fine restaurants , go to the finest places and get the best seats? No. I am earnestly praying Jehovah Sabaoth takes your last breath from all of you with Yawehs mightiest angels leading the way with a changing of guard for every tattle you will lose, On same block with HalkRender. Has close working relationship. All Palantir legal enities, https://www.virustotal.com/graph/embed/g6fbd06e582df467c9b784b455c17897fc94c601236464666b6ea48569737b84a?theme=dark, https://www.virustotal.com/gui/collection/64836171f942601f174ecfd89e64a16a09485d30484c6d5d88864314d6303868/iocs, https://www.virustotal.com/gui/file/1642a0e331de8bda30ea7ff6dbb80074f109b98dfaa9417eda8d770aff334dac/community, https://hybrid-analysis.com/sample/1642a0e331de8bda30ea7ff6dbb80074f109b98dfaa9417eda8d770aff334dac/6902f31df4f3011f930e35b0, https://www.virustotal.com/graph/embed/g9042fcb35a8547afa05b4f0276b5d85a58ec9f1202d848c1b8cd79f8c5557d40?theme=dark, https://www.filescan.io/uploads/681e38dc8d43c3a878fa07f7/reports/9415a199-278e-4194-a8dd-50a03607d121/overview, https://www.hybrid-analysis.com/sample/97935ba208fb6af4984485eeba41c3954a7aea4de42fa6f77bebb195d4728eac/681e3860434b80f67d0d220a, https://www.virustotal.com/gui/collection/ac210db96afe7597caa5e897c4f9aa435dc2dbc1d7003f34d1a5a0d69ecd2a63, https://www.virustotal.com/gui/collection/ac210db96afe7597caa5e897c4f9aa435dc2dbc1d7003f34d1a5a0d69ecd2a63/iocs, https://www.virustotal.com/gui/ip-address/172.68.8.0/details, https://ipinfo.io/172.68.8.0, https://viz.greynoise.io/ip/172.68.8.0, https://tria.ge/250509-v7ftjsymy6/behavioral1, http://clients2.google.com/time/1/current?cup2key=8:A2NSA9XiMjwnv2lppZDHJSlUjwebkbP0FRGtnA3Onzw&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, OTX issues | http://oracle.com/contracts.- I’m wondering if vulnerabilities found put us on a watchlist, It’s not doesn’t bother me. This is a great tool for quick ACCURATE results. Watch it happen live!, pegasus.thalamus.nz • http://pegasus.thalamus.nz • https://pegasus.thalamus.nz, Personally Interested: sebastianfoliaco.com • sebagofinland.com • cpcontacts.sebastianfoliaco.com, docs-api-staging.foundry.io • foundry.neconsside.com • http://foundry.neconsside.com • https://foundry.neconsside.com, https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930933603/trips, https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930956545, https://cloud.eu.samsara.com/o/562949953429579/fleet/reports/cameras/844424930985776/trips, https://hs.ecam.com/your-challenges-ecams-solutions, https://teja8.kuikr.com/i6/20181130/Apple • https://teja8.kuikr.com/images/chat/new-chat/apple.png •, https://cdn-api.ravendawn.online/assets/apple-YLDDa8Br.png" hostname as.ultraapple.ipv64.net •ipv64.net •https://cdn.goilobby.com/email-notifications/addtoapplewallet.png • https://as.ultraapple.ipv64.net/, Thalamus.nz - Registrar Dreamscape Networks International Pte Ltd t/a Crazy Domains, appspot.com • hyper7install.appspot.com, https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786, http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210, Changed last several digits of gmail account # In example, http://console.cloud.google.com/appengine, https://310940000.android.com.twitter.android.adsenseformobileapps.com/, https://www.netify.ai/resources/domains • 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc, device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21, 116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com, jaycobundaberg.eclipseaurahub.com.au 192.168.0.21, grafana.ledocloud.com• 192.168.0.21, 192-168-0-21.siliconevalley1.direct.quickconnect.to, IDS Detections: Win32/Vflooder.B Checkin | Virus Total vtapi DOS, Try LogMeIn Resolve For Free — Powerful tools for device management and remote software installs from LogMeInResolve., Installed on Tsara Brashears phone in a drive up incident in October 2024, Yara: CATEGORY _7_Zip_Installer ;!@Install@! ;!@InstallEnd@! 7z Igor,Pavlov, Antivirus Detections: Yara.Trojan.Remoteadmin-151 (29:30 BST) - a full list of key details:-1-2-3-4., EXE:CompanyName • TektonIT EXE:EntryPoint:0x121cf • EXE:FileDescription RMS Component, TektonIT RMS Component • 6.0 Internal Name • LegalCopyright© 2014 TektonIT., Original Filename: RMS Module PrivateBuild • ProductName • RMS ProductVersion 6.0, Worn as Watch • Highlighter yellow & green Large Font. Looks like a toy. Clearly a weapon, Non white or African American , black haired Middle Eastern 55+ male in non discreet Car, Vehicle described as Midnight blue , attempted to hit target at a high rate of speed when target left, parking spot on possibly Logan, male tried to clip target at Logan & 18th. No plates, Same target l followed and observed at Metro T-mobile on Evans & Federal in Denver, Described as an Opaque white skinned , non Caucasian bald male. Clearly Persian or Israeli (other) Russian?, He watched a ‘target’ while buying least expensive product available. Shirt with US Flag distraction, Target no longer able to provide info. Paper tags over real Co#LP on car dark colored car., Attempted, overt side swipe of family member of target in City Park , by W/M w/US Army tags, Not surprisingly driving a Ford F 150 | Very disturbing incidents continue. Goal clear. Hired to K****, Alerts: recon_fingerprint antisandbox_sleep dynamic_function_loading encrypted_ioc, Alerts: resumethread_remote_process reads_self stealth_window uses_windows_utilities, Alerts: antivm_checks_available_memory queries_keyboard_layout, Alerts: stealth_timeout dll_load_uncommon_file_types antidebug_setunhandledexceptionfilter, Alerts: network_icmp modifies_certificates injection_resumethread dumped_buffer, Alerts: network_cnc_http network_http creates_exe uses_windows_utilities, Alerts: allocates_rwx antisandbox_foregroundwindows, Related Trump pulse: https://otx.alienvault.com/pulse/68c954a80675ccc89b0e9b63, 6.0.0.0 Deep Impact: +Tsara Brashears , +callmeDoris , +Merkd1904 , +scnrscnr, likely dorkingbeauty, 6.0.0.0 United States AS749 DOD network information center • Historical telemetry, Don’t ask questions. Just terrorize. destroy equipment paid for by US citizens. What’s yours is theirs., IDS: MALWARE-CNC Win.Trojan.Rfusclient outbound connection, IDS: Matches rule PROTOCOL-ICMP Unusual PING detected, IDS: PROTOCOL-ICMP PING Windows PROTOCOL-ICMP PING PROTOCOL-ICMP Echo Reply, IDS: PUA-OTHER RMS rmansys remote management tool cnc communication, IDS: Unique rule identifier: This rule belongs to a private collection, Signa: Matches rule Msiexec Quiet Installation by frack113, Sigma: Matches rule Remote Access Tool Services Have Been Installed - Security by Connor Martin, Nasreddine Bencherchali (Nextron Systems), Sigma: Matches rule Compression Utility Passed Uncommon Directory (via cmdline) by SOC Prime Team, Capabilities: Collection Get geographical location • Log keystrokes via polling, Capabilities: Anti-Analysis Self delete • Inspect load icon resource, Capabilities: Targeting Identify system language via API, Capabilities: Data-Manipulation Encode data using XOR Hash data with CRC32, Capabilities: Persistence Create shortcut via IShellLink Communication • Write and execute a file, Malware packed. Haven’t sorted all., Continued stalking • I am of course also being targeted w/ attempts requiring surgery., Very dangerous. Has been going on for 12+ years affecting everyone who knew target., Machiavellians have already built a new world with a world. Some fear the Apocalypse they created., https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/mc/challenge/brw/do/210/dd14d159, https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/210/d5caee55-c7ae-4b3a-8be7-b65fa5f885c9, https://apideveloper.santander.cl/sancl/partner/transaction_authorization/v1/coordinate_card/acs/visa/challenge/brw/get/220/6b180faa-7ce7-4e26-a3b0-aa241497c70f, The attackers are all different races, Caucasian, African American, Asian, Indian, Persian, Ethiopian, and ambiguous, I’d like to make an appeal. Please stop. Your original target has gone away., NNnK.exe FILEHASH SHA256 d249de5277aaa875154143f14727a761caa652960685ab529327f1affa8954cb, NNnK.exe [e755511f154b928f720d8a5c59e34ccb.virus], https://open-app.galaxus.com, Copyright: Gamma Realty 2019 Product: Auty 2 Description: Auty Original Name: NNnK.exe, Internal Name: NNnK.exe File Version: 1.88.0.0 Comments: Gynecology *File Unsigned, ihs-markit-login-changes-update-august-2020.pdf [file below], "493fda53120050f85836032324409be6c6484f90a0755ae0c6a673ba7626818b" has the file format "text", which is not supported, https://www.virustotal.com/graph/embed/g25090dbc8e9e49cc805b123e936987a5022d66ee7e2b457193bf6cf242952800?theme=dark, 80.125.71.115, Yara Detections: Armadillov171, https://malbeacon.com/, prod-lt-playstoregatewayadapter-pa.googleapis.com • redirector.gvt1.com • torexit.net-137.ampr.org
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
IOC Journey
highFirst detected 1 year ago · Last seen 22 days ago
Appeared in 5 threat reports