SHA256 · Medium · Signal 100/100
00013ff651ac8b67d01339c1a62e39ab93185899cad15515eafbb35df24b966f
First Seen: Feb 7, 2024
Last Seen: Feb 26, 2026
Found in 4 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
SHA-256 Hash: SHA-256 file hash, the primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 99%
Signal Score: 100 / 100
IDS Rule: No
Feed Intelligence Summary: 4 source reports, 99% confidence score.
Category tags: aaaa, accept, access denied, account security, activator, address, adobe air, adobe portable, agency, all octoseek, america flag, antivirus detection, antivm_network_adapters, antivm_queries_computername, apple, apple ios, apple phone, ascii text, asyncrat, attack, australia, avatier ccir, bitcoin, blockchain, body, body length, botnet, browser, bypass password, c2 communication, cape, checks_debugger, civil society, ck id, ck matrix, ck techniques, click-based attack, cname, cnc, code execution, command, command and control, command decode, command execution, commodity contracts intermediation, communication protocol, contact, contacted hosts, contacted urls, control ta0011, copy md5, copy sha1, copy sha256, core, corporate law, corporation, creation date, credential harvesting, credential theft, crypto exchange, crypto mining, crypto wallet, cryptocurrency, cryptocurrency threats, cryptojacking, csc corporate, dadjoke, data access, data copying, data encryption, data exfiltration, data transfer, decentralized finance, defense evasion, delete, delete lock, deleted, deleted virustotal graphs, details, detect-debug-environment, dga, diamondfox, digital currency, direct-cpu-clock-access, distributed attacks, dns, document format, dofoil, dotfuscator, dumped_buffer, dynamicloader, electronic health records, emails, emotet, encrypt, english, enosch, enosch malware, enter rexxfield, entries, entrust, error, europe, execution att, expiration date, extortion, fcc, file, file-hash, files, files domain, files ip, files location, final url, finance, first, flag, flag united, for privacy, format, gamaredon, gen.o, generic, generic cil, google, graph, graph community, gvt, hacking, header intel, headers, health care and social assistance, health information technology, healthcare information systems, high, historical ssl, hospital management, hostname enumeration, html info, http response, http scanner, hybrid, ico rtgroup, icon, ids detections, iframe, igmp, illegal practices, imphash matching, indicator, information gathering, information stealing, information technology, infrastructure acquisition, reconnaissance, ingress tool transfer, input validation bypass, intel, intellectual property law, iocs, ipv4, ireland, it infrastructure, java, jays youtube, kgs0, kls0, last seen, law, law practice, learn, legal consulting, legal research, legal services, legal technology, link library, local, long-sleeps, lumma stealer, malicious activity, malicious download, malicious links, malicious software, malware, malware distribution, markmonitor, markmonitor inc, markus, medical services, medium, meta tags, metadata analysis, mitre att, mobile, mobile security, modifies_proxy_wpad, monitoring, mono, mozilla, ms defender, music, name md5, name server, name servers, name tactics, nameweb bvba, net technology, network, network analysis, network probe, network scanning, network_http, network_icmp, network_smtp, neutral, new collection, next, nginx, no data, nosy pega, nuance china, object, oc0006 http, occamy, oceania, ooo selectel, operating system, operating system security, overlay, packed executable, parents, passive dns, password, password bypass, paste, path traversal, patient care, pattern match, pdf, pdf document, pdf phishing, pe resource, pe32 executable, peexe, persistence_autorun, peru, phi, phishing, phishing attack, phone hacking, pii, plugx, post http, present apr, present feb, present mar, probe, process injection, process32nextw, pulse pulses, pulses, qakbot, raccoonstealer, ransom, ransomexx, ransomware, rat, reconnaissance, record type, record value, redline stealer, redlinestealer, registry lock, regsz, regulatory compliance, related file, related nids, relic, remote, remote services, researched, resolved ips, resource hijacking, reverse dns, rgba, roberts, roboto, roundup, rst seen, rticon, rticon neutral, runtime-modules, russia unknown, samples, scan endpoints, script, script domains, script urls, sea x, search, security operations, servers, shell code, show, show technique, showing, sibot, silence, size, skynet, smith, smoke loader, snatch, sneaky server, social engineering, social media security, software development, software exploitation, south america, spawns, speakez securus, ssl certificate, state, static ai analysis, status, status code, strings, sub domain, summary, summary iocs, suricata ipv4, suricata udpv4, suspicious-dns, system disruption, t1003, t1003.001, t1003.005, t1005, t1021, t1021.001, t1027, t1027.002, t1030, t1041, t1047, t1055, t1057, t1059, t1059.001, t1064, t1068, t1069.001, t1071, t1071.001, t1078, t1078.004, t1083, t1105, t1113, t1129, t1190, t1199, t1203, t1204, t1204.001, t1204.002, t1480, t1486, t1490, t1496, t1499.002, t1499.003, t1518, t1547.001, t1553, t1555, t1555.003, t1565, t1566, t1566.001, t1566.002, t1566.003, t1568, t1583, t1584, t1586, t1587.001, t1589.001, t1590, t1590.001, ta0007 command, tag count, teams api, threat, threat actor, threat analyzer, threat intelligence, threat report, threat roundup, tofsee, transfer lock, trojan malware, tsara brashears, ttl value, tucows, tucows domains, tulach, twitter, type, type name, united, united kingdom, update lock, updater, urls, urls http, urls https, user execution, utc submissions, vt graph, web application exploitation, web traffic, whois record, whois whois, win16 ne, win32 dynamic, win32 exe, win32 malware, windows malware, wininet c0005, wiper, worm, worn, write, yara detections, yara rule, youtube account compromise, zfglddkl58a url
Activity Timeline: last activity Feb 26 (peak 2026-02-26).
Recent activity: 24h 0 (dormant), 7d 0 (dormant), 30d 0 (dormant), 3mo 0 (dormant).
Threat Score: 100 (High Risk)
VirusTotal: Not checked
Description: PE32 executable (GUI) Intel 80386, for MS Windows
References:
- FormBook: FileHash-SHA256 5b9fa34fac18f4084221969800faddfe1cf0afc22d601d211ee695934e7d62cb, FormBook: 45.159.189.105, FormBook: http://45.159.189.105/bot/regex, Emotet: www.youtube.com/watch?v=GyuMozsVyYs, Relic: bam.nr-data.net [Apple Private Data Collection], capitana.onthewifi.com, https://www.crccolorado.com/dr-adam-sang, CS IDS Rules: MALWARE Possible Compromised Host, CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz, CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt, CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses, CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst, http://www.defi-realty.com/jem9/ [phishing], http://45.159.189.105/bot/regex [phishing | tracking], https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection | browser vulnerability], https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption], https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/, https://attack.mitre.org/software/S0226/, http://watchhers.net/index.php
[data collection], remotewd.com, https://remote.krogerlaw.com, device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com, www.pornhub.com [password decryption], www.supernetforme.com [CnC], ddos.dnsnb8.net [CnC], http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing], http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743, http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs, https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!], https://us-bankofamerica.com/PhoneVerification.php/, http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection], http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip, http://iphones.email [redirection chain], *Patient PII & PHI at critical risk, https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115, https://www.google.com/?authuser=0, Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence, AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va, 207 Iowa.gov domains and hosts acting as cyber security [cyberreason], iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov, appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?], lacity.gov, auditortest.iowa.gov,
broadband.iowa.gov, admin.auditor.iowa.gov, https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN, Domains Contacted: smtp.gmail.com www.google.com, DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company, www.fcc.gov? DGA Domains : Certificate Subject US 443 Certificate Subject District of Columbia 443 Certificate Subject Washington 443 Certificate Subject Federal Communications Commission 443 Certificate Subject Government Entity 443 Certificate Subject 1934-06-19 443 Certificate Subject affordableconnectivity.gov 443 Certificate Issuer Entrust, Inc. 443 Certificate Issuer See www.entrust.net/legal-terms 443 Certificate Issuer, (c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer Entrust Certification Authority - L1M, https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???], https://api.ypay.pw/, https://hybrid-analysis.com/sample/7b3cc5cfc0e8706f129c9787e214364512ca9557eef083ebf784aff6bf9c5147/6284d9281d02364bb451c88d, https://www.virustotal.com/graph/embed/g7796a04693f3480fb428f7889af9b06fb17ed3c8e24043ea8a9095f191bbe5e7