IOC Radar
SHA256 · Medium · Signal 91/100

03acb11799183f3b25b2ffe7227e0e010016eae81b23a663f32b5b0929d0598d

Location: Thailand
First Seen: Mar 1, 2023 (1218d ago)
Last Seen: Jun 2, 2026 (30d ago)
Reports: 7 source reports
Confidence: 91% (medium)
Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash: SHA-256 file hash, the primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 91%
Signal Score: 91 / 100
IDS Rule: No
Threat Context

Tags: (none)
MITRE ATT&CK TTPs: 80 techniques
Feed Intelligence Summary

Source reports: 7
Confidence score: 91%

Category tags:
aaaa, abuse, accept, access type, account security, active scan, address domain, alerts, alienvault_ransomware, all domain, all filehash, alvoes, america, arial, ascii text, asia, asia pacific, av detections, backdoor, bad reputation, bb c7, bc a1, binary, binary file, botnet, botnet activity, c tmpsample, c2 ip, c2 resolution, call, calls, canada, cc fd, cert, cert validity, chain, checks-network-adapters, checks-user-input, ck id, ck ids, ck matrix, click, click-based attack, cloudflare dns, code, code execution, code injection, command, command & control, command and control, command execution, communication protocol, contact, container security, copy, creation date, cryptocurrency, cryptomining, d4 dc, data access, data copying, data exfiltration, data store exposure, data transfer, data upload, ddos, ddos attacks, defense evasion, delphi, detect-debug-environment, direct-cpu-clock-access, directoi t1222, distributed attacks, div div, dive into, dns attack, doh, domain, domains, downloader, dynamic dns, dynamicloader, edgeview drive, elf executable, elf geomi, elf64 operation, encrypt, encryption, enough, entries, error, europe, exchange all, exclude, exclude data, exclude sugges, exec amd6464, exploitation activity, external ip, extr, f4 ca, failed, fast, fastest privacy, file, file-hash, filer data, filer filehuon, files, files ip, filet ce, filet filer, filet filet, find, find c, find s, first dns, format, full reports, gecko, germany, get hello, get icarus, global, golang, google dns, h1256, hackingtrio ua, handle, hello, heur, high, hostname, hostname enumeration, hosts, http performs, http scanner, http traffic, https, https domain, hua muicalul, hybrid, ids detections, inbound, include, include data, include review, indicator, indicatore, infection dns, info, information gathering, information technology, infrastructure acquisition reconnaissance, ingress tool transfer, injection activity, input validation bypass, intel, internet of things, iot botnet, iot security, iot/ics attack, ipv4 add, it infrastructure, key usage, khtml, kubernetes, labs pulses, layer protocol, learn, less, linux, loader, loads, local, malicious links, malicious software, malware, manualy, matches data, matches edolavd, matches matches, medium, memory pattern, meta, metadata analysis, metro4shell, mirai, mirai botnet, mirai variant, mitre att, mitre attack, model, modify syst, modify system, mozilla, ms windows, name, name servers, name tactics, network communication, network info, network scanning, new threat, next, next associated, no entri, north america, number, ogoogle trust, open, operating system, operating system security, otx logo, otx telemetry, outbound, outbound traffic, overlay, passive dns, path, path traversal, pe section, pe32 executable, peer-to-peer, peexe, pegasus, performs dns, peru, phishing, ponmocup post, post, private server, proc indicative, proccpuinfo, process create, process injection, process l, pulse, pulse pulses, pulses, ransomware, read c, reads, reads cpu, reconnaissance, record value, redis exploitation, reference id, related tags, remc t1070, remote access, remote services, report publish, researched, review exclude, review occ, runtime-modules, search, server ca, servers, service, service scan, service-scan, shell, show, showing, singapore, singapore asn, smux, social engineering, social media security, software development, software supply, south america, span, status, stop, stream, strings, stwa, suggest, suggested ocs, suite, suspicious-udp, systemd service, sysv, t1001, t1003, t1005, t1007, t1010, t1012, t1016, t1021, t1021.001, t1027, t1027 masquerac, t1027.002, t1030, t1033, t1036, t1036 indicator, t1037.002, t1041, t1053, t1055, t1055.003, t1056.004, t1057, t1059, t1059.002, t1059.004, t1059.007, t1060, t1063, t1069.001, t1070, t1071, t1071.001, t1071.004, t1078, t1082, t1083, t1090.001, t1095, t1098, t1105, t1106, t1110.001, t1113, t1119, t1129, t1133, t1140, t1155, t1190, t1195, t1195.002, t1204.001, t1204.002, t1210, t1222, t1486, t1496, t1499, t1499.002, t1499.003, t1518, t1543, t1543.002, t1546, t1546.015, t1552.001, t1563, t1565, t1571, t1573, t1583, t1583.003, t1583.005, t1587.001, t1589.001, t1590, t1590.001, t1590.005, t1608.002, t1609, t1614, targeting database, thailand, threat actor, tico data, title, tls sni, tls version, tocstut, tor node, traefik default, traffic tcp, trojan, trojan malware, twitter, typ data, typ filet, typ innicatad, type, unique ru, united, united states, unix, unix shell, unknown ns, urls, user execution, usrbinid id, v3 serial, value, vulnerability scan, web application attack, web application exploitation, web traffic, win32 malware, windir, windows, windows malware, world, worm, write, xor, yara, yara detections, yara rule, zerg, zergeca, zergeca botnet

Activity Timeline

1 total observation: Jun 2
Threat Activity Heatmap

Peak: 2026-06-02 [heatmap figure: weekday rows Mon/Wed/Fri, monthly columns Jun through Jun; chart not reproduced]

Last 24h: 0 (Dormant)
Last 7d: 0 (Dormant)
Last 30d: 0 (Dormant)
Last 3mo: 1 (Minimal)
Intelligence Summary (AI Generated)

This Indicator of Compromise (IOC), a specific SHA-256 hash, represents a critical and highly malicious threat to organizational security. Its presence within an environment is a strong indication of an active compromise, potentially facilitating devastating attacks such as data exfiltration, system destruction, or the deployment of ransomware. The elevated risk score associated with this IOC underscores the urgent necessity for immediate investigation and robust mitigation strategies. Failure t…

Threat Score: High Risk
Signal Score: 91
Confidence: 91%
Reports: 7
First seen: Mar 1, 2023
Last seen: Jun 2, 2026

VirusTotal

Not checked

WHOIS

Description: PE32 executable (GUI) Intel 80386, for MS Windows

References:
https://www.fortinet.com/blog/threat-research/misconfigured-enrolled-and-dormant-anatomy-of-a-p2pinfect-kubernetes-compromise
www.joewa.com
Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name
Yara Detections: MacSync_AppleScript_Stealer, UPX
Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
apple.k8s.joewa.com • joewa.com • http://apple.k8s.joewa.com/ • https://apple.k8s.joewa.com/
Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO
blackbox-exporter.lenovo-k8s.home.local.advena.io
http://blackbox-exporter.lenovo-k8s.home.local.advena.io/
https://blackbox-exporter.lenovo-k8s.home.local.advena.io/
https://blackbox-exporter.lenovo-k8s.home.local.advena/
Calls an API typically used to retrieve function addresses, load a resource. T1129 Shared Modules (Execution): adversaries may execute malicious payloads via loading shared modules.
Loads modules at runtime; looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime); calls an API typically used to load libraries; loads the RPC (Remote Procedure Call) module DLL. T1059.007
https://cloudflare-dns.com/dns | cloudflare-dns.com
https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522
https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com
https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f
6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)
‘Can't access file’ Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca
‘Can't access file’ [Found in Zergeca Botnet]
IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
IDS: Possible External IP Lookup ipinfo.io; Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
Yara Detections: is__elf, LZMA, ELFHighEntropy, elf_empty_sections
IP’s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56
Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org
Crowdsourced SIGMA Below:
Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke
Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community
Crowdsourced IDS Below:
Matches rule ET POLICY External IP Lookup ipinfo.io
Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
Matches rule ET INFO External IP Check (checkip .amazonaws .com)
Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt
Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
Unique rule identifier: This rule belongs to a private collection.
geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi
https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO
Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/
crypto-pool.fr
iبامسلمون لمهمملممنامصناءواممساند | مطعم+ ممامام
Muslims have built, supported, and assisted. or Muslims: Support and Solidarity
LIE. Built American.
Attorneys, hackers, Sabey, Ahmann, US quasi government, SOCs, Red Teams, Hacker Fest | Colorado
IDS Detections: Mirai Variant User-Agent (Outbound); WebShell Generic - wget http - POST
IDS Detections: MVPower DVR Shell UCE • HackingTrio UA (Hello, World)
IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution
IDS Detections: HackingTrio UA (Hello, World) • HTTP traffic on port 443 (POST)
IDS Detections: Mirai Variant User-Agent (Inbound) • HackingTrio UA (Hello, World)
IDS: Observed Suspicious UA (Hello, World)
Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File, is__elf, LZMA, UPX
Yara Detections: ELFHighEntropy, ElfUPX, elf_empty_sections
Alerts: cape_detected_threat
IP’s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184
IP’s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248
Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]
https://dns.google/resolve?name=SELECT
31.6.16.33 • network.target [Found in Zergeca Botnet]
multi-user.target • ootheca.top • network.target • ootheca.pw [Found in Zergeca Botnet]
84.54.51.82 • http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]
Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets
Since September 2023, according to an analysis by cyber security firm XLab CTIA.
Address shows a place of origin: Broomfield, CO
Believed to be originating from Germany and Russia
BGP Hurricane Electric seen
Potentially Pegasus related. Found to be affecting an iOS device
Indicators seen may have affected a few OTX users. Is ongoing
Zergeca related URLs, URIs, Domains
inaccessible files referenced
apple.k8s.joewa.com • joewa.com • com.apple
This pulse is so huge it’s a mess. Will break down.

IOC Journey

Confidence: medium
First detected 3 years ago · Last seen 1 month ago
Appeared in 7 threat reports