IOC Radar
SHA256 · Medium · Signal 97/100

0c28dd735d27d2b61f537be9ee09070b8793cd74b1dd9776f902b7217c46adb9

Location: France
First Seen: May 26, 2025 (381 days ago)
Last Seen: Apr 7, 2026 (65 days ago)
Reports: 7 source reports
Confidence: 97% (medium)
Found in 7 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
SHA-256 Hash: SHA-256 file hash, the primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 97%
Signal Score: 97 / 100
IDS Rule: No
Threat Context
Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 61 techniques

Feed Intelligence Summary

7 source reports · 97% confidence score
Category tags
abuse, accept, accept encoding, access, actionu, active related, active scan, added active, ah types, aho data, ahtrna, ah typ, akamai rank, ally, alphacrypt cnc, amsi-bypass, apple pegasus, application layer protocol, auto-reg, auto-sch, auto-startup, backdoor, bad reputation, bae systems, bayrob, beacon, body, botnet, botnet activity, brian sabey, britain, brute force, c2, calls-wmi, camera, capture, cchk asn, as26658, checkin, cidr, city san, ck id, ck ids, cloud infrastructure, cloud storage, code execution, code injection, command & control, command and control, command execution, communication protocol, community management, compromised credentials, content sharing, cookie, credential access, credential harvesting, credential stuffing, cyber weaponization, daisy coleman, data encryption, data exfiltration, data store exposure, data theft, data upload, data uptoad, ddos, detect-debug-environment, digital platforms, distributed attacks, dom dom, doxing, dulce sphown, dynadot privacy, ecacc, encrypt, encryption, enter s, enter sc, entries, et att, europe, exclude sugges, exe, executable file, expiration, expiration http, exploit ss7, exploitation activity, extortion, extr included, failed, fbi flash, file-hash, filehash-sha256, files, folder, fort collins, found, france, front, hall render, help4u, hos host, hos hostname, hostname enumeration, http attack, http scanner, https, identity & access exploitation, images bae, include review, ind indicator, indicator, indicators show, information gathering, information stealer, infostealer, infrastructure acquisition, reconnaissance, ingress tool transfer, injection, injection activity, iocs, iot security, ipv4, jeffrey scott, jeffrey scott reimer, lateral movement, layer protocol, learn more, legal manipulation, linux, locker, london, long-sleeps, lookup, malicious activity, malicious links, malicious software, malvertising, malware, manually add, maps assist, mateo country, media content, melika, metadata analysis, mobile, mobile security, months ago, name john, name servers, network scanning, news videos, next associated, no entries, no expiration, octoseek public, operating system, peexe, pegasus, persistence mechanisms, peru, phishing, phishing attack, phone calls, sms, port, present apr, present jun, present mar, privilege escalation, process injection, puls, pulse sthow, pulses, pulses hostname, pulses url, ragnar, ragnar locker, ransom, ransomware, rat, reconnaissance, reimer dpt, related pulses, remote access, remote services, report spam, researched, reverse domain, role title, run keys, sa victim, sabey, safe search, sakula rat, sc type, scan, script urls, search, search filter, search settings, security operations, shared content, shipton, show, showing, siteid1, social analytics, social engineering, social media, social media exploitation, social media marketing, social media security, social networking, software exploitation, source, south america, spam, spearphishing attachment, startup, status, stranger things, sugges data, surveillance technology, system disruption, system manipulation, systems defense, t1003, t1021, t1021.001, t1027, t1036, t1043, t1051, t1053, t1055, t1055 process, t1056, t1056 input, t1059, t1060, t1064, t1068, t1069.001, t1071, t1071.001, t1078, t1080, t1082, t1085, t1105, t1105 ingress, t1106, t1106 native, t1114, t1119, t1123, t1125, t1129, t1133, t1140, t1143, t1155, t1179, t1190, t1203, t1204, t1204.001, t1210, t1213, t1486, t1490, t1496, t1499.002, t1499.003, t1506, t1534, t1543, t1547, t1555, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1583, t1586, t1587.001, t1589.001, t1590.001, t1598, ta0001 initial, tbmvid, tcticasterse http, threat actor, threat intelligence, time sabey, title added, tor node, trojan malware, trojanclicker, trojandropper, type, type indicator, types, types of, united, unknown ns, upx alerts, us creation, user engagement, uunet, value emails, video capture, virtool, vulnerability scan, web security, web traffic, weeks ago, westlaw, win32 malware, win32upatre aug, windows malware, xorddos, xworm, yara, year ago

Activity Timeline

1 total observation (Apr 7)

Threat Activity Heatmap

Weekly calendar, month axis Jun through the following Jun · Peak: 2026-04-07 (single observation; all other cells empty)
Window  Observations  Status
24h     0             Dormant
7d      0             Dormant
30d     0             Dormant
3mo     1             Minimal
Threat Score: High Risk
Signal Score: 97
Confidence: 97%
Reports: 7
First seen: May 26, 2025
Last seen: Apr 7, 2026

VirusTotal: Not checked

WHOIS

description (libmagic file-type string, not registration data): PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
references:
https://www.virustotal.com/graph/embed/g60a0f23aacf2415d9e245f0186e49df7c05e9a5dd3c74f7589a6c8e36cd0be4b?theme=light
https://darfe.es/ciberwiki/index.php?title=XWorm

Export & API

STIX 2.1 Bundle
CSV Export
Permalink
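Added example, not IOC Radar's own code: how the SHA-256 on this page is actually consumed. The file is hashed in streaming chunks, compared case-insensitively against an IOC set, and wrapped in a STIX 2.1 indicator of the kind the STIX 2.1 Bundle export above produces. Only the hash value IOC_SHA256 comes from the page; the sample bytes, the file name dropped.exe, the indicator name and the timestamps are constructed so the script runs offline.

```python
"""Match files against a SHA-256 IOC set and emit a STIX 2.1 indicator bundle.

Added example; not IOC Radar's own code. The only value taken from the page is
IOC_SHA256. SAMPLE_BYTES, the file name and the bundle metadata are constructed
so the script runs offline.
"""
import hashlib
import json
import tempfile
import uuid
from pathlib import Path

# The SHA-256 this page documents.
IOC_SHA256 = "0c28dd735d27d2b61f537be9ee09070b8793cd74b1dd9776f902b7217c46adb9"

# Constructed stand-in content (not the real sample); its digest is added to the
# lookup set in demo() so the scan produces a hit without the real binary.
SAMPLE_BYTES = b"MZ constructed placeholder, not the real binary\n"


def normalize(hexdigest):
    """Feeds mix case and stray whitespace; compare on one canonical form."""
    return hexdigest.strip().lower()


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_matches(root, ioc_hashes):
    """Walk `root`; return {path: sha256} for files whose digest is in the IOC set."""
    wanted = {normalize(h) for h in ioc_hashes}
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha256_file(p)
            if digest in wanted:
                hits[str(p)] = digest
    return hits


def stix_pattern(sha256):
    """STIX 2.1 comparison expression for a SHA-256 file hash."""
    return f"[file:hashes.'SHA-256' = '{normalize(sha256)}']"


def stix_bundle(sha256, name, confidence, valid_from):
    """Minimal STIX 2.1 bundle with one indicator (a 2.1 bundle carries no spec_version)."""
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": valid_from,
        "modified": valid_from,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern(sha256),
        "pattern_type": "stix",
        "valid_from": valid_from,
        "confidence": confidence,  # STIX confidence is an integer 0-100
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator]}


def demo():
    """Scan a temp dir holding the constructed sample; return hits, its digest and a bundle."""
    sample_sha256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "dropped.exe").write_bytes(SAMPLE_BYTES)  # constructed file name
        # Upper-case entry shows that normalize() makes the comparison case-insensitive.
        hits = find_matches(tmp, {IOC_SHA256, sample_sha256.upper()})
    # Timestamp is the page's First Seen date; the name is a constructed label.
    bundle = stix_bundle(IOC_SHA256, "IOC Radar SHA-256 indicator", 97, "2025-05-26T00:00:00.000Z")
    return {"hits": hits, "sample_sha256": sample_sha256, "bundle": bundle}


if __name__ == "__main__":
    result = demo()
    print("matches:", result["hits"])
    print(json.dumps(result["bundle"], indent=2))
```

A hash hit is exact, but a miss is not evidence of absence: any byte change (repacking, a rebuilt .NET assembly) yields a new SHA-256, so pair this lookup with the YARA or ATT&CK-behaviour coverage the page's tags point to rather than relying on the hash alone.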

IOC Journey

Confidence: medium
First detected 1 year ago · Last seen 2 months ago
Appeared in 7 threat reports