SHA256HighVerifiedSignal 98/100

`10c4067908181cebb72202d92ff7a054b19ef3aada939bf76178e35be9506525`

Location

Canada

First Seen

Nov 8, 2020

Last Seen

May 1, 2026

Nov 8

First Seen

2045d ago

May 1

Last Seen

46d ago

Reports

source reports

98%

Confidence

high

Found in 6 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.

SHA-256 Hash

SHA-256 file hash — primary identifier for malware samples.

MISP Category

Artifacts Dropped

Hash Algorithm

SHA256

Confidence

98%

Signal Score

98 / 100

IDS Rule

Threat Context

MITRE ATT&CK TTPs

47 techniques

Feed Intelligence Summary

6 reports98% confidence

Source reports

98%

Confidence score

Category tags

a serviceabcdabuseacceptaccessaccountaccount brute forceacidrainactive scanactive scanningad environmentad groupadfindadministratoraes keyafghanistanafricaagentahnlabai securityaitbalbaniaalbanianalexaliveallegatoamadeyamsi telemetryanalyzeanchoranchordnsandroidanunakanydeskanydesk remoteapacheapache tomcatapi callapi hashapi hashingappdataappeappearanceapplication attackaptapt 27apt groupapt19apt27apt29apt29 activityapt29 conductapt41aquatic pandaarcanearmeniaartefactsfolderartemisascii valueascii85asec analysisasiaasyncratateraatera agentatomatomicattackattack overviewauroraauthenticationautoitav evasionavastavosavoslockerazaz09azorultbackbackdoorbad rabbitbankbasebase64base85basecampbatloaderbazaarbazaloaderbazarbazar c2bazar loaderbazarbackdoorbazarcallbazarloaderbazarloader dllbeaconbeacon dllbeacon payloadbeacon typebeacon versionbeaconloaderbeapybearbeatdropbeerbelarusbelowbeyondbitcoinbitsblackcatblackshadesblisterblobbluenoroffboatlaunchbodybokbotbookmark serverboommicbotnetbotnet activitybrazilbreachbridgebrowserbrute forcebrute force attackbughatchbuildbumblebee c2bumblebee dllbypassc activityc serverc2 datac2 dropboxc2 profilec2 serverc2 trafficcaesarcampocampo loadercanadacanthroidcaploadercapturecarbon spidercashcec listcenterallcerbercertchachachamelgangchanitorchaprochatchimerachinachina chopperchinese-speaking cybercrimechiselchm filecisacisco securecisco taloscisco threatck techniqueclassclassloadercleanupclickclosecloudcnc servercnuserscobaltcobalt strikecobalt strike loadercobalt strikescobaltstrikecodecoinminercolor1cometcommandcommand & controlcommand and controlcommentcommercial bankingcommunication protocolcompilecompromise attemptcomspecconceptconficonfigconfluence dataconsolecontcontactcontentconticonti affiliateconti gangconti groupcontributorscontrolcookiecookie valuecopycorecore impactcortex xdrcovewarecovid19cp1250credential accesscredential brute forcecredential stuffingcrowdstrikecrphcryptercryptocurrencycs loaderctrltcubacuba ransomwarecustomerloadercvsscybercyber espionagecyber espionage solutionscyber threat hunterscyber threatscybercrime hascybereason xdrcybersecurity architectcyclopsczechiadark cometdarkcometdarkgatedarkhoteldarkshelldarksidedatadata centerdata encryptiondata exfiltrationdata riskdatabase brute forcedatabase securitydatopdatoploaderdaveshelldc serverdclocalddosdeadeyedecoydecryptdef condefenderspynetdefensedefense evasiondefraydefray777defray777 ransomwaredelphidemodenial of servicedenis legezodesktopdetectdetect-debug-environmentdexterdfdownloaderdfir reportdfir teamdiavoldiceloaderdidier stevensdigital certificatesdircreatedirect systemdirectorydiscorddisplaynamedistributed attacksdkmcdkmc frameworkdll filedll librarydll payloaddll sideloadingdllentry ratdllsdnc hackdnc networkdns attackdoesndomaindonald trumpdonedonutdoormedoorme backdoordoppelpaymerdoradorkbotdos headerdownloaderdownragedpiawaredridexdropboxdropbox loaderdropperdrops cobaltduckdukedumpduqudustpandwordearth wendigoeasyeasylookedr hooksedreppefnoegregoregregor payloadelfeliteemerging threatemissary pandaemotetemotet campaignemotet coreemotet epochemotet payloademotet runempireenableencoderencryptencryptionendpoint1energyenglishenjoyenterpssessionentropyentry pointenumerationepochepochsepochtimeerik hjelmvikerroreseteset researcheset securityestoniaesxiet cncet exploiteuropeeurope/asiaevil corpexcelexecutable fileexfiltrationexitendififexotic lilyexpert perspectiveexploitexploitationexploitation activityexport functionextortionfailfalconfalcon completefalsefastfeaturefeodo trackerficker stealerfigurefilefile-hashfilejustfileless malwarefilesfillerfin7finalfindfinspyfireeyefirstfirst detectionfishmasterfivehandsflexfooterfoozerforceforeign affairsformformatfortunefrom karakurtfrontfrpftpftp brute forcefunctiong o2gap analysisgasgategate variantgaussgeckogeneric.933739georgiagermanyget requestgetchilditemgetoperandvaluegif headergithubgithub projectglobal funcgnu cgo downloadergogogolanggold blackburngold dupontgoogle chromegoogle cloudgoogle docsgoogle drivegootkitgootkit loadergootloadergotrojgozigozi malwaregrabffgrantedaccessgrapeloadergreecegriffongroup policygroupexchangegrouprevilgroupuchebkacguardguloaderhackhackermanhacking teamhadeshaixi mongolhancitorhancitor c2hancitor dllhancitor exehandoverharpyharvesterhashhatching triagehavocheaderheadlineshellhellohello packethellokittyhidehidedrvhighesthikithillhivehoneymytehong konghookhookshta filehtmlhtml filehtml objecthttphttp brute forcehttp c2http gethttp methodhttp posthttp scannerhttp traffichttpshttps traffichumanhuntershwinithlwhydraicedidicedid malwareicedid payloadiceidicmpida proidentity & access exploitationidleigosiis workeriit appil fileil messaggioimages evidenceimap brute forceimpactimportincident responseindia-chinaindicatorindonesiainfectionidinfoinfostealeringress tool transferinitial accessinitial contactinjectinjection attacksinjectorinstallintelintro contiinvestigation servicesinvestigationsioc510iocindicatoriocsiot securityipcountipv4iran, islamic republic ofiso fileiso filesystemiso imageissuer cusissuer orgitaliaitalyitw nameja3ja3sjames haughomjan rubnjapanjarmjarm signaturejarsjasonjavascript codejitterjohnjs filejson objectjssloaderkarakurtkaspersky icskazakhstankazuarkerrdown samplekeyplugkhalesikhtmlknightkoadickorea, republic ofkoreankportscankronoslaterlateral movementlatinlatvialazagnelearnlearn morelegallegezolemon duckleviathanlifelimelinodelinuxlinux systemlithuanialnk filelnklnklnklnkloaderlocallockbitlockbit blacklog4jlog4shelllogiclogin attacklogin attemptslogin brute forcelogmeinlokibotlolbinslpwstr lpbufferlsasslsass memorylsass processltexasluckyluckymouseluminousmothmac osmacawmachinescalemachomacosmacromagicmailtomainmain entrymakadocsmakesmalaysiamalcatmaldocmalicious activitymalicious filemalicious network activitymalicious softwaremalspammalwaremalware descriptionsmalware technologiesmalwarebazaarmanagemanaged xdrmarchx8664 gmaremarkmaskmasscanmatanbuchusmatches nomatrixmazemaze ransomwaremcafeemediamedremeetingmegamespinozametasploitmeterpretermethodmethodologymexicomichaelmicromicrobackdoormicrosoft docsmicrosoft wordmidst intrusionmindminermitre attmobile threatmodelmodule stompmongoliamonitoringmonovmmonpassmonpass clientmonpass webmorphisec labsmortomotcmotnugmountlockermovingmozillams windowsmsbuildmsbuild processmsbuild projectmsf downloadermsf shellcodemshtml enginemsiemssqlmssql processmssql servermuddywatermultiplemustang pandamyanmarmyrtusmz headern c2n cobaltn httpsnaganamename filenarilamnation-state activitynativezonenbtscannebulaneitherneshtanetbiosnetscannetspynetsupport ratnetwalkernetwirenetwork activitynetwork attacksnetwork enumerationnetwork forensicsnetwork intrusion attemptnetwork probingnetwork protocolnetwork reconnaissancenetwork scanningnetwork securitynetwork service scanningnevernew zealandnewsnextnexusngrokngrok tunnelnightnim malwarenim programmingnimgrabbernimrevnimrodnimrodnimzanimzaloadernltestnmap scannobeliumnonamenorth americanotepadnotepad++nsantdsntlmntlm hasho2 o2ocean lotusoceaniaoceanlotusoffensivenimoilrigololone marketplaceoniondukeonlinoofficeopenopen processopen sourceopenfieldopensopenssloperating systemoperation pawnoperationsopsecor filefullnameoracle weblogicorionos versionoverownerp4bnzr0palo altopandapartpasspassword attackpassword attackspatchpathpawn stormpayloadpayloadbinpcappdf documentpe headerpeexeperuphasephishingphotoloaderpingpinkslipbotpioneerpipespl shellcodeplatform sha256pleadpleaseplinkplugxplugx backdoorplugx implantpoisonpolandpoliceponypoortrypop3 brute forceportpos softwareposhc2postpost bodypost methodpotential scanpowerpowershellpowershell ratprefecturepress enterprimary threatpriorprivacyprocess hackerprocess injectionprojector libraprophetprophet spiderprotectprotocol exploitationproxyproxyshellpsexecpsrppublicputtypymafkapysapysa ransomwarepythonpython scriptpyxieqakbotqakbot binaryqakbot malspamqakbot malwareqbotquasarquesto certquietexitraasradarradminragnarlockerraindrop loaderrandomransomransom virusransomexxransomhubransomwarerapid7rararchiveraspberry robinratrat trojanratsrazyrc4 encryptionreaves6 minreconrecon villagereconnaissancereconnaissance activityredlineredline stealerreferregszregwriterelatedtoremcomremcosratremote accessremote access attemptsremote servicesremoverenamereportreportsrequestresearchresearchedreturn addressrevilrevilcontiritarobinhoodrollcoastrootrozenarubeusrubyrun registryruntime-modulesrussiarussian federationrustrustockrustybuerryukryuk domainryuk hostryuk ransomwareryuk threatsabbathsafetykatzsagesandboxsandbox reportscalescams & fraudscan behavioralscannerscoutscriptseadukeseatbeltsecurexsecurity groupssekhmetsekurselectserbiaserverserver helloserviceservice exploitation attemptservice mainservice scanservice workerset currentsfx codesfx fileshadowshadow chasersharpkatzshathakshellshellcodeshownshutsignsilentsilent breaksilent trinitysilentbreaksizesleepsleepexslingshotsliverslovakslovakiasmadavprotect32smallsmb beaconsmb brute forcesmtpsmtp brute forcesnakesnortsnowsoarsocgholish netsupportsocssodinokibisofacysoftethersolarstormsolarwindssomniasourceimagesouth africasouth americaspamsparklinggoblinsparkratspawnspear phishingspeedsphwspidersprite spiderspyeyessh attacksslblstabuniqstackstagestagerstagesstarstarkstarsstarted servicestartwstatastatestdoutstealerstellarparticlestoneboatstopstormstorystreamstrikestrike activitystrike beaconstrike loaderstrike payloadstringstringsstrongstrontiumsttxstuxnetsublime editorsummarysuncryptsupernovasupply chain attacksuspected compromisesvchostswedishswiftsyscallsysdigsystem accesssystem disruptionsystembcsyswhispers2szdrft1018t1021t1021.001t1021.002t1040t1046t1047t1053t1055t1059t1059.001t1059.003t1059.004t1069.001t1070t1071t1071.001t1076t1077t1078t1083t1105t1110t1110.001t1110.002t1110.003t1110.004t1133t1190t1199t1204t1486t1490t1496t1499.002t1499.003t1539t1563t1565t1566t1573t1589t1590t1595t1595.001t1595.002t1595.003ta471ta551ta578ta800talostargettargeted attackstargetimagetask managertcp porttcp protocoltcp scantcp scanningteamteamt5teamt5 teamt5techtelecomtelecommunicationstelnet threattemptencenttheftthemidathorthreatthreat actorthreat advisorythreat alertthreat analysisthreat analysis servicethreat feedthreat gridthreat intelligencethreat researchthreat responsethreat spotlightthreat-intelligencethreatsthreatsonarthreatsonar anti-ransomwarethreatvisionthrowbacktinbatipstldstls clienttls servertoolstor directorytor nodetouchtracingtrackertransferxl urltransferxl urlstravelextrellotrend microtrend visiontrickbottrickbot c2trickbot crewstrickbot grouptrickbots crewtrickbots cstriggertrinidad and tobagotrinitytrojantrojan malwaretrojanspytrumptrustttpsturkeyturkishturlatvrattwittertycoontypeuac0056udp scanukraineunauthorized accessunauthorized access attemptunc1151unc2165unc2190unc2190 beaconunc2198unc2452unc2465unc2589unc3381unified accessunitunited statesunusual porturisurlcampourlsurls httpurlshxxpursnifuse sectionuserpcnameuuid variantuuidsuwagavalid accountsvaporragevariantvaronisvaronis threatvatetvatet loadervawtrakvba macrovbs scriptvhashvidarvietnamviewvincssvision onevmwarevmware commandvmware horizonvmware identityvmware xfervnc activityvobfusvoicevoidvollgarvscodevulnerability scanwaf rulewdigestweb application attackweb trafficweblogic accesswebshellwherewin32 malwarewin32.agentwin32.bitcoinminerwinapiwinapi callwindwindowwindowswindows binarywindows contextwindows eventwindows exewindows hostwindows logonwindows malwarewindows ntwindows remotewindows servicewindows systemwineloaderwinidswinntiwinnti groupwinrarwinrmwinscpwiperwirelurkerwizard spiderwmicwmiexecwordword documentworkspace onewormwritewscriptx.509xll filexmrigxor algorithmsxss attackxtunnelxyzcampobb hxxpyahxzyanluowangyarayara rulez85 ascii85z85 httpszbotzenpakzeuszip filezloaderzscaler cloudzusyzxkbdklakv

Activity Timeline

1 total obs

May 1May 1

Threat Activity Heatmap

· Peak: 2026-05-01

Less

Mon

Wed

Fri

Jun

Jul

Aug

Sep

Oct

Nov

Dec

Jan

Feb

Mar

Apr

May

Jun

24h

Dormant

30d

Dormant

3mo

Minimal

Threat ScoreHigh Risk

SIGNAL

Signal Score

98%

Confidence

Reports

First seenNov 8, 2020

Last seenMay 1, 2026

Verified IOC

VirusTotal

Not checked

WHOIS

description: In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a powershell program.
references: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/, https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/, https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html, https://labs.inquest.net/iocdb

`10c4067908181cebb72202d92ff7a054b19ef3aada939bf76178e35be9506525`

MITRE ATT&CK TTPs

Feed Intelligence Summary

Activity Timeline

Threat Activity Heatmap

VirusTotal

WHOIS

Export & API

IOC Journey

We value your privacy