IOC Radar
MD5 · Medium signal · 88/100

13309b5d9cfe00a3bc9431649b41f0d5

Location: Korea, Republic of
First seen: Apr 3, 2025 (451d ago)
Last seen: May 18, 2026 (42d ago)
Reports: 3 source reports
Confidence: 88% (medium)
Confidence scores are heuristic. Verify before acting on results.
MD5 Hash
MD5 file hash associated with malicious samples.
MISP Category: Artifacts Dropped
Hash Algorithm: MD5
Confidence: 88%
Signal Score: 88 / 100
IDS Rule: No
Threat Context
MITRE ATT&CK TTPs: 45 techniques
Feed Intelligence Summary
Source reports: 3
Confidence score: 88%
Category tags: accept, active, active created, active scan, address, address google, adult content, akamai rank, alerts, all ipv4, all octoseek, amazon, analysis date, anti-debugging, anti-vm, antivm, apache x, apanas, apple ios, armadillov171, artemis, ascii text, asia, asnone, attempted brute forcing, autorun persistence, av detection, av detections, backdoor, bank, bank security, banker, basic human rights, basic telephone, body, body length, botnet, botnet activity, brain sabey, brian sabey, brute force, c2, ca issuers, canada unknown, canvas, checks-network-adapters, checks-user-input, civil society, ck id, ck technique, class, click, client body, cloud, code, command, command & control, command and control, comodo valkyrie, contact, contacted urls, content reputation, content type, cookie, cookie stealing, copy, creation date, credential harvesting, credential stuffing, crypt, crypto, cryptocurrency, cve, cyber stalking, cyber threat, cyber warfare, data access, data copying, data encryption, data exfiltration, data store exposure, data transfer, defense, defense evasion, delete, delete c, delphi, detect-debug-environment, detections tls, digital, displayname, distributed attacks, dlink router, dns attack, dock, dod, domain, downloader, drweb, dsl2750b rce, dynamic malware, dynamic report, dynamicloader, email, emails, emotet, encrypt, encryption, entries, error, et, et info, et trojan, etpro trojan, evader, expiration, exploit, exploitation activity, extortion, false, ff d5, file-hash, files, files location, final url, finance, financial institution, financial services, fingerprinting, firewall bypass, folder, form, found, gafgyt, germany, get hello, get nagmtn, google.com connectivity check, hacker, hall render, hash, headers, hidden extension, hidden registry, high, high priority, high registry, historical ssl, history first, html info, http, http response, human rights threat, hybrid, icmp traffic, identity & access exploitation, ids, ids detections, ifeo persistence, immigration, imphash, indicator, infostealer, ingress tool transfer, injection, injection activity, insurance carriers and related activities, intel, iocs, iot security, ipv4, ireland, junk data stuffing, keylogger, keys, known hostile, learn, lifeweb, lifeweb server, local, log id, logic, long-sleeps, look, malicious software, malware, malware infection, man software, mark, mark brian sabey, mark sabey, media, media center, medium, memory analysis, meta, meta tags, mirai, mitre att, mobile threat, moved, mozilla, ms windows, msie, name servers, name tactics, navy, netherlands, next, no expiration, nolookup communication, operating system, otx logo, otx telemetry, over, overlay, panda, passive dns, password, password bypass, paste, patched3_c.akrv, path, pattern match, pe file, pe packer, peexe, pehash, peru, pexe, phishing, phishing attack, pm size, policy http, port, possible virut, pragma, present aug, present dec, present jul, present jun, present mar, process injection, pulse pulses, pulse submit, pulses, ransomware, read, read c, record value, refresh, registry run, regsz d, related nids, related pulses, related tags, relic na, remote handler, remote services, researched, response final, restart, role title, run keys, safe browsing, scan endpoints, sddl, search, self, server, server ca, service, service scan, serving ip, shellexecuteexw, show, show technique, showing, size, slcc2, social engineering, south america, south korea, span, spawns, ssl certificate, start folder, startup, static analysis, status code, stealer, stream, strings, system disruption, system restore disabled, sysv, t1003, t1005, t1016, t1021, t1021.001, t1023, t1027, t1030, t1031, t1045, t1053, t1055, t1059, t1060, t1068, t1069.001, t1071, t1071.001, t1078, t1082, t1105, t1106, t1113, t1119, t1129, t1143, t1190, t1202, t1204, t1480 execution, t1486, t1490, t1496, t1499.001, t1499.002, t1499.003, t1539, t1547, t1555, t1556, t1565, t1566, t1566.001, t1566.002, t1566.003, t1573, tag manager, team phishing, teams api, telecommunications, temple, threat, threat actor, threat analyzer, title, tls web, tlsv1, tofsee, toolbar, tools, top destination, top source, tor node, trackers new, trojan, trojan malware, trojandropper, tsara brashears, tulach, twitter, type indicator, united, urls, urls http, us citizenship, utc google, utc http, verdict, verify, vipre, vitro, vulnerability scan, wabot, white, whois, whois record, whois sslcert, whois whois, win32 malware, windows, windows malware, windows nt, wordpress login, worm, write, write c, xport, yara, yara detections, yara rule, years ago

Activity Timeline
1 total observation: May 18 (peak 2026-05-18)
Threat Activity Heatmap: a single observation on 2026-05-18 in the Jun-Jun calendar shown; no other active days.
Observations by window: 24h 0 (dormant) · 7d 0 (dormant) · 30d 0 (dormant) · 3mo 1 (minimal)
Threat Score: High Risk (88 SIGNAL)
Signal Score: 88 · Confidence: 88% · Reports: 3
First seen: Apr 3, 2025 · Last seen: May 18, 2026

VirusTotal: Not checked

WHOIS
Description: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows; MS-DOS executable (MZ for MS-DOS)
References (as aggregated from the source reports):
AV Detections: Patched3_c.AKRV
YARA Detections: Armadillov171
Alerts: antiav_servicestop, persistence_autorun, network_bind, antivirus_virustotal, network_http
IPs Contacted: 8.8.8.8, 78.46.218.253, 74.208.229.157, 192.5.41.40
Contacted Domains: tick.usno.navy.mil, www.thinkman.com
AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil | United States
AS8560 1&1 IONOS SE | 74.208.229.157 | www.thinkman.com | United States
AS24940 Hetzner Online GmbH | 78.46.218.253 | static.253.218.46.78.clients.your-server.de | Germany
AS15169 Google LLC | 8.8.8.8 | dns.google | United States
Email: [email protected]
Domain: navy.mil · DNS Files IP Address: 192.5.41.40 · Location: United States · ASN AS27064 DoD Network Information Center
Nameservers: dns5.disa.mil, dns4.disa.mil, squad.navo.mil, crnaone.navy.mil, dns1.disa.mil
Nameservers: squid.navo, squid.navo.mil, dns2.disa.mil, minnow.navo, navy.mil, dns3.disa.mil
tick.usno.navy.mil, navy.mil: trojan:Win32/Tiggre!rfn, Win.Trojan.Rootkit-4668, Win32:Agent-ALXE [Rtk], Win32:Malware-gen, TrojanDownloader:Win32/Umbald.A, Malware infection
IDS Detections: Win32/Tofsee.AX, google.com connectivity check
Alerts: nolookup_communication, persistence_autorun, bypass_firewall, network_http, p2p_cnc
Alerts: allocates_rwx, antivm_disk_size, creates_exe, creates_service, suspicious_process
Alerts: stealth_window, packer_entropy, uses_windows_utilities
Alerts: console_output, antivm_memory_available, pe_features
YARA Detections: MS_Visual_Basic_6_0
Alerts: process_creation_suspicious_location, injection_write_exe_process, persistence_autorun
Alerts: procmem_yara, static_pe_anomaly, deletes_executed_files, injection_runpe
Alerts: mouse_movement_detect, dynamic_function_loading, resumethread_remote_process
Alerts: injection_write_process, reads_self, stealth_window, injection_rwx, uses_windows_utilities
Alerts: queries_user_name, queries_keyboard_layout, queries_locale_api
Alerts: antidebug_setunhandledexceptionfilter, dll_load_uncommon_file_types
porn.nonstopvideos.pl • xxx-xvideo.com • essexmetals.com
http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/
navy.mil • http://acts.navair.navy.mil • http://logistics.navair.navy.mil/rcm/
https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous
192.5.41.40 scanning_host • 74.208.229.157 scanning_host
444ea032708bb0d940de0ef72b944244 | credit msudosos
Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244
https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]
https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf
DoD related: 192.5.41.40 scanning_host · 140.19.33.126 • 199.9.2.136 • 214.23.15.26
https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif
https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications)
205.162.42.171 (205.162.40.0/21) AS53866 (Omeda Communications)
https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0
mailbox.co.za
fmx32.aig.com • 167.230.105.81
https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn
4860f9c5ec1ab473f1d63d19a31c82798d65a8d2: Pulses 2 · AV Detections 1 · IDS Detections 5 · YARA Detections 3 · Alerts 0 · Analysis Date 4 days ago · File Score 12 Malicious · Antivirus Detections: TrojanDownloader:Win32/Tugspay.A · IDS Detections: TLS Handshake Failure, 403 Forbidden · YARA Detections: Win32_PUA_Domaiq, aPLib, PECompact_2xx · Alerts (31): antivm_display, infostealer_browser, infostealer_cookies, procmem_yara, static_pe_anomaly, suricata_alert, antivm_bochs_keys, physical_drive_access
CVEs: CVE-2017-8570, CVE-2024-21378, CVE-2014-3153, CVE-2014-6332, CVE-2017-0199, CVE-2017-11882, CVE-2018-8453, CVE-2020-0601
Microsoft Outlook Remote Code Execution Vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21378 · https://otx.alienvault.com/indicator/cve/CVE-2024-21378
http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp · dvd-game-new-releases.info
1.116.217.151 [Cobalt Strike]
https://www.myminiweb.com/
https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian · https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net · http://alohatube.xyz/search/tsara-brashears · https://www.sweetheartvideo.com/tsara-brashears/ · https://www.anyxxxtube.net/search-porn/tsara-brashears/
vtbehaviour.commondatastorage.googleapis.com
https://tulach.cc/ · ns3.hallgrandsale.ru
https://myaccount.uscis.gov/ • Immigration (DHS) Login · https://otx.alienvault.com/indicator/url/https://myaccount.uscis.gov/
https://otx.alienvault.com/indicator/file/e1bac17d00f49b033b745ebede6561a5d4f5ef573831f9a941797b5ea8894331
High Priority IPs Contacted • network_irc, nolookup_communication • network_cnc_http • network_http, p2p_cnc • MethCallEngine
Huawei Remote Command Execution - Outbound (CVE-2017-17215) • dead_host • network_icmp • osquery_detection
Mirai Variant Checkin Response • D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) • Domains Contacted: ntp.ubuntu.com
YARA Detections: GlassesCode
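Putting this indicator to work in a hunt, as an added example written for this page (not code from the report or from any tool it names): the script hashes a directory tree against the MD5 and matches constructed DNS and connection log lines against the contacted IPs and domains listed above. It encodes two points a practitioner would want. First, MD5 is adequate for looking up a known sample but collisions are cheap, so every file hit also records a SHA-256 of what was actually found. Second, two of the contacted hosts are shared public infrastructure that the report itself resolves to dns.google (8.8.8.8, Google public DNS) and tick.usno.navy.mil (192.5.41.40, the US Naval Observatory time server); alerting on those would fire on every host in the enterprise, so the script reports them as informational and reserves alerts for the remaining hosts. The log format, host names, allowlist split and file contents are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# Values copied from the report above.
SAMPLE_MD5 = "13309b5d9cfe00a3bc9431649b41f0d5"
CONTACTED_IPS = {"8.8.8.8", "78.46.218.253", "74.208.229.157", "192.5.41.40"}
CONTACTED_DOMAINS = {"tick.usno.navy.mil", "www.thinkman.com"}

# Shared public infrastructure the sample also touched (Google public DNS and the
# USNO NTP server). Hits on these are kept for context but not raised as alerts.
# This split is the editor's choice for the example, not given on the page.
BENIGN_INFRA_IPS = {"8.8.8.8", "192.5.41.40"}
BENIGN_INFRA_DOMAINS = {"tick.usno.navy.mil"}

# Constructed log format for the example: "<timestamp> <host> dns|conn <value>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|conn) (?P<value>\S+)$")


def file_hashes(path, chunk_size=1 << 16):
    """Return (md5, sha256) of a file, streamed so large binaries are not read whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def sweep_files(root, wanted_md5):
    """Walk root and return [(path, md5, sha256)] for files whose MD5 is in wanted_md5.
    The SHA-256 is recorded because an MD5 match alone cannot prove which bytes were found."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            md5, sha256 = file_hashes(path)
            if md5 in wanted_md5:
                hits.append((path, md5, sha256))
    return hits


def match_network_logs(lines):
    """Return [(host, value, severity)] for lines touching the contacted infrastructure.
    severity is 'alert' for attacker-side hosts and 'info' for shared public plumbing."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped, never counted as a hit
        value = m["value"].lower().rstrip(".")  # normalise trailing-dot FQDNs
        if m["kind"] == "conn" and value in CONTACTED_IPS:
            results.append((m["host"], value, "info" if value in BENIGN_INFRA_IPS else "alert"))
        elif m["kind"] == "dns" and value in CONTACTED_DOMAINS:
            results.append((m["host"], value, "info" if value in BENIGN_INFRA_DOMAINS else "alert"))
    return results


# Constructed sample log lines for the example.
SAMPLE_LOGS = [
    "2026-05-18T10:01:02Z ws-017 dns www.thinkman.com",
    "2026-05-18T10:01:03Z ws-017 conn 74.208.229.157",
    "2026-05-18T10:01:04Z ws-017 conn 8.8.8.8",
    "2026-05-18T10:01:05Z ws-042 dns tick.usno.navy.mil.",
    "2026-05-18T10:01:06Z ws-042 conn 203.0.113.9",
    "garbage line that does not parse",
]


def demo_sweep():
    """Build a throwaway tree with a decoy and one 'dropped' file whose MD5 is added to
    the watch set alongside SAMPLE_MD5, then sweep it. The file bytes are constructed."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        payload = b"MZ" + b"\x90" * 62
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:
            fh.write(payload)
        watch = {SAMPLE_MD5, hashlib.md5(payload).hexdigest()}
        return sweep_files(root, watch)


if __name__ == "__main__":
    for hit in demo_sweep():
        print("file hit:", hit)
    for host, value, severity in match_network_logs(SAMPLE_LOGS):
        print(f"{severity:5s} {host} -> {value}")
```

On the constructed logs only www.thinkman.com and 74.208.229.157 come back as alerts; the DNS and NTP contacts are listed as info so an analyst still sees the full footprint without the page storm.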

Export & API: STIX 2.1 Bundle · CSV Export · Permalink
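What a STIX 2.1 Bundle export of this indicator carries, as an added example written for this page (not the site's own exporter): an Indicator SDO whose pattern, valid_from (first seen) and confidence are taken from the report, a File SCO with the deterministic UUIDv5 id the 2.1 spec prescribes for observables, and a structural check a consumer would run before importing a bundle from a third-party feed. Assumptions: the page gives dates only, so midnight UTC timestamps are used; carrying the MISP category in labels is this example's convention; and json.dumps with sorted keys approximates the spec's JCS canonicalization when deriving the SCO id.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# UUIDv5 namespace the STIX 2.1 specification assigns for deterministic SCO identifiers.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
STIX_ID = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
STIX_TS = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d+)?Z$")

# Values copied from the report above; the midnight timestamp is an assumption (page gives a date only).
REPORT = {
    "md5": "13309b5d9cfe00a3bc9431649b41f0d5",
    "first_seen": "2025-04-03T00:00:00.000Z",
    "confidence": 88,
    "misp_category": "Artifacts Dropped",
    "detections": ["Patched3_c.AKRV", "TrojanDownloader:Win32/Umbald.A", "Win32/Tofsee.AX"],
}


def stix_now():
    """Current time in the millisecond RFC 3339 form STIX timestamps use."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def file_observable(md5):
    """File SCO whose id is derived from its ID-contributing property (hashes), so two
    producers emit the same id for the same file. Sorted-key compact JSON stands in
    for the spec's JCS canonicalization."""
    contributing = json.dumps({"hashes": {"MD5": md5}}, sort_keys=True, separators=(",", ":"))
    return {
        "type": "file",
        "spec_version": "2.1",
        "id": f"file--{uuid.uuid5(STIX_SCO_NAMESPACE, contributing)}",
        "hashes": {"MD5": md5},
    }


def indicator(report, created):
    """Indicator SDO carrying the pattern, validity start and confidence from the report."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": f"MD5 {report['md5']}",
        "description": "MD5 file hash associated with malicious samples. AV detections: "
                       + ", ".join(report["detections"]),
        "indicator_types": ["malicious-activity"],
        "pattern": f"[file:hashes.MD5 = '{report['md5']}']",
        "pattern_type": "stix",
        "valid_from": report["first_seen"],
        "confidence": report["confidence"],
        # Label convention chosen for this example; STIX does not mandate a MISP mapping.
        "labels": [f"misp:category={report['misp_category']}"],
    }


def build_bundle(report):
    created = stix_now()
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [indicator(report, created), file_observable(report["md5"])],
    }


def validate_bundle(bundle):
    """Structural checks a consumer runs before import; returns a list of problems (empty = ok)."""
    problems = []
    if bundle.get("type") != "bundle" or not STIX_ID.match(bundle.get("id", "")):
        problems.append("bundle header")
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "")
        if not STIX_ID.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            problems.append(f"bad id {oid!r}")
        if obj.get("spec_version") != "2.1":
            problems.append(f"{oid}: missing spec_version")
        if obj.get("type") == "indicator":
            if not obj.get("pattern") or obj.get("pattern_type") != "stix":
                problems.append(f"{oid}: pattern")
            conf = obj.get("confidence")
            if not isinstance(conf, int) or not 0 <= conf <= 100:
                problems.append(f"{oid}: confidence out of range")
            for key in ("created", "modified", "valid_from"):
                if not STIX_TS.match(obj.get(key, "")):
                    problems.append(f"{oid}: {key}")
    return problems


if __name__ == "__main__":
    bundle = build_bundle(REPORT)
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

Because the File SCO id is derived from the hash, two feeds describing this same sample produce the same file--UUID and deduplicate cleanly on import, while each Indicator keeps its own UUIDv4 id and provenance.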

IOC Journey: medium · First detected 1 year ago · Last seen 1 month ago · Appeared in 3 threat reports