SHA256 · Medium · Signal 91/100
1beb9ce73b9ca3f3231bfd9dee1533f6b978ed2ff5123479aad63fc00ee6e659
Location
First Seen
Apr 17, 2026
Last Seen
Apr 17, 2026
Found in 3 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
91%
Signal Score
91 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
Source reports: 3
Confidence score: 91%
Category tags
aaaa, accept, active scan, antigua, artemis, ascii text, asia, aslr, attack network, backdoor, bad login, barbuda unknown, basic, botnet activity, brute force, calls process, canada asn, canada unknown, chrome, ck id, ck techniques, click, cloud infrastructure, cnc, code, command, command line, cookie, copy, delete, delete c, direct-cpu-clock-access, displayname, dll read, dns attack, dnssec, domain, drweb, dynamicloader, echobot, encrypt, entries, error, evasion att, executes-dropped-file, expiration date, exploitation activity, extra info, farahvpn vless, file-hash, files, files c, files domain, files related, form, full path, function read, github, guard, guest system, handle, high, hong kong, hostname, hostname add, href, http, huawei remote, hybrid, iana registrar, identity & access exploitation, indicator, info processes, intel, invalid url, iot security, ipv4, ipv4 add, jkvpn, kong flag, learn, links, linux mirai, local, long-sleeps, malware, mcafee, media type, medium, meta, mirai, monitoring, moved, ms windows, msie, mutexes nothing, name servers, name tactics, nation-state activity, next, next associated, nsis, org domains, overlay, panda, parent pid, passive dns, path, pattern match, pe file, pe32 executable, peexe, peru, please, port, post, present dec, present feb, present jan, present mar, present nov, present oct, present sep, proxy, push, ransomware, rdap, rdap database, read, read c, read registry, reaqta, record value, registry keys, related tags, remote command, researched, reverse dns, roles, runtime-modules, scribd, script urls, search, servers, show, south america, south korea, spawns, status, stream, strings, t1018, t1056, t1071, t1082, t1095, t1105, t1497, t1518, taiwan as3462, telecom, telnet login, telnet root, threat actor, title, tofsee, tor node, total, trojan, ttl value, twitter, type, typews, ultimate file, united, unknown ns, urls, utc8 network, variant cnc, vipre, virgin islands, vpn, windows, windows sandbox, write, write c, wscript shell, zenbox verdict
Activity Timeline
Apr 17 – Apr 17
Threat Activity Heatmap · Peak: 2026-04-17
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 91
Confidence: 91%
Reports: 3
First seen: Apr 17, 2026
Last seen: Apr 17, 2026
VirusTotal
Not checked
WHOIS
- description
- PE32 executable for MS Windows (GUI) Intel 80386 32-bit
- references
  - https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_ReaQta-Hive.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776404544&Signature=LCRNjms1qthotVXcKmffBD10Y7DKisr7k%2BlVYrTjCank6HB3%2ByH%2F1sAynrAczQNJMFvSCN5berXjisgbRQS12Ua0xWRr9S8WNELQIpaix5s1ZmT%2F20DZy3aPTFnkYjLEAbwCqct2rNETUFlznOBprz2NuaYDQTMU%2BBIuWQmPBconTM%2Bl3i3R2ijpm8NB74T2%2FHObuJDy9Q6nZLrypCtVXWXhM%2FFXBVbGbSnv8YuAN1knzyCy7
  - https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_VenusEye%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776404740&Signature=UTWPNbGAoA9TgTHQiId%2B2IX5vXvrJW9JEMICUB8TIsjB%2F%2FqCyeDRc4kvJNYPqQxTrStjGw64eO9p5qPWO6VtkqSnCJfMhO67pVlA8pr2ftHKAGXBV5zwKVkKMUZEs45BhHkY1DLOe0o69EkrN5SlNTblrAVGT5Q6ZG54BbmLetpACp804v%2F9sfa7RgSTZBnItoA9xHcNnivoqRtyhreowE%2FTLFAXboIqs9cti95uwbKKhqzb
  - https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776404830&Signature=xTx%2BpDgPVcC%2F9bas7r9zOD2cjhR8moW2kepUI6Dfmz5WrCrWqUpFCtn3pgbDYZqdfFa8HCluzOBpUA8ULheNBisUcHil3cplF57DdYR1C1d9uPgSqqOrjpYXoL3OtlzZFv8X00%2Ft7xwGwRgS9BohRtLi8EFvJTAJ7RC7EOm9FpG49dFxcnvjNDFSixUo2g9P0f4m0li3fkcR9onjdL2WmM1vSmAJBiaVxCMHhG8K49Ro3AwUrT9AV2uG9CnH%2Bu
  - https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776404848&Signature=WmTL2fYm%2FkDYVa9Qo9Nz9RPF1sK%2BSfCJJtstGHcUos0pBsz0gehytubNXzwSckZACwulvt8Ye%2BDV3Q82C9WedSfmtisHhwbJuUC69xdfCcBiGcZjiEl%2FCDYoT5bQr16cZP7weWAn%2Beg8YFq4S5VWlVp3M7vNlHJSPy%2Bt4RNKiO6O5wHc74tX7b5Hvl08W9i%2F6vQ8iTmB0OFx21UK%2FG4wdLMIrBbhaxVD3zWi81iu0vgOU9
  - https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776404928&Signature=tWjsWqqnoY%2FioSmCeqIaZY4021%2Bm6UFV%2BEiTdTHnMx6FcCgc4YRDjhGLoV24Vk%2Bq8%2Fz0qx1OAHNDq3adCrUxmP%2BTR0vYWjYEiuy%2F6hg7oSF9eiX%2BAEgRS7vQzZdiOy7%2BoKaLRFGet0HWmKoQkMYLyrY9Yu4k5mnQmOG4oecchl9baESpYfESVVfol0t7Xn%2FZCVd%2FH5gn%2BCysfY7lTC07sxIs0Cc6%2F%
  - https://pamchall.com/Telegram@V2ray_Alpha/
  - Domain: t.me • Email: [email protected]
  - https://t.me/
  - Win32/Tofsee.AX google.com connectivity check
  - IDS Detections: Win32/Tofsee.AX google.com connectivity check; Observed Telegram Domain (t .me in TLS SNI)
  - Yara Detections: Cabinet_Archive, SFX_CAB
  - ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  - Antivirus Detections: ELF:Mirai-AAL\ [Trj], Unix.Trojan.Mirai-1, Backdoor:Linux/Mirai.N!MTB
  - IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain; Huawei Remote Command Execution (CVE-2017-17215); Huawei Remote Command Execution - Outbound (CVE-2017-17215); Huawei HG532 RCE Vulnerability (CVE-2017-17215); DYNAMIC_DNS Query to *.duckdns. Domain; SUSPICIOUS Path to BusyBox HiSilicon DVR - Default; Telnet Root Password Inbound; TELNET login failed root login Bad Login
  - Yara Detections: Mirai_Botnet_Malware, Mirai_2, is__elf, Linux_Mirai, ECHOBOT
  - Sandbox signatures: dead_host, network_icmp, tcp_syn_scan, nolookup_communication, networkdyndns_checkip, writes_to_stdout
  - IPs Contacted: 1.0.21.231, 1.0.42.181, 1.1.116.28, 1.10.203.28, 1.10.54.62, 1.101.0.202
  - IPs Contacted: 1.101.184.254, 1.103.104.9, 1.103.141.89, 1.104.104.227
  - Contacted: newmethcnc.duckdns.org
  - https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e
  - https://eurotarget.com/it/auto/toyota/c-hr/
IOC Journey
Medium · First detected 2 months ago · Last seen 2 months ago
Appeared in 3 threat reports