IOC Radar
MD5 · High · Verified · Signal 88/100

306b5d4ac19f49754b35460cde1d0993

Location
Peru
First Seen
May 24, 2026
Last Seen
Jun 12, 2026
Found in 5 source reports. Confidence: high (88%). Confidence scores are heuristic; verify before acting on results.
MD5 Hash
MD5 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
MD5
Confidence
88%
Signal Score
88 / 100
IDS Rule
No
Threat Context
MITRE ATT&CK TTPs
13 techniques
Feed Intelligence Summary

Source reports
5
Confidence score
88%

Activity Timeline

1 total observation (Jun 12)

Threat Activity Heatmap (peak: 2026-06-12)
Observations by window
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Verified IOC
VirusTotal
Not checked
Description
MD5 of 03acb11799183f3b25b2ffe7227e0e010016eae81b23a663f32b5b0929d0598d
