SHA1 · Medium · Signal 98/100
3477a173e2c1005a81d042802ab0f22cc12a4d55
Location
First Seen
Jun 17, 2021
Last Seen
Jun 19, 2026
Found in 11 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-1 Hash
SHA-1 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA1
Confidence
98%
Signal Score
98 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
11 reports · 98% confidence
11
Source reports
98%
Confidence score
Category tags
.neta serviceabcdabuseacademic institutionsacceptaccessaccountacidrainactive directoryactive scanactive scanningad environmentad groupadfindadministratoradvanced portadvanced port scanneradvancedportscanneraes keyafghanistanafricaagentahnlabai securityaitbakiraakira iocsalbaniaalbanianalexalienvault_ransomwarealiveallegatoalphvamadeyamsi telemetryanalyzeanchoranchordnsandarielandariel groupandroidanunakanydeskanydesk remoteapacheapache tomcatapi callapi hashapi hashingappdataappeappearanceaptapt 27apt groupapt19apt27apt29apt29 activityapt29 conductapt41aquatic pandaarcanearctic wolfarmeniaartefactsfolderartemisascii valueascii85asec analysisasiaasnsasset managementasyncratateraatera agentatomatomicattackattack casesattack overviewauroraautoitautomotive manufacturingav evasionav/edr bypassavastavedr agentavedr bypassavosavoslockerazaz09azorultbackbackdoorbackup deletionbackup destructionbad rabbitbad reputationbankbankingbasebase64base85basecampbatloaderbazaarbazaloaderbazarbazar c2bazar loaderbazarbackdoorbazarcallbazarloaderbazarloader dllbeaconbeacon dllbeacon payloadbeacon typebeacon versionbeaconloaderbeapybearbeatdropbeerbelarusbelowbeyondbianlianbianlian groupbitcoinbitsblackcatblackshadesblisterblobbluenoroffboatlaunchbodybokbotbookmark serverboommicbotnetbotnet activitybrazilbreachbridgebrowserbrute forcebughatchbuildbumblebee c2bumblebee dllbyovdbypassc activityc serverc2 datac2 dropboxc2 profilec2 serverc2 trafficcaesarcampocampo loadercanadacanthroidcaploadercapturecarbon spidercashcec listcenterallcephalus ransomwarecerbercertchachachamelgangchanitorchaprochatchecks-usb-buschimerachinachina chopperchinese-speaking cybercrimechiselchm filecisacisa kevcisco asacisco securecisco taloscisco threatcivil servicesck techniqueclassclassloadercleanupclickclosecloudcnc servercnuserscobaltcobalt strikecobalt strike loadercobalt strikescobalt-strikecobaltstrikecodecode executioncoinminercolor1cometcommandcommand & controlcommand and controlcommand 
executioncommentcommercial bankingcommunication protocolcompilecompromised websitescomputer securitycomspecconceptconficonfigconfluence dataconsoleconsumer goodscontcontactcontentconticonti affiliateconti gangconti groupcontributorscontrolcookiecookie valuecopycorecore impactcorporate lawcortex xdrcovewarecovid19cp1250credentialcredential accesscredential harvestingcredential stuffingcredential theftcredit card servicescrowdstrikecrphcryptercrypto cybercryptocurrencycs loaderctrltcubacuba ransomwarecustomerloadercvecvsscybercyber attackscyber espionagecyber espionage solutionscyber newscyber security newscyber security updatescyber threat hunterscyber threatscyber updatescybercrime forumscybercrime hascybereason xdrcybersecurity architectcyclopsczechiadark cometdarkcometdarkgatedarkhoteldarkshelldarksidedatadata breachdata centerdata encryptiondata exfiltrationdata riskdata store exposuredatopdatoploaderdaveshelldc serverdclocalddosdeadeyedecoydecryptdef condefencedefenderspynetdefensedefense evasiondefraydefray777delphidemodenis legezodesktopdestination managementdetectdetect-debug-environmentdexterdfdownloaderdfir reportdfir teamdiavoldiceloaderdidier stevensdigital certificatesdircreatedirect systemdirect-cpu-clock-accessdirectorydiscorddisplaynamedkmcdkmc frameworkdll filedll librarydll payloaddll sideloadingdllentry ratdllsdnc hackdnc networkdns attackdocument managementdoesndomaindonald trumpdonedonutdoormedoorme backdoordoppelpaymerdoradorkbotdos headerdouble extortiondownloaderdownragedpiawaredridexdropboxdropbox loaderdropperdrops cobaltduckdukedumpduqudustpandwordearth wendigoeasyeasylookedr hooksedreppeducationeducational resourceseducational serviceseducational technologyefnoegregoregregor payloadelectronic health recordselectronics manufacturingelfeliteemerging threatemissary pandaemotetemotet campaignemotet coreemotet epochemotet payloademotet runempireenableencoderencryptencryptionendpoint1energyenglishenjoyenterpssessionentropyentry 
pointepochepochsepochtimeerik hjelmvikerroreseteset researcheset securityestoniaesxiet cncet exploiteuropeeurope/asiaevil corpexcelexecutable fileexfiltrationexitendififexotic lilyexpert perspectiveexploitexploit avaliableexploitationexploitation activityexploits & vulnerabilitiesexport functionextortionf figurefailfalconfalcon completefalsefastfeaturefeodo trackerficker stealerfigurefilefile-hashfilejustfileless malwarefilesfillerfin7finalfinancefinance and insurancefinancial servicesfinancial technologyfindfinspyfireeyefirstfirst detectionfishmasterfivehandsflexfogfog ransomwarefooterfoozerforceforeign affairsformformatfortunefrom karakurtfrontfrpftp brute forcefunctiong o2gap analysisgasgategate variantgaussgeckogeneric.933739georgiagermanyget requestgetchilditemgetoperandvaluegif headergithubgithub projectglobal funcgnu cgo downloadergogogolanggold blackburngoogle chromegoogle cloudgoogle docsgoogle drivegootkitgootkit loadergootloadergotrojgovernment technologygozigozi malwaregrabffgrantedaccessgrapeloadergreecegriffongroup policygroupexchangegrouprevilgroupuchebkacguardguloaderhackhacker newshackermanhacking newshacking teamhadeshaixi mongolhancitorhancitor c2hancitor dllhancitor exehandoverharpyharvesterhas expiredhashhasheshatching triagehavocheadhead mareheaderheadlineshealth care and social assistancehealth information technologyhealthcare information systemshellhellohello packethellokittyhidehidedrvhigher educationhighesthikithillhivehoneymytehong konghookhookshospital managementhospitality serviceshostnamehostname enumerationhow to hackhta filehtmlhtml filehtml objecthttphttp brute forcehttp c2http gethttp methodhttp posthttp scannerhttp traffichttpshttps traffichumanhuntershwinithlwhydrahypervicedidicedid malwareicedid payloadiceidicmpida proidentity & access exploitationigosiis workeriit appil fileil messaggioimages evidenceimpactimportin the wildincident responseindia-chinaindicatorindonesiaindustrial automationindustrial iotindustrial 
productioninfectionidinfoinformation gatheringinformation securityinformation technologyinfostealeringress tool transferinitial accessinitial contactinjectinjection activityinjectorinnoinstallintelintellectual property lawintro contiinvestigation servicesinvestigationsioc510iocindicatoriocsiot securityipcountipv4iran, islamic republic ofiso fileiso filesystemiso imageissuer cusissuer orgit infrastructureitaliaitalyitw nameja3ja3sjames haughomjan rubnjapanjarmjarm signaturejarsjasonjavascript codejitterjohnjs filejson objectjssloaderk-12 educationkalikarakurtkaspersky icskazakhstankazuarkeenadukerrdown samplekeyloggerkeyplugkhalesikhtmlknightknown hostnameskoadickorea, democratic people's republic ofkorea, republic ofkoreankorean assetkportscankronoslabslaterlateral movementlatestlatinlatvialaw practicelazagnelearnlearn morelegallegal consultinglegal researchlegal serviceslegal technologylegezolemon duckleviathanlifelimelinodelinuxlinux systemlithuanialnk filelnklnklnklnkloaderlocallockbitlockbit blacklog4jlog4shelllogiclogmeinlokibotlolbinslong-sleepslpwstr lpbufferlsasslsass memorylsass processltexasluckyluckymouseluminousmothlynxmac osmacawmachinescalemachomacosmacromagicmailtomainmain entrymakadocsmakesmakopmalaysiamalcatmaldocmalicious downloadmalicious filemalicious powershell activitymalicious softwaremalspammalwaremalware descriptionsmalware distributionmalware technologiesmalwarebazaarmanagemanaged xdrmanufacturing technologymarchx8664 gmaremarkmaskmatanbuchusmatches nomatrixmazemaze ransomwaremcafeemediamedicalmedical servicesmedremeetingmegamespinozametasploitmeterpretermethodmethodologymexicomfa bypassmichaelmicromicrobackdoormicrosoft docsmicrosoft wordmidst intrusionmimicmindminermitre attmobile threatmodelmodeloadermodule stompmongoliamonitoringmonovmmonpassmonpass clientmonpass webmorphisec labsmortomotcmotnugmountlockermovingmozillams windowsmsbuildmsbuild processmsbuild projectmsf downloadermsf shellcodemshtml enginemsiemssqlmssql processmssql 
servermuddywatermultiplemustang pandamyanmarmyrtusmz headern c2n cobaltn httpsnaganamename filenarilamnation-state activitynativezonenbtscannebulaneitherneshtanetbiosnetscannetspynetsupport ratnetwalkernetwirenetwork forensicsnetwork reconnaissancenetwork scanningnetwork securitynevernew zealandnewsnextnexusngrokngrok tunnelnightnim malwarenim programmingnimgrabbernimrevnimrodnimrodnimzanimzaloadernltestnobeliumnonamenorth americansantdsntlmntlm hasho2 o2ocean lotusoceaniaoceanlotusoffensivenimoilrigololone marketplaceoniondukeonlinoofficeopenopen processopen sourceopenfieldopensopenssloperating systemoperation pawnoperationsopsecor filefullnameoracle weblogicorionos versionoveroverlayownerp4bnzr0palo altopandapartpasspassword attackpatchpathpatient carepawn stormpayloadpayloadbinpayment processingpcappdf documentpe headerpeexeperuphantomheartphasephishingphishing attackphotoloaderpingpingcastlepinkslipbotpioneerpipespl shellcodeplatform sha256play ransomwarepleadpleaseplinkplugxplugx backdoorplugx implantpoint companypoisonpolandpoliceponypoortryportpos softwareposhc2postpost bodypost methodpotential scanpowerpowershellpowershell ratprefecturepress enterprimary threatpriorprivacyprivilege escalationproceedprocess hackerprocess injectionprocess manufacturingprojector libraprophetprophet spiderprotectproxyproxyshellpsexecpsrppublicpublic administrationpublic infrastructurepublic policyputtypymafkapysapysa ransomwarepythonpython scriptpyxieqakbotqakbot binaryqakbot malspamqakbot malwareqbotquality controlquasarquesto certquietexitraasradarradminragnarlockerraindrop loaderrandomransomransom virusransomexxransomhubransomwareransomware malwarerapid7rararchiveraspberry robinratrat trojanratsrazyrc4 encryptionrclonerdprdp accessre#turgencereaves6 minreconrecon villagereconnaissanceredlineredline stealerreferregdword dregszregulatory agenciesregulatory complianceregwriterelatedtoremcomremcosratremote accessremote 
servicesremoverenamereportreportsrequestresearchresearchedretail tradereturn addressrevilrevilcontiritarobinhoodrollcoastrootrozenarubeusrubyrun registryruntime-modulesrussiarussian federationrustrustockrustybuerryukryuk domainryuk hostryuk ransomwareryuk threatsabbathsafetykatzsagesandboxsandbox reportscalescams & fraudscanscan behavioralscannerscoutscriptscripting attacksseadukeseatbeltsecurexsecurity groupssecurity operationssekhmetsekurselectserbiaserverserver helloserviceservice mainservice scanservice workerset currentsfx codesfx fileshadowshadow chasersharpkatzshathakshellshellcodeshownshutsignsignedsilentsilent breaksilent trinitysilentbreaksizesleepsleepexslingshotsliverslovakslovakiasmadavprotect32smallsmb beaconsnakesnortsnowsoarsocgholish netsupportsocial engineeringsocssodinokibisofacysoftethersoftware developmentsoftware exploitationsoftware vulnerabilitysolarstormsolarwindssomniasourcesourceimagesouth africasouth americasouth koreaspamsparklinggoblinsparkratspawnspear phishingspeedsphwspidersprite spiderspyeyessh attackssl vpnsslblstabuniqstackstagestagerstagesstarstarkstarsstarted servicestartwstatastatestdoutstealerstefanstellarparticlestoneboatstopstormstorystreamstrikestrike activitystrike beaconstrike loaderstrike payloadstringstringsstrongstrontiumsttxstuxnetsublime editorsummarysuncryptsupernovasupply chain attacksupply chain managementsvchostswedishswiftsyn scansyscallsysdigsystemsystem disruptionsystembcsyswhispers2szdrft1003t1005t1016t1018t1021t1021.001t1021.002t1021.004t1027t1046t1048t1053t1055t1056t1059t1059.001t1068t1069.001t1070t1071t1071.001t1076t1078t1082t1083t1086t1090t1105t1110t1110.002t1113t1133t1135t1136t1140t1187t1190t1192t1199t1203t1204t1204.002t1210t1213t1218t1485t1486t1489t1490t1491t1497t1499.002t1539t1547t1550t1552.001t1555t1560t1561t1562t1562.001t1563t1565t1566t1566.001t1566.002t1566.003t1567t1569t1569.002t1570t1573t1588t1589.001t1595t1595.001t1595.002t1595.003t1598.003ta machineta471ta551ta578ta800talostargettargeted 
attackstargetimagetask managertcp porttcp scanteamteamt5teamt5 teamt5techtelecomtelecommunicationstemptencentthe hacker newstheftthemidathorthreatthreat actorthreat actor profilingthreat actorsthreat advisorythreat alertthreat analysisthreat analysis servicethreat feedthreat gridthreat intelligencethreat researchthreat responsethreat spotlightthreat-intelligencethreatsthreatsonarthreatsonar anti-ransomwarethreatvisionthrowbacktimetinbatipstldstls clienttls servertooltoolstor directorytor nodetouchtourism marketingtourist attractionstoxtracingtrackertransferxl urltransferxl urlstransparent tribetransportation servicestraveltravel agenciestravel bookingtravel experiencetravel technologytravelextrellotrend microtrend visiontrickbottrickbot c2trickbot crewstrickbot grouptrickbots crewtrickbots cstriggertrinidad and tobagotrinitytrojantrojanspytrumptrustttpsturkeyturkishturlatvrattwittertycoontypeuac0056udp scanukraineunc1151unc2165unc2190unc2190 beaconunc2198unc2452unc2465unc2589unc3381unified accessunitunited kingdomunited statesunusual porturisurlcampourlsurls httpurlshxxpursnifuse sectionuserpcnameutoxuuid variantuuidsuwagauxxxxxxvaporragevariantvaronisvaronis threatvatetvawtrakvba macrovbs scriptveeamveeam backupvhashvidarvietnamviewvincssvision onevmwarevmware commandvmware horizonvmware identityvmware xfervnc activityvobfusvoicevoidvollgarvpnvpn appliancevpn exploitationvpn kalivscodevulnerabilityvulnerability scanwaf rulewdigestwealth managementweb application attackweb shellweb trafficweblogic accesswebshellwherewin32 malwarewin32.agentwin32.bitcoinminerwinapiwinapi callwindwindowwindowswindows binarywindows contextwindows eventwindows exewindows hostwindows logonwindows malwarewindows ntwindows remotewindows servicewindows systemwineloaderwinidswinntiwinnti groupwinrarwinrmwinscpwiperwirelurkerwizard spiderwmicwmiexecwolfwordword documentworkspace onewormwritewscriptx.509xll filexmrigxor algorithmsxsiamxss attackxtunnelxyzcampobb hxxpyahxzyanluowangyarayara 
rulez85 ascii85z85 httpszbotzenpakzenseczeuszip filezloaderzscaler cloudzusyzxkbdklakv
Activity Timeline
Jun 19
Threat Activity Heatmap
Peak: 2026-06-19
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk
98
SIGNAL
Signal Score
98%
Confidence
11
Reports
First seen: Jun 17, 2021
Last seen: Jun 19, 2026
VirusTotal
Not checked
WHOIS
- description
- PE32 executable (GUI) Intel 80386, for MS Windows
- references
- https://asec.ahnlab.com/en/85400/, https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/, https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/, https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/#post-132125-_u6j4jrmuhgk8, https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-returgence-attack-campaign-turkish-hackers-target-mssql-servers-to-deliver-domain-wide-mimic-ransomware/, https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/, https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g, https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/, https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/, https://blog.talosintelligence.com/manjusaka-offensive-framework/, https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html, https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/, https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html, https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/, https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/, https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/, https://cert.gov.ua/article/703548, https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/, https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824, https://cert.gov.ua/article/619229, https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/, https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html, https://blog.talosintelligence.com/avoslocker-new-arsenal/, 
https://isc.sans.edu/diary/rss/28752, https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html, https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/, https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions, https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis, https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee, https://thehackernews.com/2022/05/malware-analysis-trickbot.html, https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux, https://asec.ahnlab.com/en/34549/, https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664, https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md, https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf, https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf, https://isc.sans.edu/diary/28636, https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html, https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/, https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/, https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html, https://blog.talosintelligence.com/mustang-panda-targets-europe/, https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/, https://security.macnica.co.jp/blog/2022/05/iso.html, https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/, https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt, https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf, https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/, 
https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/, https://thedfirreport.com/2022/04/25/quantum-ransomware/, https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/, https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html, https://www.varonis.com/blog/hive-ransomware-analysis, https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/, https://vanmieghem.io/blueprint-for-evading-edr-in-2022/, https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/, https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/, https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html, https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI, https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/, https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/, https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64, https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf, https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire, https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/, https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448, https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/, https://www.arashparsa.com/catching-a-malware-with-no-name/, https://cert.gov.ua/article/37704, https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/, https://thedfirreport.com/2022/03/07/2021-year-in-review/, https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/, 
https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage, https://cyber.wtf/2022/03/23/what-the-packer/, https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes, https://asec.ahnlab.com/en/31811/, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/, https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489, https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike, https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/, https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/, https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/, https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue, https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/, https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/, https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/, https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html, https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks, https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/, https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1, https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf, https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia, https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/, 
https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671, https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/, https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/, https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/, https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf, https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf, https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/, https://istrosec.com/blog/apt-sk-cobalt/, https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/, https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/, https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/, https://securelist.com/apt-luminousmoth/103332/, https://isc.sans.edu/diary/rss/27618, https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads, https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass, https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/, https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/, https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/, https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise, 
https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/, https://www.cisa.gov/news-events/analysis-reports/ar21-148a, https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a, https://www.lac.co.jp/lacwatch/report/20210521_002618.html, https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf, https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/, https://thedfirreport.com/2021/05/12/conti-ransomware/, https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/, https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/, https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/, https://blog.talosintelligence.com/lemon-duck-spreads-wings/, https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/, https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff, https://isc.sans.edu/diary/27308, https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c, https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/, https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures, https://www.qurium.org/alerts/targeted-malware-against-crph/, https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware, https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/, https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811, https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout, https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/, 
https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md, https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060, https://thedfirreport.com/2021/01/31/bazar-no-ryuk/, https://www.security.com/threat-intelligence/solarwinds-raindrop-malware, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/, https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618, https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html, https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach, https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/, https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/, https://isc.sans.edu/diary/rss/26862, https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf, https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf, https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware, https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/, https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/, https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/, https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv, https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/, https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/, https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md, https://thedfirreport.com/2020/10/08/ryuks-return/, 
https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/, https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/, https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf, https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos, https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/, https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims, https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/, https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/, https://blog.talosintelligence.com/building-bypass-with-msbuild/, https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html, https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf, https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A, https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html, https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf, https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/, https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf, https://contagiodump.blogspot.com/2014/11/onionduke-samples.html, https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/, IOCs2.csv, https://securelist.ru/head-mare-phantomheart-and-phantomproxylite/114753/, https://zensec.co.uk/blog/unmasking-akira-the-ransomware-tactics-you-cant-afford-to-ignore/, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a, https://thehackernews.com/2025/03/the-new-ransomware-groups-shaking-up.html, https://asec.ahnlab.com/ko/85270/, Makop-Hashes.pdf, MedusaLocker IOC, 
https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/
IOC Journey
Confidence: medium · First detected 5 years ago · Last seen 2 days ago
Appeared in 11 threat reports