SHA-256 IOC (verified, signal score 85/100, high confidence)
3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3
First seen: Jun 14, 2023
Last seen: Jun 3, 2026
Found in 6 reports. Confidence: high. Confidence scores are heuristic; verify before acting on results.
Type: SHA-256 file hash (primary identifier for malware samples)
MISP category: Artifacts Dropped
Hash algorithm: SHA256
Confidence: 85%
Signal score: 85 / 100
IDS rule: No
Threat context tags: none listed
MITRE ATT&CK TTPs: none listed
Feed intelligence summary: 6 source reports, 85% confidence score.
Category tags bearing on this record (from a much longer feed-wide list): bitter apt, kiwistealer, information stealers, data exfiltration, string decoding, string obfuscation, rot2 cipher, mutex, malware hash, file-hash, sample sha256, threat intelligence
Activity timeline (heatmap, peak 2026-06-03): sightings in the last 24h: 0 (dormant); 7d: 0 (dormant); 30d: 1 (minimal); 3mo: 1 (minimal).
Threat score: 85 / 100 (High Risk)
Verified IOC: yes
VirusTotal: not checked
WHOIS: none (not applicable to a file hash)
Description:
KiwiStealer is a file-exfiltration malware first identified in 2024 and observed in late 2024 in use by the Bitter APT. Its primary function is harvesting and exfiltrating files rather than lateral movement or elaborate persistence. The sample enumerates specific directories and targets a defined set of file extensions, exfiltrating only files modified within the past year and smaller than 50 MB. Before collecting files, it gathers basic system information, at minimum the username and computer name, and appends these identifiers to the command-and-control (C2) URI. The C2 endpoint is hardcoded in the binary and decoded at runtime in two steps: string reversal followed by a modified Caesar cipher (ROT2). Because of this, the plaintext URL does not appear as a contiguous string in the binary; a static string search has to look for the transformed form or run after decoding. The sample creates a mutex named "rabadaisunique" to prevent multiple concurrent instances on the same host; the mutex name and the decoded C2 endpoint are the most directly usable host-level and network-level indicators in this description.
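The C2 decoding and file-selection rules in the description, as an added worked example in Python (this is not code from the source reports or from KiwiStealer itself). It decodes a stored string by reversing it and undoing a ROT2 shift, builds the beacon URI with the host identifiers appended, hunts a binary blob for URLs kept in the stored form, and applies the one-year / 50 MB selection rule. Assumed, because the page does not specify them: that ROT2 acts on ASCII letters only and that decoding shifts back by 2; the query-parameter names in the beacon URI; the target extension list; the sample URL (an RFC 2606 reserved name); and a year counted as 365 days.

```python
"""Added worked example: KiwiStealer-style C2 string decoding and file selection.
Not code from the source reports or from the malware; assumptions are marked."""
import re
import time
from pathlib import Path
from typing import List, Optional

ROT_SHIFT = 2                          # "ROT2"; assumed to act on ASCII letters only
MAX_FILE_SIZE = 50 * 1024 * 1024       # files must be under 50 MB
MAX_FILE_AGE = 365 * 24 * 60 * 60      # modified within the past year (365 days assumed)
# The real extension list is not given on the page; this set is constructed.
TARGET_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt"}


def rot_letters(text: str, shift: int) -> str:
    """Caesar-shift ASCII letters by `shift` (mod 26); other characters pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decode_c2(stored: str) -> str:
    """The described runtime routine: reverse the stored string, then undo the ROT2.
    Assumption: the stored form was shifted forward by 2, so decoding shifts back."""
    return rot_letters(stored[::-1], -ROT_SHIFT)


def encode_c2(plain: str) -> str:
    """Inverse of decode_c2; used only to build the constructed sample below."""
    return rot_letters(plain, ROT_SHIFT)[::-1]


def beacon_uri(c2: str, username: str, hostname: str) -> str:
    """Append the collected identifiers to the C2 URI (parameter names are assumed)."""
    return f"{c2}?u={username}&h={hostname}"


def find_encoded_urls(data: bytes) -> List[str]:
    """Hunt a binary blob for URLs stored in reversed+ROT2 form.
    '://' contains no letters, so ROT2 leaves it alone and reversal turns it into
    '//:'; 'http'/'https' become 'jvvr'/'jvvru' and, reversed, follow it.
    Each matching printable run is decoded whole; in a real sample a run may
    carry neighbouring bytes that need trimming first."""
    hits = []
    for run in re.findall(rb"[!-~]{8,}", data):      # runs of printable, non-space ASCII
        text = run.decode("ascii")
        if re.search(r"//:u?rvvj", text):
            hits.append(decode_c2(text))
    return hits


def file_matches(suffix: str, size: int, mtime: float, now: float) -> bool:
    """Selection rule from the description: targeted extension, modified within a
    year, and under 50 MB. Pure, so it can be checked without touching the disk."""
    return (suffix.lower() in TARGET_EXTENSIONS
            and now - mtime <= MAX_FILE_AGE
            and size < MAX_FILE_SIZE)


def collect_candidates(root: Path, now: Optional[float] = None) -> List[Path]:
    """Walk `root` and return the files the stealer would pick up."""
    now = time.time() if now is None else now
    chosen = []
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            if file_matches(p.suffix, st.st_size, st.st_mtime, now):
                chosen.append(p)
    return chosen


if __name__ == "__main__":
    # Constructed sample: a plaintext C2 URL (RFC 2606 reserved name) as it would be stored.
    stored = encode_c2("https://example.invalid/upload.php")
    print("stored form :", stored)
    print("decoded     :", decode_c2(stored))
    print("beacon      :", beacon_uri(decode_c2(stored), "alice", "WS01"))
    blob = b"\x00" * 8 + stored.encode("ascii") + b"\x00" * 8   # constructed binary blob
    print("hunt result :", find_encoded_urls(blob))
```

The hunting function relies on `://` surviving the letter shift unchanged: reversed, it becomes `//:` immediately followed by the shifted scheme, which is a cheap signature for scanning unpacked samples for the same obfuscation. Running the block directly prints the constructed sample encoded, decoded, turned into a beacon URI, and recovered from a blob.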
IOC journey: first detected 3 years ago (Jun 14, 2023), last seen 10 days ago (Jun 3, 2026); appeared in 6 threat reports.