IOC Radar

SHA-256 · Medium · Signal 58/100

45cb3493020782cfcd906fb9afbf72d7f973b6e425fc5d3bd88a429e8ea395b1

Location: Netherlands (a file hash has no location of its own; this value is report metadata, not a property of the file)
First seen: Apr 2, 2025 (456 days ago)
Last seen: Jun 2, 2026 (30 days ago)
Reports: 4 source reports
Confidence: 57% (medium)

Found in 4 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
SHA-256 Hash: SHA-256 file hash, the primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 57%
Signal Score: 58 / 100
IDS Rule: No
Threat Context

Tags: see Category tags below.
MITRE ATT&CK TTPs: 79 techniques (the technique IDs are carried in the Category tags).
Feed Intelligence Summary

4 source reports · 57% confidence score
Category tags
Extraction ran the site's tag cloud together without separators, so the full list is not reliably recoverable. What can be recovered is the set of ATT&CK technique IDs (exactly the 79 the page counts) and the malware-family and actor names below; the remainder is AV detection names, sandbox/IDS/YARA labels, WHOIS fields and unrelated industry vocabulary (legal services, logistics, telecom), which suggests the cloud aggregates across all four reports rather than describing this file.

ATT&CK technique IDs (79): T1003, T1005, T1018, T1021, T1021.001, T1027, T1030, T1040, T1041, T1046, T1047, T1053, T1055, T1056, T1057, T1059, T1059.001, T1059.003, T1059.007, T1060, T1064, T1068, T1071, T1071.001, T1076, T1078, T1082, T1102, T1105, T1110, T1110.002, T1119, T1129, T1133, T1140, T1143, T1189, T1190, T1199, T1203, T1204, T1204.001, T1204.002, T1204.003, T1486, T1490, T1491.001, T1496, T1499.002, T1499.003, T1518, T1518.001, T1547, T1553, T1553.002, T1554.001, T1554.003, T1556, T1562, T1563, T1565, T1566, T1566.001, T1566.002, T1566.003, T1568, T1568.002, T1571, T1583, T1583.001, T1583.005, T1587.001, T1589.001, T1590.001, T1595, T1595.001, T1595.002, T1595.003, T1598. Note that T1060, T1064, T1076 and T1143 are retired in current ATT&CK versions, so the tags mix old and current IDs.

Malware families named in the tags: adwind, arkeistealer, asyncrat, banload, cryptbot, cycbot, danabot, emotet, formbook, guloader, maktub locker, nanocore, njrat, plugx, qqpass, remcos, snatch, trojan.morstar. Actor tags: mustang panda, TA413, TA569, "tibetan targets".

Activity Timeline

1 total observation (Jun 2)

Threat Activity Heatmap

Twelve-month heatmap (Jun to Jun, weekday rows Mon/Wed/Fri); the rendered image is not recoverable from the page. Peak: 2026-06-02.

Rolling windows: 24h: 0 (dormant) · 7d: 0 (dormant) · 30d: 0 (dormant) · 3mo: 1 (minimal)
Threat Score: Medium Risk · Signal 58 · Confidence 57% · 4 reports · First seen Apr 2, 2025 · Last seen Jun 2, 2026

VirusTotal

Not checked

WHOIS

(no data shown)

References

Excerpts from the four source reports, in page order, lightly cleaned. None of the file hashes quoted below is the indicator above (45cb3493…); they are the hashes of other samples described in the same reports, so the family names (Maktub Locker, PlugX, FormBook, GandCrab and others) are report context, not a verdict on this file. Sandbox-local and CDN addresses (the private IP 192.168.56.108, the Cloudflare address in front of fbi.gov) and the public resolver 114.114.114.114 are not actionable indicators on their own; the AV and IDS labels attached to 114.114.114.114 are detections on samples that queried that resolver, not evidence against the resolver.

Report excerpt: Ransomware » TrojanDownloader:Win32/Dalexis (Maktub Locker)
- FileHash-SHA256 01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32
- Antivirus detections: Win32:Filecoder-AD [Trj], Win.Malware.Cabby-6803812-0, TrojanDownloader:Win32/Dalexis!rfn
- IDS detections: Maktub Locker TOR Status Check; TOR Consensus Data Requested; TOR 1.0 Server Key Retrieval; Tor Get Server Request; TLS Handshake
- Domains contacted: fbi.gov
- IPs contacted: 104.16.149.244, 128.31.0.39, 131.188.40.189, 14.200.177.98, 148.251.79.57, 185.220.100.255, 199.249.230.142, 199.254.238.52, 23.128.248.20, 45.58.156.76
- Also listed: tulach.cc | 114.114.114.114 [public1.114dns.com] | thebrotherssabey | "bian sabey under multiple WP & DGA domains, various titles, various roles"
- External hosts, top countries: United States, Germany. IP/hostname 104.16.149.244: fbi.gov (United States, AS13335 Cloudflare)
- Indicator reasons: IPv4 104.16.149.244 in CDN range (provider=cloudflare); IPv4 131.188.40.189 associated with Tor exit nodes; IPv4 192.168.56.108 private IP address; IPv4 46.20.35.112 associated with Tor exit nodes; Domain fbi.gov
- PE anomalies: entropy_based. YARA: stack_string (EEEEEEEEEEEEEEEEEEEEEEEEE). Disassembly at entry point: call 0x41259b; jmp 0x40b3ac; int3 (×8)
- Screenshot: https://otx.alienvault.com/otxapi/indicators/file/screenshot/01da63fd3b935be956657d8f7212e976c553a6e040d5db9592fab807441b3e32
- Sandbox alerts: dead_host, network_icmp, nolookup_communication, modifies_proxy_wpad, network_cnc_http, network_http, packer_entropy, allocates_rwx, creates_hidden_file, dropper, has_wmi, protection_rx, antivm_network_adapters, raises_exception, queries_programs, wmi_antivm, checks_debugger, generates_crypto_key, recon_fingerprint, pe_unknown_resource_name
- Interesting strings: http://ns.adobe.com/xap/1.0/mm/, http://ns.adobe.com/xap/1.0/, http://ns.adobe.com/xap/1.0/sType/ResourceRef, http://www.w3.org/1999/02/22 (XMP/RDF namespace URIs, i.e. embedded document metadata rather than network indicators)
- Virus: "ba30376f915afa868763f84299fae5d2.virus.rtf - LibreOffice Writer"
- "Cryptographical plain text": mis-encoded binary on the page, not recoverable
- IDS: ET JA3 Hash - Possible Malware - Dridex; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic, groups 129, 750, 824, 439, 282, 820, 21, 63, 896, 91, 11, 202, 684, 919, 31, 156, 743, 869, 42, 6, 443, 85, 416, 688, 117, 217, 217, 443, 709, 703, 879, 338, 682
- Sigma: Wow6432Node CurrentVersion Autorun Keys Modification (Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)); Failed Code Integrity Checks (Thomas Patzke); Process Creation Using Sysnative Folder (Max Altgelt)
- IDS: POLICY-OTHER HTTP request by IPv4 address attempt; POLICY-OTHER TOR traffic anonymizer server request; ET POLICY TOR Consensus Data Requested; ET P2P Tor Get Server Request; ET P2P TOR 1.0 Server Key Retrieval; (http_inspect) white space before or between HTTP messages; SURICATA HTTP Request abnormal Content-Encoding
- YARA (THOR APT Scanner, VALHALLA rule feed): MAL_Agent_May20_1, rule set Livehunt - Default22 Indicators, author Florian Roth, https://valhalla.nextron-systems.com/info/rule/MAL_Agent_May20_1 ("Detects malware used in activity noticed 05/2020 likely related to Chinese actor"; reference: ACSC IOCs May 2020 pivoting); https://www.nextron-systems.com/notes-on-virustotal-matches/
- 114.114.114.114: IDS detections DYNAMIC_DNS Query to a *.ns1.name Domain; Query to a *.top domain - Likely Hostile; Observed DNS Query to .work. Associated AV detections: !#SIGATTR:IEProxyChange, ALF:Backdoor:Win64/Meterpreter.AB!MTB, ALF:PUA:Block:VrBrothers.R!MTB, ALF:Trojan:MSIL/AgentTesla.KM, ALFPER:RefLoadApiHash, Backdoor:Linux/Dofloo.A!MTB, Backdoor:Linux/Gafgyt.AF!MTB, "Can't access file", Trojan:Win32/Magania.DSK!MTB, TEL:SIGATTR:CreateRemoteThread. Domain 114dns.com: PegasusPlus. WHOIS: email [email protected], name Zhao Zhenping, name servers NS1000.114DNS.COM, org Nanjing XinFeng Network Technologies, Inc., Room 301, Building 3B, Startup park, High Tech park, Shiyang Road 56, Baixia District, Nanjing, Jiangsu, China
- https://blog.malwarebytes.org/intelligence/2016/03/maktub-locker-beautiful-and-dangerous/
- https://www.spytox.com/ ("Malicious Phone number & eMail verifier")

Report excerpt: "HoneyPotNetBot?" (QwertMiner / Oxypumper / PlugX)
- Sandbox alerts: disables_security, network_icmp, modifies_certificates, modifies_proxy_wpad, multiple_useragents, injection_resumethread
- Antivirus detections: Win.Malware.Oxypumper-6900445-0 (FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7; FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8; FileHash-SHA256 365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1)
- IDS detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2; Terse Named Filename EXE Download - Possibly Hostile; HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families); DNS Query for Suspicious .ml Domain; DNS Query for Suspicious .ga Domain; Domain External IP Lookup ip-api.com; Win32/QwertMiner Suspicious UA (jdlnb)
- Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ; google.com.ge; google.kiteflier.top; google.pf; google.com.ht; http://philsinstallation.com/; www.orion.area120.com (?); https://degoogle.xyz/feed/; https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622
- Ransomware detected: a text artifact in a screenshot indicates the file may be ransomware; details "Antivirus" (source: screen_11.png, indicator: "virus")
- scanning_hosts: 138.197.217.6; IPv4 142.251.18.103; IPv4 142.251.31.99
- Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9; FileHash-MD5 63ebfbad26a529929927b9b485faa18a. Antivirus detections: Win32:TrojanX-gen [Trj], Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx. YARA: SUSP_NET_NAME_ConfuserEx. Delphi. Alerts: network_icmp
- Mobile ad SDK hostnames (iPhone): 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com, 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com, 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E
- Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/. YARA: DotNET_Crypto_Obfuscator

Report excerpt: iBryte adware / Nivdort / FormBook
- Antivirus detections: ALF:HSTR:Adware:Win32/iBryte!bit, ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47, PWS:Win32/QQpass.B!MTB, Trojan:Win32/Bulta!rfn, TrojanDownloader:Win32/Cutwail, TrojanDropper:Win32/Loring, TrojanSpy:Win32/Nivdort.CB, TrojanSpy:Win32/Nivdort.CW, TrojanSpy:Win32/Nivdort.DA, TrojanSpy:Win32/Nivdort.DB, …
- IDS detections: Adware.iBryte.Z Checkin; W32/iBryte.Adware Installer Download; Kazy/Kryptor/Cycbot Trojan Checkin 2; FormBook CnC Checkin (GET); W32/iBryte.Adware Affiliate Campaign Executable Download; …
- https://otx.alienvault.com/indicator/ip/216.40.34.41
- Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97
- ns2.tsaratsovo.net
- FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955; FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79; FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848. Antivirus detections: Win32:MalwareX-gen [Trj]. IDS detections: FormBook CnC Checkin (GET), 403 Forbidden. YARA: MAL_RANSOM_COVID19_Apr20_1, DotNET_DotFuscator. Alerts: nids_malware_alert, injection_runpe, network_icmp, network_cnc_http, network_http, allocates_rwx, antisandbox_sleep, creates_exe, privilege_luid_check, checks_debugger
- https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29

Report excerpt: GandCrab
- Antivirus detections: Win32:MalwareX-gen [Trj], Win.Ransomware.Gandcrab-9967304-0, Ransom:Win32/GandCrab.AE. YARA: ReflectiveLoader, Win32_Ransomware_GandCrab, stack_string
- Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc; FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9; FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5
- Mobile ad SDK hostnames: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com, 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com, mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com
- https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled (truncated on the page)
- https://www.YouTube.com/polebote

Export & API

STIX 2.1 Bundle
CSV Export
Permalink
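The STIX 2.1 export is the form in which this indicator is most likely to be consumed downstream. The following is an added example, not code from the IOC Radar page or its API, of how a consumer should read such a bundle: it accepts only the STIX pattern shape `[file:hashes.'SHA-256' = '<64 hex>']`, skips every other pattern rather than guessing, and sweeps a set of files by digest. The bundle, the sample bytes and the second low-confidence indicator are constructed here to mirror the page's fields (hash, confidence 57, first/last seen) and to give the sweep something to hit; the identifiers are assumptions.

```python
"""Consume STIX 2.1 file-hash indicators and sweep files for them.

Added example; not code from the IOC Radar page or its API. The bundle is
constructed here to mirror the page's indicator fields (SHA-256, confidence
57, first/last seen). The only pattern shape handled is STIX 2.1's
  [file:hashes.'SHA-256' = '<64 hex chars>']
and a hit is a plain digest comparison, which is exactly as brittle as a
hash IOC is: one changed byte and the sample no longer matches.
"""
import hashlib
import json
import re

# Constructed sample content so the sweep has something to hit (example data).
SAMPLE = b"constructed benign blob standing in for a sample\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()

# Constructed STIX 2.1 bundle. Object 1 mirrors the page's indicator; object 2
# is a second, low-confidence indicator for SAMPLE (hash written upper-case to
# exercise normalisation); object 3 is a domain pattern the extractor must skip.
BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--9b0f3a6e-3d0e-4a5b-9c1d-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--9b0f3a6e-3d0e-4a5b-9c1d-000000000002",
            "created": "2025-04-02T00:00:00.000Z",
            "modified": "2026-06-02T00:00:00.000Z",
            "name": "IOC Radar SHA-256 (medium confidence)",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = "
                       "'45cb3493020782cfcd906fb9afbf72d7f973b6e425fc5d3bd88a429e8ea395b1']",
            "valid_from": "2025-04-02T00:00:00Z",
            "confidence": 57,
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--9b0f3a6e-3d0e-4a5b-9c1d-000000000003",
            "created": "2026-06-02T00:00:00.000Z",
            "modified": "2026-06-02T00:00:00.000Z",
            "name": "constructed indicator for SAMPLE",
            "indicator_types": ["unknown"],
            "pattern_type": "stix",
            "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256.upper()}']",
            "valid_from": "2026-06-02T00:00:00Z",
            "confidence": 20,
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--9b0f3a6e-3d0e-4a5b-9c1d-000000000004",
            "created": "2026-06-02T00:00:00.000Z",
            "modified": "2026-06-02T00:00:00.000Z",
            "name": "constructed domain indicator (not a hash)",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'example.invalid']",
            "valid_from": "2026-06-02T00:00:00Z",
        },
    ],
})

# Exactly one SHA-256 equality comparison; anything else is skipped, not guessed.
_SHA256_PATTERN = re.compile(
    r"^\[file:hashes\.'SHA-256'\s*=\s*'([0-9a-fA-F]{64})'\]$"
)


def extract_sha256_indicators(bundle_json: str) -> dict[str, int]:
    """Return {lowercase_sha256: confidence} for every STIX indicator whose
    pattern is a single SHA-256 comparison. An absent confidence is stored as
    0 here (an assumption of this example; STIX 2.1 leaves it unspecified)."""
    bundle = json.loads(bundle_json)
    found: dict[str, int] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        match = _SHA256_PATTERN.match(obj.get("pattern", "").strip())
        if match:
            found[match.group(1).lower()] = int(obj.get("confidence", 0))
    return found


def sweep(blobs: dict[str, bytes], indicators: dict[str, int]) -> list[tuple[str, str, int]]:
    """Hash each named blob and return (name, sha256, confidence) for every hit,
    in the order the blobs were given. Digests are compared lower-case."""
    hits = []
    for name, data in blobs.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in indicators:
            hits.append((name, digest, indicators[digest]))
    return hits


if __name__ == "__main__":
    iocs = extract_sha256_indicators(BUNDLE_JSON)
    # "other.bin" differs from SAMPLE by one byte and must not match.
    for name, digest, conf in sweep({"sample.bin": SAMPLE, "other.bin": SAMPLE + b"\n"}, iocs):
        print(f"HIT {name} sha256={digest} confidence={conf}")
```

The anchored regex is deliberate: a looser pattern that pulls any 64-hex token out of the `pattern` string would also accept hashes embedded in unrelated comparisons or in `MD5`/`SHA-1` fields, and a consumer that silently reads those as SHA-256 matches produces false negatives on real sweeps. The confidence value travels with the hit so that a 57% pulse-level indicator can be triaged differently from a high-confidence one.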

IOC Journey

Confidence: medium
First detected 1 year ago · Last seen 1 month ago
Appeared in 4 threat reports