IOC Radar
SHA256 · Medium · Signal 0/100

48fc8025da8edbf1bc02db14271df668bdd0f9904d1e5bcf83bef732c386626f

Location: United States
First Seen: Apr 17, 2026 (56d ago)
Last Seen: Apr 17, 2026 (56d ago)
Reports: 2 source reports
Confidence: 0% (medium)

Found in 2 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash: SHA-256 file hash — primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 0%
Signal Score: 0 / 100
IDS Rule: No
Threat Context

Tags:
MITRE ATT&CK TTPs: 21 techniques

Feed Intelligence Summary

Source reports: 2
Confidence score: 0%
Category tags

Activity Timeline

1 total observation (Apr 17)

Threat Activity Heatmap

Peak: 2026-04-17
Last 24h: 0 (Dormant)
Last 7d: 0 (Dormant)
Last 30d: 0 (Dormant)
Last 3mo: 1 (Minimal)
Threat Score: Low Risk
Signal Score: 0
Confidence: 0%
Reports: 2
First seen: Apr 17, 2026
Last seen: Apr 17, 2026

VirusTotal: Not checked

WHOIS

Description

<<Anomalous binary characteristics have been identified in a file that is being used to compile a Windows operating system for the first time in the history of the software, as well as an unauthorised virus>> Darkgate. Links wouldn't attach. User does not have WhatsApp.

References

Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 "Fail-Closed" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 "Broken Seal" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.

Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)

Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare's transit layer for resilience and to reduce direct exposure of origin infrastructure.

Compilation / Toolchain: Compiler: Microsoft Visual C++ 2017; Linker: Microsoft Linker 14.16.27032; IDE: Visual Studio 2017 (15.9); Classification: PEBIN; TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%); PE Section Entropy (Suspicion): .data 7.36 → high (suggests packing/encryption), .reloc 6.66 → possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72; Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess

Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.

MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's "Broken Seal" exploit bypasses.

As of Feb 13 (early AM) — Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)

Verification failure observed in automated verification handlers during sandbox replay.

The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls—including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation—are implemented to validate a high-interaction user environment prior to execution.

Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.

Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.

SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.

SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff — Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).

nationalgrid.com — Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.

eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.

Whitelisted IP Address 204.79.197.212; Location: United States; ASN: AS8068 microsoft corporation; Nameservers: ns4-205.azure-dns.info., ns1-205.azure-dns.com.; Registrar: MarkMonitor, Inc.; Creation Date: Mar 26, 1996

The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30–.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr

Sprouts Farmers Market: https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print? _gl=1*loeqyip*_ *_gc|_au*MTM5Mjg3NzAwNC4xNzY5MzY30DA2 ; https://shop.sprouts.com/store/sprouts/flyers/view/weekly/print?

Pegasus | A targets devices are obviously infiltrated

IDS Detections: W32.Bloat-A Checkin; DYNAMIC_DNS Query to Abused Domain *.mooo.com; Suspicious Dynamic DNS Update Request; Suspicious User-Agent (MyApp)

Yara Detections: Zeppelin_30, Zeppelin_19, ConventionEngine_Term_Desktop, ConventionEngine_Term_Users, ConventionEngine_Keyword_Launch, Delphi

Alerts: cape_detected_threat https_ urls

IPs Contacted: 142.250.217.65, 142.251.33.110, 69.42.215.252

Domains Contacted: xred.mooo.com, freedns.afraid.org, docs.google.com, crls.pki.goog, drive.usercontent.google.com

ConventionEngine_Anomaly_MultiPDB_Double

https://jviwczq.zc-apple.com/

SUSP_NET_NAME_ConfuserEx ConfuserEx AssemblyTitle dbgdetect_files siCe ntIce dbgdetect DotNET_ConfuserEx

Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO.


IOC Journey

Confidence: medium
First detected 1 month ago · Last seen 1 month ago
Appeared in 2 threat reports