IOC Radar
SHA256 · Confidence: medium · Signal 95/100

494259d74bc3713f3c3bb6f6632b4441e225f2b71643a3c9947f29497e2739b5

Location: Peru
First Seen: Apr 14, 2026
Last Seen: Apr 17, 2026
Reports: 4 source reports
Confidence: 95% (medium)
Found in 4 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
Indicator type: SHA-256 Hash (SHA-256 file hash, primary identifier for malware samples)
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 95%
Signal Score: 95 / 100
IDS Rule: No
Threat Context

Tags: MITRE ATT&CK

MITRE ATT&CK TTPs (19 techniques):
T1010, T1018, T1027, T1036, T1047, T1055, T1056, T1057, T1070, T1071, T1082, T1083, T1095, T1497, T1518, T1547, T1562, T1573, T1574

Feed Intelligence Summary

Source reports: 4
Confidence score: 95%
Category tags:

Activity Timeline: 1 total observation (Apr 17)

Threat Activity Heatmap (weekly grid, Jun through Jun; peak: 2026-04-17)

Observations by window:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: 95 (High Risk)
Signal Score: 95 · Confidence: 95% · Reports: 4 · First seen: Apr 14, 2026 · Last seen: Apr 17, 2026

VirusTotal: Not checked

WHOIS

description: PE32 executable (GUI) Intel 80386, for MS Windows
references

