IOC Radar
SHA1 · High · Verified · Signal 97/100

4a6cb6640b7a43ccfc6ee9921f0e88ba84da8a0b

Location: China
First seen: Jul 19, 2024 (712 days ago)
Last seen: Apr 14, 2026 (78 days ago)
Reports: 5 source reports
Confidence: 97% (high)
Found in 5 reports. Confidence: high. Confidence scores are heuristic; verify before acting on results.
SHA-1 Hash
SHA-1 file hash associated with malicious samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA1
Confidence: 97%
Signal Score: 97 / 100
IDS Rule: No
Threat Context
Tags
MITRE ATT&CK TTPs: 79 techniques

Feed Intelligence Summary

5 source reports, 97% confidence score

Category tags
a50 typ, a5ip, a9 a8aaaaaa, mirai, abv0, abv01, accept, access att, access type, account security, active, active scan, added active, address domain, address range, africa, akamai rank, alerts, algorit, all domain, all filehash, all ipv4, allocation type, alvoes, america, america flag, america related, apollo database, apple inc, arial, as834 ipxo, ascii, ascii text, ashburn, asia, asia pacific, attack, autoit, av detections, available from, backdoor, bb c7, bc a1, bd poczenia, bg phone, binary, binary file, botnet, botnet activity, brute force, bulgaria phone, c tmpsample, c2, c2 ip, c2 resolution, c2 zergeca, call, calls, canada, canreb, cc fd, cdn range, cert, cert validity, chain, china, cidr, ck id, ck ids, ck matrix, click-based attack, cloud infrastructure, cloudflare dns, code execution, code injection, command, command & control, command and control, command execution, communication protocol, contact, controller fake, cptbdev, creation date, credential harvesting, credential stuffing, cro intormation, d4 dc, data access, data copying, data exfiltration, data store exposure, data transfer, data upload, ddos, ddos attacks, defense evasion, delphi, dete data, detect-debug-environment, directoi t1222, disrupt service, distributed attacks, div div, dive into, dns attack, dnssec, doc process, doh, domail showing, downloader, droo anv, drops, ds nxdomain, dynamic dns, dynamicloader, edgeview drive, ee fc, egypt, elf, elf conta, elf executable, elf geomi, elf upx, elf32 operation, elf64 operation, emails, encrypt, encryption, engine, enough, enter sc, entries, error, europe, europe/asia, evasion, evolves, exchange all, exchange lte, exclude, exclude data, exclude sugges, exec, exec amd6464, executable file, exploit, exploitation activity, external ip, extr, extr referen, extra lte, f4 ca, failed, fast, fastest privacy, ff d5, file, file-hash, filer data, filer filehuon, files, files ip, filet ce, filet filer, filet filet, filtered person, filtered route, find, find c, find s, first dns, for privacy, format, found, full reports, gecko, germany, get hello, get http, get icarus, github, global, go, golang, google, google dns, google enhanced, guard, h dns, h1256, hackingtrio ua, handle, hashes cape, hello, hello world, helvetica, heur, high, high o, historical otx, hostname enumeration, hosts, http performs, http scanner, https, https domain, hua muicalul, hybrid, identity & access exploitation,
ids detections, iframe, imphash, inbound, include, include data, include review, included iocs, indicator, indicatore, infection dns, information gathering, information technology, infrastructure acquisition, reconnaissance, ingress tool transfer, injection activity, input validation bypass, inquest labs, intel, internet of things, iocs, iocs o, iot botnet, iot security, iot/ics attack, ipv4, ipv4 add, ipv4 url, is__elf, issuer, it infrastructure, italy, japan, jaws webserver, je elf, je matches, k netsvcs, key usage, khtml, korea republic, l extraction, labs pulses, launcher, layer protocol, learn, less, less ip, link, linux, loader, loads, local, lsb executable, lte all, lzma, mac os, macho, macho 64bit, macsync_applescript_stealer, magic, magika iso, malicious activity, malicious links, malicious software, malware, manually ada, manually add, manualy, matches data, matches edolavd, matches matches, matches yara, media center, medium, memo file, memory pattern, metadata analysis, mirai botnet, mirai variant, mitre att, mitre attack, model, modify syst, modify system, moscow region, moved, mozilla, msie, mvpower dvr, n1 exclude, name, name servers, name tactics, nation-state activity, neterra, network communication, network info, network name, network scanning, neven dilkov, new threat, next, next associated, no entri, north america, not cryptographically sound, number, o zergeca, ogoogle trust, open, operating system, operating system security, otx logo, otx telemetry, outbound traffic, pa abusec, pa status, passive dns, path traversal, pattern match, pe section, pe32 executable, pegasus, performs dns, phishing, phoneidentify, ponmocup post, post, post http, present nov, private server, privileged access, proc indicative, proc504cmdline, proccpuinfo, process, process create, process injection, process l, program, pulse, pulse pulses, pulses, python, q search, q2 cbe, qaeaav0, qaexn, qbenxz, qbepaxxz, ransomware, read c, reads, reads cpu, reconnaissance, record value, ref b, referen, reference id, related pulses, related tags, remc t1070, remote access, remote function, remote services, report publish, reports v, researched, resolved ips, review, review exclude, review iocs, review occ, ripe, roboto, robotodraft, russia, rv gonalosc carschaan, search, server ca, servers, service, shell, shell uce,
show, showing, sigkill, sim, singapore, singapore asn, size, slcc2, smux, social engineering, social media security, sofia, software development, software supply, source, south africa, span, spawns, ssdeep, ssltls client, status, stop, stop service, stop show, stream, strings, stwa, subject, sugges, suggest, suggested ocs, suggestedincc, suite, systemd service, sysv, t1003, t1005, t1012, t1014, t1016, t1021, t1021.001, t1027, t1027 masquerac, t1027.002, t1030, t1031, t1036, t1036 indicator, t1037.002, t1041, t1047, t1048, t1048.002, t1048.003, t1055, t1057, t1059, t1060, t1069, t1069.001, t1069.002, t1070, t1070.004, t1071, t1071.001, t1078, t1082, t1083, t1095, t1105, t1113, t1119, t1133, t1140, t1155, t1156, t1189, t1190, t1203, t1204.001, t1204.002, t1222, t1222.001, t1222.002, t1480, t1480.001, t1485, t1486, t1489, t1496, t1497, t1499, t1499.002, t1499.003, t1518, t1518.001, t1542, t1543, t1543.002, t1564, t1564.001, t1565, t1566.001, t1566.002, t1566.003, t1566.004, t1571, t1573, t1583.005, t1584.005, t1587.001, t1588.001, t1589.001, t1590.001, t1609, tags, text process, threat actor, thum, tico data, title, tls ca, tls sni, tls version, tocs, tuttor node, traefik default, traffic tcp, trid null, trojan malware, twitter, typ data, typ filet, typ innicatad, type, type ipv4, types, unique ru, united, united states, unix, unix shell, unknown ns, updater, upx, upx packer, urls, urls http, user, user execution, users, usrbinid id, uuid, v3 serial, valid, value, virtool, vulnerability scan, w4uninitialized, web application attack, web application exploitation, web traffic, whois server, win32 malware, win32cve apr, windir, windows malware, windows nt, wiper, world, worm, write, write cx macho, xml process, xor, yara, yara dete, yara detectea, yara detections, yara detel, yara rule, zenbox linux, zercega, zerg, zergeca, zergeca botnet, zergeca sample

Activity Timeline

1 total observation: Apr 14

Threat Activity Heatmap

Peak: 2026-04-14
(Weekly calendar heatmap, Jun through the following Jun, Mon/Wed/Fri rows, scale Less to More; only the April 2026 observation is marked.)

Activity windows:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Intelligence Summary (AI generated)

This Indicator of Compromise (IOC), a file hash, represents a critical threat requiring immediate attention due to its extremely high severity score of 96.95. Its presence within an organizational environment signifies potential compromise by sophisticated ransomware groups such as El Dorado and HsHarada, alongside associations with notorious malware families like Mirai, Tofsee, and SmallAgent. Such malicious entities are known for executing destructive attacks, including widespread data encrypt…

Threat Score: 97 (High Risk)
Signal Score: 97
Confidence: 97%
Reports: 5
First seen: Jul 19, 2024
Last seen: Apr 14, 2026
Verified IOC

VirusTotal: Not checked

WHOIS

Description: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header

References
https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet
Multi Mirai Botnet - Spreader , Evolver C2 IP | cnc |
Executed Commands DATA /tmp/cuckoo-e98007172e0a6e295
Snort IDS alert for network traffic 2.0 Uses known network protocols on non-standard ports
Remote Access Functionality (1) 4.0 Yara detected Mirai
Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.
Matches rule ET MALWARE Mirai Variant User-Agent (Outbound)
Matches rule ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution
Matches rule TGI HUNT HTTP Request to 127.0.0.1
Matches rule MALWARE-CNC User-Agent known malicious user-agent string - Mirai
Matches rule POLICY-OTHER HTTP request by IPv4 address attempt
Matches rule (icmp4) ICMP destination unreachable communication with destination host is administratively prohibited
Highlighted Text: "" "unstable_is_the_history_of_universe" (¿)
Manager Plugin" "Display the battery levels of your devices and control the brightness of your display
Matches rule SUSP_ELF_LNX_UPX_Compressed_File from ruleset gen_elf_file_anomalies by Florian Roth (Nextron Systems)
http://upx.sf.net • sf.net • upx.sf.net
CVE-2018-10562 cpe:2.3:o:dasannetworks:gpon_router_firmware:-
MALWARE SPREADER TROJAN EVADER
BitComet.exe 8d2b3c0aa4f615aed1ebf0c6a7acba5813709dd0038d9ab071f967217ca3aa2c
https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4
https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior
https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior
https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior
https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447
https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details
https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/
IDS Detections: Mirai Variant User-Agent (Outbound)
IDS Detections: MVPower DVR Shell UCE
IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution
IDS Detections: HackingTrio UA (Hello, World)
IDS Detections: Mirai Variant User-Agent (Inbound)
IDS Detections: HTTP traffic on port 443 (POST)
IDS Detections: WebShell Generic - wget http - POST
IDS Detections: Observed Suspicious UA (Hello, World)
Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX
Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections
Alerts: cape_detected_threat
Domains Contacted: bot.hamsterrace.space
C2 IP: 84.54.51.82, 91.195.240.19 command_and control, blackproject.tech
Jun 19, 2024… Profile of 84.54.51.82 · Scanner · Mirai Downloader&C2 · Zergeca C2 · Vulnerabilities used · DDoS attack statistics.
elf_mirai.txt - GitHub raw.githubusercontent.com
Investigation of Zergeca's infrastructure, C2 IP address, 84.54.51.82, served at least 2 Mirai botnets
https://apple.k8s.joewa.com/ • https://com.apple • freedns.afraid.org
IPv4 188.114.96.1 In CDN range: provider=cloudflare • dns.google • push.apple.com
Zercega • IPv4 84.54.51.82
Zercega • http://bot.hamsterrace.space:5966/
Zercega • multi-user.target
Zercega • ootheca.pw
CVE-2023-22518 CVE-2018-10562 CVE-2024-6387 CVE-2025-20393
Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29
Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke
Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community
Crowdsourced IDS rules:
Matches rule ET POLICY External IP Lookup ipinfo.io
Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo.io)
Matches rule ET INFO External IP Check (checkip .amazonaws .com)
Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt
Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.
Yara detected: Xmrig cryptocurrency miner
Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance
meta.com • meta.com.apple
geomi.service • 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63
ELF contains segments with high entropy indicating compressed/encrypted content
/etc/systemd/system/geomi.service File type: ASCII text
http://www.bing.lt/search?q=
Win.Malware.Salat-10058846-0
Yara Detections: MacSync_AppleScript_Stealer
Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara
Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process
Alerts: resumethread_remote_process enumerates_running_processes reads_self
Alerts: packer_unknown_pe_section_name script_tool_executed
Alerts: queries_computer_name queries_keyboard_layout queries_locale_api
Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry
Contacted: 188.114.96.1 Domains Contacted dns.google
distracted-chebyshev.84-54-51-82.plesk.page • domain plesk.page
www.joewa.com
Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name
Yara Detections: MacSync_AppleScript_Stealer , UPX
Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
apple.k8s.joewa.com • joewa.com • http://apple.k8s.joewa.com/ • https://apple.k8s.joewa.com/
Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO
blackbox-exporter.lenovo-k8s.home.local.advena.io
http://blackbox-exporter.lenovo-k8s.home.local.advena.io/
https://blackbox-exporter.lenovo-k8s.home.local.advena.io/
https://blackbox-exporter.lenovo-k8s.home.local.advena/
Calls an API typically used to retrieve function addresses, load a resource T1129 Shared Modules Execution Adversaries may execute malicious payloads via loading shared modules. Learn more
Loads modules at runtime Looks up procedures from modules
(excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007
https://cloudflare-dns.com/dns | cloudflare-dns.com
https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522
https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com
https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f
6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file)
‘Can't access file’ Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca
‘Can't access file’ [Found in Zergeca Botnet]
IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo.io)
Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections
IP’s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56
Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org
Crowdsourced SIGMA Below:
Crowdsourced IDS Below:
Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
Unique rule identifier: This rule belongs to a private collection.
geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi
https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO
Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/
crypto-pool.fr
iبامسلمون لمهمملممنامصناءواممساند | مطعم+ ممامام
Muslims have built, supported, and assisted. or Muslims: Support and Solidarity
LIE. Built American.
Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado
IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST
IDS Detections: MVPower DVR Shell UCE • HackingTrio UA (Hello, World)
IDS Detections: HackingTrio UA (Hello, World) • HTTP traffic on port 443 (POST)
IDS Detections: Mirai Variant User-Agent (Inbound) • HackingTrio UA (Hello, World)
IDS: Observed Suspicious UA (Hello, World)
IP’s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184
IP’s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248
Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0]
https://dns.google/resolve?name=SELECT
31.6.16.33 • network.target [Found in Zergeca Botnet]
multi-user.target • ootheca.top • network.target • ootheca.pw [Found in Zergeca Botnet]
84.54.51.82 • http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet]
Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets
Since September 2023, according to an analysis by cyber security firm XLab CTIA.
Address shows a place of origin: Broomfield , Co
Believed to be originating from Germany and Russia
BGP Hurricane Electric seen
Potentially Pegasus related . Found to be affecting an IOS device
Indicators seen may have affected a few OTX users. Is ongoing
Zergeca related URLs , URI’s , Domains, inaccessible files referenced
apple.k8s.joewa.com • joewa.com • com.apple
This pulse is so huge it’s a mess. Will break down.
94.152.54.231
https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/#background

IOC Journey

Confidence: high
First detected 1 year ago · Last seen 2 months ago
Appeared in 5 threat reports