IOC Radar
SHA256 · Medium · Signal 93/100

4a9dde3979c2343c024c6eeeddff7639be301826dd637c006074e04a1e4e9fe7

Location: Ukraine
First Seen: Dec 14, 2021 (1662 days ago)
Last Seen: Mar 31, 2026 (93 days ago)
Reports: 12 source reports
Confidence: 93% (medium)
Found in 12 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash: SHA-256 file hash, the primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 93%
Signal Score: 93 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs: 95 techniques

Feed Intelligence Summary

Source reports: 12
Confidence score: 93%
Category tags: abraham, abuse, academic institutions, active directory, active scan, active scanning, advanced port, akira, akira iocs, akira ransomware attack, alienvault_ransomware, anapa, anydesk, application layer protocol, asns, attack, authentication, authentication abuse, authentication attack, authentication attacks, authentication attempts, authentication brute force, authentication bypass, authentication failures, automated attack, automotive manufacturing, backdoor, backup destruction, bad reputation, banking, bazar, bazarbackdoor, beacon, bitcoin, blockchain, botnet activity, brute force, brute force attack, brute force attempts, calls-wmi, charmpower lure, checks-bios, checks-memory-available, checks-network-adapters, checks-user-input, chisel, chrome browser, cisa, cisa kev, cisco asa, clear, clear farusbig, clear https, cmd365 sample, cobalt strike, cobaltstrike, code execution, command, command & control, command and control, command execution, commodity contracts intermediation, communication protocol, compromise attempt, consumer goods, contact, conti, core, credential access, credential attacks, credential brute force, credential guessing, credential stuffing, credential theft, credit card services, crypto exchange, crypto mining, crypto wallet, cryptocurrency, data encryption, data exfiltration, data store exposure, database authentication, ddos, decentralized finance, denial of service, desktop, detect-debug-environment, dev1084 batch, diavol, dictionary attack, digital currency, direct-cpu-clock-access, double extortion, download rport, drokbk, drokbk c2, educational resources, educational services, educational technology, electronic health records, electronics manufacturing, emotet, encryption, enumeration, enumeration activity, esxi, europe, exploit, exploit avaliable, exploit discovery, exploitation, exploitation activity, extortion, failed login, file, file-hash, finance, financial services, financial technology, ftp, ftp brute force, gmer, google firebase, group policy, hashes, health care and social assistance, health information technology, healthcare information systems, higher education, hospital management, hostname enumeration, hotspot, http brute force, http scanner, https, hydra, hyperv, icmp flood, identity & access exploitation, imap brute force, impact, in the wild, indicator, industrial automation, industrial iot, industrial production, information gathering, information technology, ingress tool transfer, initial access, injection activity, install, internet scan, intrusion detection, invalid credentials, invalid login attempts, ioc, iocs, iot security, it department, it infrastructure, k-12 education, kali, kirpich, known hostnames, lateral movement, lazagne, ldap brute force, lilocc, lockbit, lockbit ransomware, login attack, login attempt, login attempts, long-sleeps, malicious activity, malicious download, malicious powershell activity, malware, malware distribution, manufacturing technology, medical services, medusa, mega, mfa bypass, mitre att, mniami, mobile threat, na clear, nation-state activity, netscan, network activity, network attacks, network discovery, network enumeration, network intrusion, network intrusion attempts, network mapping, network probe, network probing, network protocol, network reconnaissance, network scan, network scanning, network security, network service scanning, network traffic analysis, nirsoft, nlbrute, nmap scan, nokoyawa, ntp amplification, operating system, overlay, pass, password attack, password attacks, password cracking, password spraying, patient care, payload, payment processing, peexe, peru, phishing, pingcastle, play ransomware, pop3 brute force, possible bot activity, possible compromise, possible lateral movement, possible reconnaissance, potential compromise, potential intrusion, potential intrusion attempt, privilege escalation, process hacker, process injection, process manufacturing, protocol exploitation, psexec, qakbot c2s, quakbot, quality control, ransom note, ransomware, reconnaissance, reconnaissance activity, remote access, remote desktop, remote services, researched, retail trade, royal, royal ransomware, royal threat, rport domain, rport legit, rspich, runtime-modules, ryuk, scanner, scanning activity, script backdoor, scripting attacks, server use, service discovery, service enumeration, service scan, signed, smb brute force, smb enumeration, smb scanning, smtp, smtp brute force, smtp scanning, software development, software exploitation, sophos, source, south america, sql brute force, ssh attack, ssl vpn, stopransomware, supply chain attack, supply chain management, survey, syn, syn flood, syn scan, system access, system discovery, system disruption, t1003, t1005, t1016, t1018, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.005, t1021.006, t1021.007, t1027, t1040, t1046, t1047, t1048, t1053, t1055, t1056, t1059, t1059.001, t1059.003, t1059.004, t1059.005, t1059.006, t1059.007, t1059.008, t1059.009, t1059.010, t1059.011, t1068, t1069.001, t1070, t1071, t1071.001, t1076, t1077, t1078, t1081, t1082, t1083, t1086, t1087, t1090, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1113, t1133, t1136, t1187, t1190, t1199, t1203, t1204, t1204.002, t1210, t1213, t1218, t1485, t1486, t1490, t1491, t1497, t1499.001, t1499.002, t1499.003, t1539, t1547, t1552.001, t1555, t1560, t1561, t1562, t1562.001, t1563, t1566, t1567, t1569.002, t1588, t1589, t1589.001, t1589.002, t1589.003, t1590, t1590.005, t1592, t1595, t1595.001, t1595.002, t1595.003, ta machine, tcp protocol, tcp scan, tcp scanning, telnet, threat, threat actor, threat intelligence, tools, tor, tor node, trickbot, ttps, udp port scan, udp scan, ukraine, unauthenticated access attempts, unauthorized access, unauthorized access attempt, unauthorized access attempts, unauthorized login attempts, unc1878, united kingdom, unknown threat actor, valid accounts, veeam, via-tor, vpn, vpn exploitation, vpn kali, vulnerability, vulnerability scan, weak credentials, wealth management, web application scanning, web traffic, win32 malware, windows malware, winrar, winscp, wizard spider, zensec

Activity Timeline

1 total observation (Mar 31 to Mar 31)

Threat Activity Heatmap

[Heatmap image: daily observation calendar, Jun to Jun; peak: 2026-03-31]

Recent activity windows:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 0 (Dormant)
Threat Score: 93 (High Risk)
Signal Score: 93
Confidence: 93%
Reports: 12
First seen: Dec 14, 2021
Last seen: Mar 31, 2026

VirusTotal: Not checked

WHOIS: (none)

References
https://zensec.co.uk/blog/unmasking-akira-the-ransomware-tactics-you-cant-afford-to-ignore/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
https://labs.inquest.net/iocdb
Threat Insights: Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets
https://www.cisa.gov/sites/default/files/2023-03/aa23-061a-stopransomware-royal-ransomware.pdf
IOCs for Bazar, Conti, Diavol, Ryuk, TrickBot, WizardSpider 05042022.csv
https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/
https://bazaar.abuse.ch/


IOC Journey

Confidence: medium
First detected 4 years ago · Last seen 3 months ago
Appeared in 12 threat reports