IOC Radar
SHA256 · Medium · Signal 99/100

4d52d40bc7599b784a86a000ff436527babc46c5de737e19ded265416b4977c6

Location
Ukraine
First Seen
Jul 10, 2022
Last Seen
Jun 3, 2026
Reports
10 source reports
Confidence
99% (medium)
Found in 10 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
99%
Signal Score
99 / 100
IDS Rule
No
Threat Context
MITRE ATT&CK TTPs
85 techniques

Activity Timeline
1 total observation
Jun 3

Threat Score
99 / 100 (High Risk)

VirusTotal

Not checked

WHOIS

Description
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
