IOC Radar
SHA-256 indicator · Confidence: medium · Signal 91/100

53c7ac23770ffcd26a8957047d0fda9ccd0e2c21a6a35e3d21d1889b98092fe1

Location: Hong Kong
First Seen: Mar 11, 2024 (826d ago)
Last Seen: Apr 8, 2026 (68d ago)
Reports: 4 source reports
Confidence: medium (91%). Confidence scores are heuristic; verify before acting on results.
Indicator type: SHA-256 file hash (primary identifier for malware samples)
MISP category: Artifacts Dropped
Hash algorithm: SHA256
Confidence: 91%
Signal score: 91 / 100
IDS rule: No
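A SHA-256 indicator is only useful if the consumer hashes the right bytes the right way and compares exactly. The following is an added example, not IOC Radar's or any feed's code: it pulls the file hashes quoted on this page (the primary SHA-256 plus the MD5/SHA-1/SHA-256 values named in the references), buckets them by algorithm from the digest length, hashes a file or byte stream in one pass, and reports exact hits. The sample bytes are constructed for the demo and are not a real sample; the single-byte-change check at the end illustrates why a hash miss on a repacked or patched file proves nothing.

```python
"""Match files against the file-hash IOCs quoted on this page.

Added example (not code from IOC Radar or any contributing feed). The digests
below are copied from the page; the sample bytes are constructed for the demo.
"""
from __future__ import annotations

import hashlib
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hash IOCs quoted on this page: the primary SHA-256 plus the hashes named in
# the reference list. Mixed algorithms and mixed case are deliberate: real
# feeds look like this, so the code has to normalize before comparing.
IOC_HASHES: Set[str] = {
    "53c7ac23770ffcd26a8957047d0fda9ccd0e2c21a6a35e3d21d1889b98092fe1",  # primary indicator
    "7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae",  # FileHash-SHA256 (references)
    "9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249",  # Crypt3.BWVY SHA-256
    "e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4",  # vtflooder SHA-256
    "D20959337B099526ED5250B60D9250AB865A7C6C",  # FileHash-SHA1 (references), upper-cased on purpose
    "4c60cf6b7e2981f1c05c5a34f880c6020923014c",  # Crypt3.BWVY SHA-1
    "b7e1dc2c46a9b972943a08b09c4dd6db",  # FileHash-MD5 (references)
    "947f28c8ab697548aca370c080187e6e",  # Crypt3.BWVY MD5
}

# Hex-digest length identifies the algorithm; an entry that fits none of these
# is not a file hash (or was truncated) and must never produce a match.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def classify(digest: str) -> Optional[str]:
    """Return 'md5' / 'sha1' / 'sha256' for a well-formed hex digest, else None."""
    d = digest.strip().lower()
    if len(d) not in ALGO_BY_LEN or not set(d) <= HEX:
        return None
    return ALGO_BY_LEN[len(d)]


def normalize_iocs(raw: Iterable[str]) -> Dict[str, Set[str]]:
    """Bucket IOC digests by algorithm, lower-cased; malformed entries are dropped."""
    out: Dict[str, Set[str]] = {algo: set() for algo in ALGO_BY_LEN.values()}
    for entry in raw:
        algo = classify(entry)
        if algo:
            out[algo].add(entry.strip().lower())
    return out


def digest_stream(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Compute md5, sha1 and sha256 in a single pass over a chunked byte stream."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    return digest_stream([data])


def digest_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file without loading it whole; 1 MiB chunks cope with large droppers."""
    with path.open("rb") as fh:
        return digest_stream(iter(lambda: fh.read(chunk_size), b""))


def match(digests: Dict[str, str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (algorithm, digest) pairs that hit the IOC set.

    Exact match only: a repacked or patched sample hashes differently, so a
    miss here is not a clean bill of health.
    """
    return [(algo, d) for algo, d in digests.items() if d in iocs.get(algo, set())]


if __name__ == "__main__":
    iocs = normalize_iocs(IOC_HASHES)
    # Constructed stand-in for a PE file (DOS stub text), not a real sample.
    sample = b"MZ\x90\x00" + b"This program must be run under Win32" + b"\x00" * 64
    print("hits against page IOCs:", match(digest_bytes(sample), iocs))
    # Seed the IOC set with the sample's own SHA-256 to show a positive hit.
    seeded = normalize_iocs(IOC_HASHES | {digest_bytes(sample)["sha256"].upper()})
    print("hits after seeding:", match(digest_bytes(sample), seeded))
    print("one extra byte changes the SHA-256:",
          digest_bytes(sample + b"\x00")["sha256"] != digest_bytes(sample)["sha256"])
```

Run `digest_file(Path("suspect.exe"))` on a real file and pass the result to `match`; sandbox reports often quote the MD5 or SHA-1 only, which is why all three digests are computed in the same pass.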
Threat Context

MITRE ATT&CK TTPs: 45 techniques (the technique and tactic IDs appear under Category tags below)
Feed Intelligence Summary

Source reports: 4 · Confidence score: 91%
Category tags (the source tag cloud was exported without delimiters; only tags that can be recovered unambiguously are listed, grouped by kind)

ATT&CK tactics: TA0002, TA0004, TA0005, TA0006, TA0007, TA0009, TA0011
ATT&CK techniques: T1005, T1016, T1021, T1021.001, T1027, T1030, T1046, T1053, T1055, T1059, T1059.001, T1059.005, T1064, T1069.001, T1071, T1071.001, T1078, T1082, T1083, T1105, T1129, T1133, T1140, T1189, T1190, T1203, T1204, T1204.001, T1204.002, T1486, T1490, T1496, T1497, T1499.002, T1499.003, T1547, T1565, T1566, T1566.001, T1566.002, T1566.003, T1567.001, T1569.002, T1587.001, T1589.001, T1590.001
Malware Behavior Catalog IDs: OB0001, OB0002, OB0004, OB0006, B0003, F0001 (UPX)
Malware families and tooling: azorult, cobalt strike, dark power, emotet, ermac, goldmax, lockbit, lumma stealer, maui ransomware, mirai botnet, njrat, pegasus, plugx, ransomexx, sality, sibot, snatch, ursnif
Named actors: camaro dragon, crouching yeti, seaborgium
Threat categories: backdoor, banker, botnet, brute force, credential stuffing, credential theft, crypter, cryptojacking, ddos, infostealer, keylogger, phishing, ransomware, rat, remote access trojan, trojan, trojanclicker, trojandropper, trojanspy, wiper, worm
Sandbox and analysis signatures: allocates_rwx, antivm_memory_available, nids_alert, nids_malware_alert, network_http, network_icmp, network_irc, packer_entropy, persistence_autorun, pe32 executable, upx packed, delphi, process injection, code injection, shell code, memory dumping
Other tags in the cloud (geography, industry verticals, registrar and WHOIS fields, sandbox UI labels) are not reproducible from the delimiter-less export and are omitted.

Activity Timeline

1 total observation (Apr 8)

Threat Activity Heatmap (12 months, Jun to Jun) · Peak: 2026-04-08

Recent activity windows:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: 91 (High Risk) · Signal score 91 · Confidence 91% · 4 reports · First seen Mar 11, 2024 · Last seen Apr 8, 2026

VirusTotal: Not checked

Source report description and references (this block is populated from the contributing feed reports, not from WHOIS)

Description:
- AV label: Trojan[Spy]:Win/QQWare.AM
- URL carried in the description: https://r.clk71.com/s.ashx?ms=AZ71:207998_143310&[email protected]&eId=1338769034&c=h&url=http://e.snd65.com/cl/22/SCM/Exposing_Malware_in%20Linux-Based_Multi-Cloud_Environments_R1Final.pdf
- Sigma rules: Python Initiated Connection (frack113, critical); Failed Code Integrity Checks (Thomas Patzke); Creation of an Executable by an Executable (frack113)
- YARA rules: MAL_CN_FlyStudio_May18_1 (ruleset crime_floxif_flystudio, Florian Roth, Nextron Systems); S_MultiFunction_Scanners_s (ruleset gen_cn_hacktools, Florian Roth, Nextron Systems); UPX (ruleset UPX, kevoreilly); Windows_Generic_Threat_bc6ae28d (ruleset Windows_Generic_Threat, Elastic Security)

References (aggregated across the 4 contributing reports; the items span clearly unrelated campaigns, so treat each as belonging to its own report rather than as context for this hash):
- Amnesty.org | remote.amnesty.org, tulach.cc
- Worm:Win32/Benjamin. IDS detections: Win32.Worm.Benjamin.A CnC Checkin ICMP. Alerts: nids_malware_alert, network_icmp, network_irc, persistence_autorun, network_http; nids_alert, allocates_rwx, creates_exe, packer_entropy, antivm_memory_available. Delphi (likely precursor to Scan PING Delphi-Piette Windows); YARA detections: Delphi, "This program must be run under Win32" compiler stub. IPs contacted: 74.6.143.26. Domains contacted: benjamin.xww.de
- http://www.yixun.com/getkey returning {"privateKey": "JMVRar4COFWb3eKZ"}, Server: JFE. OTX screenshot: https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.yixun.com/getkey
- http://www.shopsleuth.com/goal-academy/the-citadel/colorado-springs-co, ipv4bot.whatismyipaddress.com, helloprismatic.com, https://palantir-staging.staging.candidate.app.paulsjob.ai/
- trojan.vtflooder/vflooder: FileHash-SHA256 e8d7208330c634fad06d1b12bfea92435cdd7e63d01fde5ed8f3493b9deefad4
- Crowdsourced IDS rules: MALWARE-CNC Win.Trojan.Occamy variant outbound connection; ET INFO Generic HTTP EXE Upload Outbound; (stream_tcp) data sent on stream not accepting data. Crowdsourced YARA rules: UPX (ruleset UPX, kevoreilly)
- https://fixupx.com/Yoda4ever/status/1819058165264404527
- "Malicious IP: 1.3.6.1 ASNone Generic.Malware has also been named in ransomware and other highly malicious attacks."
- http://borpatoken.com/ (borpatoken.com). Sourced: https://twitter.com/ootiosum/status/1812208222150726029
- "This IP carried out Apache Log4j RCE attempt(s) (also known as CVE-2021-44228 or Log4Shell)."
- @parthmaniar on Twitter: "For more information, or to report interesting/incorrect findings, give me a shoutout on @parthmaniar on Twitter."
- analytics.x.com | https://analytics.x.com | https://localhost.twitter.com:3443; X Vercel servers
- FileHash-MD5 b7e1dc2c46a9b972943a08b09c4dd6db; FileHash-SHA1 d20959337b099526ed5250b60d9250ab865a7c6c; FileHash-SHA256 7b749ef9d91c1f0fe7513ece148409f2254317be8b0487603a2b333ebbb927ae
- YARA: RansomWin32Betisrypt, TrojanClickerWin32NightClick, TrojanDropperWin32Jscrpt, TrojanWin32Notepices
- apple.twitter.com | https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js | vine.co | appleid.cdn-apple.com. Vtapi: scanter.com, www.twitter.com, x.com
- IDS detections: ETPRO TROJAN Possible Win32/Zbot.AHJ CnC Traffic; ET SMTP Abuseat.org Block Message; ET TROJAN Pushdo v3 Checkin; ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
- Crypt3.BWVY: FileHash-SHA256 9235583481d06530ef1ce04fa4f9a3bf3b6735dcdef0486cf6181c7868c9c249; FileHash-SHA1 4c60cf6b7e2981f1c05c5a34f880c6020923014c; FileHash-MD5 947f28c8ab697548aca370c080187e6e
- https://side3.com/, https://www.side3.com
- http://koshishmarketing.com/mo8igygw3uv/t4z68181/ [malware_hosting]; http://l2filesget.com/horyuclassic/updater/Launcher_Horyu_Classic.exe [malware_hosting]; http://l2filesget.com/horyuclassic/updater/system-eu/EnchantStatBonus_Classic.dat.lzma; http://fillmark.net/index.php [phishing]; https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [phishing]; http://mouthgrave.net/index.php; pegahpouraseflaw.info; https://onhimalayas.com/ckfinder/userfiles/files/jafufedopegagedolabib.pdf; sonymobilemail.com; ransomed.vc
- www-temp.metrobyt-mobile.com [malicious | data collection]; www.icloud.com [wp-login.php]; webdisk.thehomemakers.nl [spyware | tracking]; https://tulach.cc/ [phishing]; hallrender(.)com [labelled malware hosting by the report]; www.anyxxxtube.net [labelled malicious data collection / phishing]; pornhub.org subdomains (136-186.pornhub.org, 0-212.pornhub.org, 000web.pornhub.org) and pornhub.com gif-search URLs [labelled password cracker by the report]; cs9.wac.phicdn.net.1.1.e64a8639.roksit.net; s3.amazonaws.com [targeting data collection]; https://twitter.com/PORNO_SEXYBABES; 0-173-x.msn.com; 0-3.duckdns.org
- nr-data.net and 67.199.248.12 [labelled Apple data collection]; api.utah.edu; https://applemusic-spotlight.myunidays.com/US/en-US?; tv.apple.com; 104.92.250.162 [labelled Apple image scanning IP]; appleid.com; andrewka6.pythonanywhere.com [python connection]; appleid-secure-login.com; adsl-074-168-130-217.sip.pns.bellsouth.net; prometheus.43002.maintenis.com
- https://www.picussecurity.com/resource/unc2452-nobelium-threat-group-attack-campaign
- https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians [heuristic]
- https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea; https://www.hybrid-analysis.com/sample/f7cb7c256e840ab93e6991462cedf6eac928c12f4102798986e2c5d27d1abc7f
- www2.megawebfind.com [command and control]; http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [phishing]; 20.99.186.246 [exploit source]; http://45.159.189.105/bot/regex [tracking | botnet]; https://neca.omeclk.com/portal/wts/uc^cn^ejkaejsaBeyk7-^Oa
- Win32:RATX-gen [Trj] identified; Remote Access Trojan
- CS Sigma rules: Shadow Copies Deletion Using Operating Systems Utilities (Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)); Disable UAC Using Registry (frack113); Wow6432Node CurrentVersion Autorun Keys Modification (Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split))
- "Intellectual property accessed and distributed"

Export & API

STIX 2.1 Bundle
CSV Export
Permalink
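The page offers the indicator as a STIX 2.1 bundle and as CSV. The block below is an added example of what those two exports carry for this hash; it is not IOC Radar's exporter. Field values are copied from the page. Two things are assumptions, not page facts: the page gives dates only, so `valid_from` is set to midnight UTC on the first-seen date, and object ids are derived deterministically (the `file` SCO id follows the STIX 2.1 UUIDv5 rule with the spec's fixed namespace; the indicator id uses a made-up private namespace, `ioc-radar.example`, so that re-exporting the same hash yields the same id).

```python
"""STIX 2.1 bundle and CSV row for the indicator on this page.

Added example (not IOC Radar's own exporter). Values are copied from the page;
timestamps assume midnight UTC because the page only shows dates, and the
SDO namespace below is an assumption chosen so ids are stable across exports.
"""
from __future__ import annotations

import csv
import io
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Values as shown on the page.
IOC = {
    "sha256": "53c7ac23770ffcd26a8957047d0fda9ccd0e2c21a6a35e3d21d1889b98092fe1",
    "first_seen": "2024-03-11",
    "last_seen": "2026-04-08",
    "confidence": 91,  # page shows 91%; STIX 'confidence' is an integer 0-100
    "reports": 4,
    "misp_category": "Artifacts Dropped",
    "location": "Hong Kong",
}

# Fixed namespace STIX 2.1 specifies for deterministic SCO ids (spec section 2.9).
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# Private namespace for our own SDO ids (assumption; not something the page defines).
SDO_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "ioc-radar.example")


def stix_ts(date_str: str) -> str:
    """Date-only page value -> RFC 3339 timestamp at midnight UTC (assumed)."""
    return datetime.strptime(date_str, "%Y-%m-%d").strftime("%Y-%m-%dT%H:%M:%S.000Z")


def file_sco(sha256: str) -> Dict:
    """STIX 2.1 'file' object; id = UUIDv5(SCO namespace, canonical JSON of id-contributing props)."""
    contributing = {"hashes": {"SHA-256": sha256}}
    canonical = json.dumps(contributing, separators=(",", ":"), sort_keys=True, ensure_ascii=False)
    return {
        "type": "file",
        "spec_version": "2.1",
        "id": f"file--{uuid.uuid5(SCO_NAMESPACE, canonical)}",
        "hashes": {"SHA-256": sha256},
    }


def indicator_sdo(ioc: Dict, created: str) -> Dict:
    """Indicator whose pattern matches the SHA-256; id depends only on the hash."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(SDO_NAMESPACE, ioc['sha256'])}",
        "created": created,
        "modified": created,
        "name": "SHA-256 file hash indicator",
        "pattern": f"[file:hashes.'SHA-256' = '{ioc['sha256']}']",
        "pattern_type": "stix",
        "valid_from": stix_ts(ioc["first_seen"]),
        "confidence": ioc["confidence"],
        "indicator_types": ["malicious-activity"],
        "labels": [f'misp:category="{ioc["misp_category"]}"'],
        "external_references": [{
            "source_name": "IOC Radar",
            "description": f"{ioc['reports']} source reports; last seen {ioc['last_seen']}",
        }],
    }


def make_bundle(ioc: Dict, created: Optional[str] = None) -> Dict:
    """Bundle = indicator + the file SCO it describes. Bundle ids are random by spec."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [indicator_sdo(ioc, created), file_sco(ioc["sha256"])]}


def bundle_json(ioc: Dict, created: Optional[str] = None) -> str:
    return json.dumps(make_bundle(ioc, created), indent=2)


CSV_FIELDS = ["indicator", "type", "first_seen", "last_seen", "confidence",
              "reports", "misp_category", "location"]


def to_csv(iocs: List[Dict]) -> str:
    """Flat CSV export; one row per indicator, header first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    for ioc in iocs:
        row = {"indicator": ioc["sha256"], "type": "sha256"}
        row.update({k: ioc[k] for k in CSV_FIELDS[2:]})
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    print(bundle_json(IOC))
    print(to_csv([IOC]))
```

The deterministic ids matter operationally: a TIP that ingests this bundle on two days should see one updated indicator, not two near-duplicates, and the `file` id computed this way will collide correctly with the same hash arriving from any other STIX 2.1 producer.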

IOC Journey

Confidence: medium · First detected 2 years ago (Mar 11, 2024) · Last seen 2 months ago (Apr 8, 2026) · Appeared in 4 threat reports