SHA256 · Medium · Signal 68/100
5fe21c33017797224f4e6525784961e2705a355eea4e4d84ae037a3d0504e91a
Location
First Seen
Mar 11, 2024
Last Seen
Apr 7, 2026
Found in 3 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
68%
Signal Score
68 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
3 reports · 68% confidence
3
Source reports
68%
Confidence score
Category tags
aaaaacceptaccess controlaccount securityactive scanaddressakamaiasn1all octoseekanalyzeanchor hrefsapple iosapple phoneapplication developmentassign functionattackauthorityazorultbasicbloodbodybody lengthboomr functionboomrmq stringbotnetbotnet activitybreast cancerbrute forcec&cca1 odigicertcallback functioncivil societyclassclick-based attackcobalt strikecode executioncommandcommand & controlcommand and controlcommand executioncommunication protocolcontacted urlscontrol ta0011cookiecorecorporate lawcountrycreation datecritical riskcus cndigicertcus cnmicrosoftcus lsandark powerdata accessdata copyingdata encryptiondata exfiltrationdata store exposuredata transferddosde indicatorsdefense evasiondelphi genericdenverdetection listdevelopment methodologiesdevopsdistributed attacksdnsdns attackdoctypedos exedos executableelectronic health recordself collectionemotetempty hashencryptionerroreurodns saeuropeevasion ta0005executable fileexfiltrationexploit sourceexploitation activityextortionfile-hashfilesfinal urlgandi sasgeckogeneral fullgenericgeneric malwaregeneric windosgermanyget httpgmbh versiongraphhashesheader intelhealth care and social assistancehealth information technologyhealthcare information systemshistorical sslhospital managementhostname enumerationhrefshtml documenthttp attackhttp responsehttp scannerhttpshybridicons libraryidentity & access exploitationinc subjectindicatorinfo compilerinformation gatheringinfostealerinfrastructure acquisitionreconnaissanceingress tool transferinjection activityintelintellectual property lawiocsipv4ja3skdekhtmlkidney cancerlaw practicelayer protocollcc linkerlegal consultinglegal researchlegal serviceslegal technologylevellink libraryliver cancerlocallockbitlooklukelumma stealerlung cancermainmalicious activitymalicious downloadmalicious linksmalicious softwaremalwaremalware distributionmarkmonitormatches rulemedical centermedical servicesmemory patternmitremitre attmobilemobile securitymobile threatmonitoringname 
md5nation-state activitynetworknetwork connectionnetwork scanningnextnjratnumberodigicert incopenoperating systemoperating system securityoverlaypassive dnspassword bypasspastepatient carepattern matchpdfpdf documentpe resourcepe32 linkerpe32 packerperforms dnspetitephiphishingpiiplugxpornhubpost httpproblemprocessprocess injectionprocesses treeproduct developmentprostate cancerprotocol h2protocol t1071pulse pulsespythonquality assuranceransomexxransomwareratrat trojanreconnaissancerecord valuerefreshregistry keysregulatory compliancerelicremoteremote access trojanresearchedresolved ipsresource hashrestartreverse dnsroot carticon neutralsabeysamplessarcomascan endpointsscanning hostscriptsearchsecurity policysecurity tlsserver caservice privacyserving ipsha2 secureshellshell codesiblings domainsigmaskin cancersocial engineeringsoftware architecturesoftware developmentsoftware engineeringsoftware exploitationsoftware testingspanssdpssl certificatestatus codestatus pagestatus urlstringssubjectsummarysystemsystem disruptiont1005t1016t1021.001t1027t1030t1046 sendst1053t1055t1059t1059.001t1059.005t1064t1069.001t1071t1071.001t1078t1082t1083t1105t1129t1140t1189t1190t1203t1204t1204.001t1204.002t1486t1490t1496t1497t1499.002t1499.003t1547t1565t1566t1566.001t1566.002t1569.002t1587.001t1589.001t1590.001ta0002 defenseta0004 defenseta0007 networkta0009 commandtag counttargetsthreatthreat actorthreat preventionthreat reportthreat rounduptlstls rsatoolstor nodetrojan malwaretsara brashearstulachtwittertypeunicode textunitedurlsursnifuser executionutf8 textvalueverdictverifyweb securityweb trafficwhois recordwhois whoiswin16 newin32 dynamicwindows ntwiperyara
Activity Timeline
Apr 7 – Apr 7
Threat Activity Heatmap
Peak: 2026-04-07
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: Medium Risk
68
SIGNAL
Signal Score
68%
Confidence
3
Reports
First seen: Mar 11, 2024
Last seen: Apr 7, 2026
VirusTotal
Not checked
WHOIS
- description
- Trojan[Spy]:Win/QQWare.AM - https://r.clk71.com/s.ashx?ms=AZ71:207998_143310&[email protected]&eId=1338769034&c=h&url=http://e.snd65.com/cl/22/SCM/Exposing_Malware_in%20Linux-Based_Multi-Cloud_Environments_R1Final.pdf Sigma: • Python Initiated Connection by frack113 (critical) • Failed Code Integrity Checks by Thomas Patzke • Creation of an Executable by an Executable by frack113 | Yara: MAL_CN_FlyStudio_May18_1 from ruleset crime_floxif_flystudio by Florian Roth (Nextron Systems) S_MultiFunction_Scanners_s from ruleset gen_cn_hacktools by Florian Roth (Nextron Systems) UPX from ruleset UPX by kevoreilly | Windows_Generic_Threat_bc6ae28d from ruleset Windows_Generic_Threat by Elastic Security
- references
- https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians, https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea, www2.megawebfind.com [command and control], http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing], 20.99.186.246 [exploit source], https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic], Win32:RATX-gen [Trj] identified., CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades), CS Sigma Rules: Disable UAC Using Registry by frack113, http://45.159.189.105/bot/regex [ tracking | botnet], https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems], 0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org, https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing], CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Remote Access Trojan
IOC Journey
Medium · First detected 2 years ago · Last seen 2 months ago
Appeared in 3 threat reports