MD5HighVerifiedSignal 33/100
6615ea2fa3b879d27687a7ce917e93b0
Location
EstoniaFirst Seen
Jan 19, 2025
Last Seen
May 20, 2026
Found in 5 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
MD5 Hash
MD5 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
MD5
Confidence
33%
Signal Score
33 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
5 reports33% confidence
5
Source reports
33%
Confidence score
Category tags
a serviceaa24-131aabcdabuseacceptaccessaccountacidrainactive scanad environmentad groupadfindadministratoraes keyafghanistanafricaagentahnlabai securityaitbakiraalbaniaalbanianalexaliveallegatoamadeyamsi telemetryanalyzeanchoranchordnsandroidanunakanydeskanydesk remoteapacheapache tomcatapi callapi hashapi hashingappdataappeappearanceaptapt 27apt groupapt19apt27apt29apt29 activityapt29 conductapt41aquatic pandaarcanearmeniaartefactsfolderartemisascii valueascii85asec analysisasiaasyncratateraatera agentatomatomicattackattack overviewauroraaustraliaautoitav evasionavastavosavoslockerazaz09azorultbackbackdoorbad rabbitbad reputationbankbasebase64base85basecampbatloaderbazaarbazaloaderbazarbazar c2bazar loaderbazarbackdoorbazarcallbazarloaderbazarloader dllbeaconbeacon dllbeacon payloadbeacon typebeacon versionbeaconloaderbeapybearbeatdropbeerbelarusbelowbeyondbghbitcoinbitsblack bastablackbastablackcatblackshadesblisterblobbluenoroffboatlaunchbodybokbotbookmark serverboommicbotnetbotnet activitybreachbridgebrowserbrute forcebughatchbuildbumblebee c2bumblebee dllbypassc activityc serverc++c2c2 datac2 dropboxc2 profilec2 serverc2 trafficcaesarcampocampo loadercanadacanthroidcaploadercapturecarbon spidercashcec listcenterallcerbercertchachachacha20chamelgangchanitorchaprochatchimerachina chopperchinese-speaking cybercrimechiselchm filecisacisco securecisco taloscisco threatck techniqueclassclassloadercleanupclickclosecloudcnc servercnuserscobaltcobalt strikecobalt strike loadercobalt strikescobaltstrikecodecode executioncoinminercolor1cometcommandcommand & controlcommand and controlcommand executioncommentcommercial bankingcompilecomspecconceptconficonfigconfluence dataconsolecontcontactcontentconticonti affiliateconti gangconti groupcontributorscontrolcookiecookie valuecopycorecore impactcoroxycortex xdrcovewarecovid19cp1250credential accesscredential harvestingcredential stuffingcredential theftcritical infrastructurecrowdstrikecrphcryptercrypto cybercryptocurrencycs loaderctrltcubacuba ransomwarecustomerloadercvsscybercyber espionagecyber espionage solutionscyber threat hunterscyber threatscybercrime hascybereason xdrcybersecurity architectcyclopsdark cometdarkcometdarkgatedarkhoteldarkshelldarksidedatadata centerdata encryptiondata exfiltrationdata riskdata store exposuredatopdatoploaderdaveshelldc serverdclocalddosdeadeyedecoydecryptdef condefencedefenderspynetdefensedefense evasiondefraydefray777delphidemodenis legezodeploysdesktopdetectdetect-debug-environmentdetection and responsedexterdfdownloaderdfir reportdfir teamdiavoldiceloaderdidier stevensdigital certificatesdircreatedirect systemdirectorydiscorddisplaynamedistributed attacksdkmcdkmc frameworkdll filedll librarydll payloaddll sideloadingdllentry ratdllsdnc hackdnc networkdns attackdoesndomaindonald trumpdonedonutdoormedoorme backdoordoppelpaymerdoradorkbotdos headerdouble extortiondownloaderdownloads akiradownragedpiawaredridexdropboxdropbox loaderdropperdrops cobaltduckdukedumpduqudustpandwordearth wendigoeasyeasylookedr hooksedreppefnoegregoregregor payloadelfeliteemergency servicesemergent threat responseemerging threatemissary pandaemotetemotet campaignemotet coreemotet epochemotet payloademotet runempireenableencoderencryptencryptionendpoint1energyenglishenjoyenterpssessionentropyentry pointepochepochsepochtimeerik hjelmvikerroreseteset researcheset securityestoniaesxiet cncet exploiteuropeeurope/asiaevil corpevilproxyexcelexecutable fileexecutes akiraexfiltrationexitendififexotic lilyexpert perspectiveexploitexploitation activityexploits & vulnerabilitiesexport functionextortionfailfalconfalcon completefalsefastfeaturefeodo trackerficker stealerfigurefilefile-hashfilejustfileless malwarefilesfillerfin7finalfinance and insurancefindfinspyfireeyefirstfirst detectionfishmasterfivehandsflexfooterfoozerforceforeign affairsformformatfortunefrancefrom karakurtfrontfrpfunctiong o2gap analysisgasgategate variantgaussgeckogeneric.933739germanyget requestgetchilditemgetoperandvaluegif headergithubgithub projectglobal funcgnu cgo downloadergogogolanggold blackburngoogle chromegoogle cloudgoogle docsgoogle drivegootkitgootkit loadergootloadergotrojgozigozi malwaregrabffgrantedaccessgrapeloadergriffongroup policygroupexchangegrouprevilgroupuchebkacguardguloaderhackhackermanhacking teamhadeshaixi mongolhancitorhancitor c2hancitor dllhancitor exehandoverharpyharvesterhashhatching triagehavocheaderheadlineshellhellohello packethellokittyhidehidedrvhighesthikithillhivehoneymytehong konghookhookshta filehtmlhtml filehtml objecthttphttp c2http gethttp methodhttp posthttp traffichttpshttps traffichumanhuntershwinithlwhydraicedidicedid malwareicedid payloadiceidicmpida proidentity & access exploitationidleigosiis workeriit appil fileil messaggioimages evidenceimpactimportincident responseindia-chinaindicatorindonesiainfectionidinfoinfostealerinitial accessinitial contactinjectinjection activityinjectorinstallintelintro contiinvestigation servicesinvestigationsioc510iocindicatoriocsiot securityipcountipv4iso fileiso filesystemiso imageissuer cusissuer orgit teamitaliaitalyitw nameja3ja3sjames haughomjan rubnjapanjarmjarm signaturejarsjasonjavascript codejitterjohnjs filejson objectjssloaderkarakurtkaspersky icskazakhstankazuarkerrdown samplekeyplugkhalesikhtmlknightkoadickoreankportscankronoslaterlateral movementlatinlazagnelearnlearn morelegallegezolemon duckleviathanlifelikholimelinodelinuxlinux systemlivinglnk filelnklnklnklnkloaderlocallockbitlockbit blacklog4jlog4shelllogiclogmeinlokibotlolbaslolbinslpwstr lpbufferlsasslsass memorylsass processltexasluckyluckymouseluminousmothmac osmacawmachinescalemachomacosmacromagicmail bombmailtomainmain entrymakadocsmakesmalaysiamalcatmaldocmalicious filemalicious powershell activitymalicious softwaremalspammalwaremalware descriptionsmalware technologiesmalwarebazaarmanagemanaged xdrmarchx8664 gmaremarkmaskmatanbuchusmatches nomatrixmazemaze ransomwaremcafeemediamedremeetingmegamespinozamessenger appmetasploitmeterpretermethodmethodologymexicomichaelmicromicrobackdoormicrosoft docsmicrosoft wordmidst intrusionmindminermitre attmobile threatmodelmodule stompmongoliamonitoringmonovmmonpassmonpass clientmonpass webmorphisec labsmortomotcmotnugmountlockermovingmozillams windowsmsbuildmsbuild processmsbuild projectmsf downloadermsf shellcodemshtml enginemsiemssqlmssql processmssql servermuddywatermultiplemustang pandamyanmarmyrtusmz headern c2n cobaltn httpsnaganamename filenarilamnation-state activitynativezonenbtscannebulaneitherneshtanetbiosnetcatnetscannetspynetsupport managernetsupport ratnetwalkernetwirenetwork forensicsnevernew zealandnewsnextnexusngrokngrok tunnelnightnim malwarenim programmingnimgrabbernimrevnimrodnimrodnimzanimzaloadernltestnobeliumnonamenopacnorth americansantdsntlmntlm hasho2 o2ocean lotusoceanlotusoffensivenimoilrigololone marketplaceoniondukeonlinoofficeopenopen processopen sourceopenfieldopensopenssloperating systemoperation pawnoperationsopsecor filefullnameoracle weblogicorionos versionoveroverlayownerp4bnzr0palo altopandapartpasspatchpathpawn stormpayloadpayloadbinpcappdf documentpe headerpeexeperuphasephishingphishing attackphotoloaderpingpinkslipbotpioneerpipespl shellcodeplatform sha256pleadpleaseplinkplugxplugx backdoorplugx implantpoisonpoliceponypoortryportpos softwareposhc2postpost bodypost methodpotential scanpowerpowershellpowershell ratprefecturepress enterprimary threatpriorprivacyprivilege escalationprocess hackerprocess injectionprojector libraprophetprophet spiderprotectproxyproxyshellpsexecpsrppublicpunk spiderputtypymafkapysapysa ransomwarepythonpython scriptpyxieqakbotqakbot binaryqakbot malspamqakbot malwareqbotquasarquesto certquick assistquietexitraasradarradminragnarlockerraindrop loaderrandomransomransom virusransomexxransomhubransomwarerapid7rararchiveraspberry robinratrat trojanratsrazyrc4 encryptionrclonereaves6 minreconrecon villagereconnaissanceredlineredline stealerreferregszregwriterelatedtoremcomremcosratremote servicesremoverenamereportreportsrequestresearchresearchedretail tradereturn addressrevilrevilcontiritarobinhoodrollcoastrootrozenarsa-4096rubeusrubyrun registryrussiarustrustockrustybuerryukryuk domainryuk hostryuk ransomwareryuk threatsabbathsafetykatzsagesandboxsandbox reportscalescams & fraudscan behavioralscannerscoutscriptscripting attacksscriptsseadukeseatbeltsecure shellsecurexsecurity groupssecurity operationssekhmetsekurselectserbiaserverserver helloserviceservice mainservice scanservice workerset currentsfx codesfx fileshadowshadow chasersharpkatzshathakshellshellcodeshownshutsignsignedsilentsilent breaksilent trinitysilentbreaksizeskycloaksleepsleepexslingshotsliverslovakslovakiasmadavprotect32smallsmb beaconsnakesnortsnowsoarsocgholish netsupportsocial engineeringsocssodinokibisofacysoftethersoftware exploitationsolarstormsolarwindssomniasourceimagesouth africasouth americaspamsparklinggoblinsparkratspawnspear phishingspeedsphwspidersprite spiderspyeyesslblstabuniqstackstagestagerstagesstarstarkstarsstarted servicestartwstatastatestdoutstealerstellarparticlestoneboatstopstormstorm-1811storm1567storystreamstrikestrike activitystrike beaconstrike loaderstrike payloadstringstringsstrongstrontiumsttxstuxnetsublime editorsummarysuncryptsupernovasupply chain attacksvchostswedishswiftsyscallsysdigsystem disruptionsystembcsyswhispers2szdrft1001t1003t1003.001t1003.003t1003.004t1003.007t1007t1012t1016t1016.001t1016.002t1018t1020t1021t1021.001t1021.002t1021.003t1021.004t1021.005t1021.006t1021.007t1025t1027t1027.002t1027.003t1033t1036t1036.001t1036.002t1036.003t1036.004t1036.005t1036.006t1036.007t1041t1046t1047t1049t1053t1053.001t1053.002t1053.003t1053.004t1053.005t1053.007t1055t1055.001t1055.002t1055.003t1055.004t1055.008t1055.011t1055.012t1055.013t1056t1056.001t1056.003t1056.004t1057t1059t1059.001t1059.002t1059.003t1059.004t1059.005t1068t1069.001t1070t1070.001t1070.002t1070.003t1070.004t1070.005t1070.006t1070.007t1071t1071.001t1071.002t1071.003t1071.004t1071.005t1078t1078.001t1078.002t1078.003t1078.004t1082t1083t1086t1090t1095t1098t1098.001t1098.002t1098.003t1102t1102.001t1102.002t1102.003t1105t1106t1110t1110.001t1110.002t1110.003t1112t1113t1134t1134.001t1134.002t1134.003t1134.004t1134.005t1136t1136.001t1136.002t1136.003t1140t1185t1187t1189t1190t1195t1197t1202t1203t1204t1204.001t1204.002t1213t1213.001t1213.002t1213.003t1218t1222t1486t1490t1496t1497t1498t1499.002t1499.003t1531t1543t1543.001t1543.002t1543.003t1543.004t1543.005t1546t1546.001t1546.002t1546.003t1546.004t1546.005t1546.006t1546.007t1546.008t1546.009t1546.010t1546.011t1546.012t1546.013t1546.014t1546.015t1547t1547.001t1547.009t1550t1550.001t1550.002t1550.003t1550.004t1555t1555.003t1555.004t1560t1562t1562.001t1562.002t1562.003t1562.004t1564t1564.001t1564.002t1564.003t1564.004t1564.005t1564.006t1564.007t1565t1566t1566.001t1566.002t1566.003t1568t1569t1569.002t1570t1571t1572t1573t1574t1574.001t1574.002t1574.004t1574.005t1574.006t1574.008t1574.009t1574.010t1574.011t1583t1587t1588t1588.001t1588.002t1588.003t1588.004t1588.005t1588.006t1588.007t1590t1590.001t1590.002t1590.003t1590.004t1590.005t1590.006t1591t1591.001t1591.002t1591.003t1592t1592.001t1592.002t1592.003t1592.004t1595t1595.001t1595.002t1595.003t1598t1598.001t1598.002t1598.003t1598.004ta471ta551ta578ta800talostargettargeted attackstargetimagetask managertcp portteamteamt5teamt5 teamt5techtelecomtelecommunicationstemptencentthetheftthemidathorthreatthreat actorthreat advisorythreat alertthreat analysisthreat analysis servicethreat feedthreat gridthreat intelligencethreat researchthreat responsethreat spotlightthreat-intelligencethreatsthreatsonarthreatsonar anti-ransomwarethreatvisionthrowbacktimetinbatipstldstls clienttls servertoolstor directorytor nodetouchtracingtrackertransferxl urltransferxl urlstravelextrellotrend microtrend visiontrickbottrickbot c2trickbot crewstrickbot grouptrickbots crewtrickbots cstriggertrinidad and tobagotrinitytrojantrojanspytrumptrustttpsturkishturlatvrattwittertycoontypeuac0056ukraineunc1151unc2165unc2190unc2190 beaconunc2198unc2452unc2465unc2589unc3381unified accessunitunusual porturisurlcampourlsurls httpurlshxxpursnifuse sectionuserpcnameuuid variantuuidsuwagavaporragevariantvaronisvaronis threatvatetvawtrakvba macrovbs scriptvhashvidarvietnamviewvincssvision onevmwarevmware commandvmware esxivmware horizonvmware identityvmware xfervnc activityvobfusvoicevoidvollgarvscodevulnerability scanwaf rulewandering spiderwdigestweb application attackwebdavweblogic accesswebshellwherewin32 malwarewin32.agentwin32.bitcoinminerwinapiwinapi callwindwindowwindowswindows binarywindows contextwindows eventwindows exewindows hostwindows logonwindows malwarewindows ntwindows remotewindows servicewindows systemwineloaderwinidswinntiwinnti groupwinrarwinrmwinscpwiperwirelurkerwizard spiderwmiwmicwmiexecwordword documentworkspace onewormwritewscriptx.509xll filexmrigxor algorithmsxss attackxtunnelxyzcampobb hxxpyahxzyanluowangyarayara rulez85 ascii85z85 httpszbotzenpakzeuszip filezloaderzscaler cloudzusyzxkbdklakv
Activity Timeline
May 20May 20
Threat Activity Heatmap
· Peak: 2026-05-20LessMore
Mon
Wed
Fri
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Threat ScoreLow Risk
33
SIGNAL
Signal Score
33%
Confidence
5
Reports
First seenJan 19, 2025
Last seenMay 20, 2026
Verified IOC
VirusTotal
Not checked
WHOIS
- description
- PE32+ executable (console) x86-64, for MS Windows
- references
- https://securelist.ru/tr/leek-likho-hunting-for-data-with-tor-and-llms/115601/, https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/, https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g, https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/, https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/, https://blog.talosintelligence.com/manjusaka-offensive-framework/, https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html, https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/, https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html, https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/, https://cloud.google.com/blog/topics/threat-intelligence/spear-phish-ukrainian-entities/, https://www.threatdown.com/blog/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/, https://cert.gov.ua/article/703548, https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/, https://isc.sans.edu/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824, https://cert.gov.ua/article/619229, https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/, https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html, https://blog.talosintelligence.com/avoslocker-new-arsenal/, https://isc.sans.edu/diary/rss/28752, https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html, https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/, https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions, https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis, https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee, https://thehackernews.com/2022/05/malware-analysis-trickbot.html, https://www.sonatype.com/blog/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux, https://asec.ahnlab.com/en/34549/, https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664, https://raw.githubusercontent.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/refs/heads/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md, https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf, https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf, https://isc.sans.edu/diary/28636, https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html, https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/, https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/, https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html, https://blog.talosintelligence.com/mustang-panda-targets-europe/, https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/, https://security.macnica.co.jp/blog/2022/05/iso.html, https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns/, https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt, https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf, https://cloud.google.com/blog/topics/threat-intelligence/unc2452-merged-into-apt29/, https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/, https://thedfirreport.com/2022/04/25/quantum-ransomware/, https://www.morphisec.com/blog/vmware-identity-manager-attack-backdoor/, https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html, https://www.varonis.com/blog/hive-ransomware-analysis, https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/, https://vanmieghem.io/blueprint-for-evading-edr-in-2022/, https://www.cynet.com/blog/orion-threat-alert-flight-of-the-bumblebee/, https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/, https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html, https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI, https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/, https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/, https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64, https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf, https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire, https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/, https://isc.sans.edu/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448, https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/, https://www.arashparsa.com/catching-a-malware-with-no-name/, https://cert.gov.ua/article/37704, https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments/, https://thedfirreport.com/2022/03/07/2021-year-in-review/, https://www.cynet.com/security-foundations/attack-techniques/new-wave-of-emotet-when-project-x-turns-into-y/, https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage, https://cyber.wtf/2022/03/23/what-the-packer/, https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes, https://asec.ahnlab.com/en/31811/, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/, https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489, https://www.cybereason.com/blog/research/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike, https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/, https://blog.sekoia.io/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/, https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/, https://www.security.com/threat-intelligence/yanluowang-ransomware-attacks-continue, https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/, https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/, https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/, https://www.trendmicro.com/en_gb/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html, https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks, https://www.threatdown.com/blog/a-multi-stage-powershell-based-attack-targets-kazakhstan/, https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1, https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf, https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia, https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/, https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671, https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/new-apt-group-chamelgang/, https://www.cynet.com/security-foundations/attack-techniques/understanding-squirrelwaffle/, https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/, https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf, https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf, https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/, https://istrosec.com/blog/apt-sk-cobalt/, https://www.crowdstrike.com/en-us/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/, https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/, https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/, https://securelist.com/apt-luminousmoth/103332/, https://isc.sans.edu/diary/rss/27618, https://www.gendigital.com/blog/insights/research/decoding-cobalt-strike-understanding-payloads, https://www.gendigital.com/blog/insights/research/backdoored-client-from-mongolian-ca-monpass, https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/, https://www.crowdstrike.com/en-us/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/, https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/, https://cloud.google.com/blog/topics/threat-intelligence/darkside-affiliate-supply-chain-software-compromise, https://www.sentinelone.com/labs/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/, https://www.cisa.gov/news-events/analysis-reports/ar21-148a, https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-148a, https://www.lac.co.jp/lacwatch/report/20210521_002618.html, https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf, https://www.guidepointsecurity.com/blog/from-zloader-to-darkside-a-ransomware-story/, https://thedfirreport.com/2021/05/12/conti-ransomware/, https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/, https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/, https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/, https://blog.talosintelligence.com/lemon-duck-spreads-wings/, https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/, https://www.netresec.com/?page=Blog&month=2021-04&post=Analysing-a-malware-PCAP-with-IcedID-and-Cobalt-Strike-traff, https://isc.sans.edu/diary/27308, https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c, https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/, https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures, https://www.qurium.org/alerts/targeted-malware-against-crph/, https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware, https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/, https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811, https://www.crowdstrike.com/en-us/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout, https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations/, https://raw.githubusercontent.com/AmnestyTech/investigations/refs/heads/master/2021-02-24_vietnam/README.md, https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060, https://thedfirreport.com/2021/01/31/bazar-no-ryuk/, https://www.security.com/threat-intelligence/solarwinds-raindrop-malware, https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/, https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618, https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html, https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach, https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/, https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/, https://isc.sans.edu/diary/rss/26862, https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf, https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf, https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware, https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/, https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/, https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/, https://raw.githubusercontent.com/ThreatConnect-Inc/research-team/refs/heads/master/IOCs/WizardSpider-UNC1878-Ryuk.csv, https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/, https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/, https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/refs/heads/master/China/APT/Chimera/Analysis.md, https://thedfirreport.com/2020/10/08/ryuks-return/, https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/, https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/, https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf, https://www.security.com/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos, https://blog.talosintelligence.com/indigodrop-maldocs-cobalt-strike/, https://www.zscaler.com/blogs/security-research/targeted-attack-leverages-india-china-border-dispute-lure-victims, https://www.sentinelone.com/labs/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/, https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/, https://blog.talosintelligence.com/building-bypass-with-msbuild/, https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html, https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf, https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A, https://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html, https://www.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf, https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/, https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf, https://contagiodump.blogspot.com/2014/11/onionduke-samples.html, https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/, https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a, https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know, https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks, https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta, https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies, https://www.cve.org/CVERecord?id=CVE-2020-1472, https://www.cve.org/CVERecord?id=CVE-2021-34527, https://www.cve.org/CVERecord?id=CVE-2021-42278, https://www.cve.org/CVERecord?id=CVE-2021-42287, https://www.cve.org/CVERecord?id=CVE-2024-1709, https://www.cve.org/CVERecord?id=CVE-2024-26169, https://www.cve.org/CVERecord?id=CVE-2022-30190, https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/, https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/, https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta, https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/?utm_campaign=sm-ETR&utm_source=linkedin,twitter&utm_medium=organic-social
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
IOC Journey
highFirst detected 1 year ago · Last seen 1 month ago
Appeared in 5 threat reports