IOC Radar
SHA256 · High · Verified · Signal 78/100

688754743476df47e612190ef790105efab8c611a5b5e2cbecb3c6b764bb9dd7

Location: Ukraine
First Seen: Jun 6, 2025 (378d ago)
Last Seen: Apr 16, 2026 (64d ago)
Reports: 5 source reports
Confidence: 78% (high)
Found in 5 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
Indicator Type: SHA-256 Hash (SHA-256 file hash — primary identifier for malware samples)
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 78%
Signal Score: 78 / 100
IDS Rule: No
Threat Context
Tags: none listed
MITRE ATT&CK TTPs: 60 techniques

Feed Intelligence Summary
Source reports: 5
Confidence score: 78%

Activity Timeline
1 total observation (Apr 16)

Threat Activity Heatmap
(calendar heatmap, Jun to Jun · Peak: 2026-04-16)

Window   Observations   Status
24h      0              Dormant
7d       0              Dormant
30d      0              Dormant
3mo      1              Minimal
Threat Score: High Risk
Signal Score: 78
Confidence: 78%
Reports: 5
First seen: Jun 6, 2025
Last seen: Apr 16, 2026
Verified IOC

VirusTotal: Not checked
WHOIS: (no data)
Description: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
References: https://unit42.paloaltonetworks.com/blitz-malware-2025/


IOC Journey
Confidence: high
First detected 1 year ago · Last seen 2 months ago
Appeared in 5 threat reports