SHA1 · High · Verified · Signal 100/100
699da768b166cd3c3dc7923bbffe61ef65940e65
Location
First Seen: Dec 5, 2021
Last Seen: Feb 3, 2026
Found in 5 reports. Confidence: high. Confidence scores are heuristic; verify before acting on results.
SHA-1 Hash
SHA-1 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA1
Confidence
99%
Signal Score
100 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
5 source reports, 99% confidence score
Category tags
Activity Timeline
Threat Activity Heatmap (peak: 2026-02-03)
24h: 0 (dormant)
7d: 0 (dormant)
30d: 0 (dormant)
3mo: 0 (dormant)
Threat Score: High Risk
Signal Score: 100
Confidence: 99%
Reports: 5
First seen: Dec 5, 2021
Last seen: Feb 3, 2026
Verified IOC
VirusTotal: Not checked
WHOIS
- description: PE32+ executable (GUI) x86-64, for MS Windows
- references
IOC Journey
High. First detected 4 years ago · last seen 4 months ago
Appeared in 5 threat reports