MD5 hash indicator: 6a58b52b184715583cda792b56a0a1ed
Indicator type: MD5 file hash associated with malicious samples
Hash algorithm: MD5
MISP category: Artifacts Dropped
Signal score: 98 / 100
Confidence: medium (qualitative band); confidence score 98%. Confidence scores are heuristic; verify before acting on results.
Source reports: 10
First seen: Jun 17, 2021
Last seen: Jun 1, 2026
IDS rule: No
Threat context, tags, MITRE ATT&CK TTPs: none recorded for this indicator.
Activity timeline: one observation, on Jun 1 (peak: 2026-06-01).
Recent activity: last 24h: 0 (dormant); last 7 days: 0 (dormant); last 30 days: 1 (minimal); last 3 months: 1 (minimal).
Threat score: 98 / 100 (High Risk)
VirusTotal: not checked
Description: In the latest episode of the LNK forensic analysis series, we look at how a malicious file was linked to a Chinese-speaking threat actor, who then modified the file to target a PowerShell program.
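As an added example (not the feed's own code), the check a practitioner would run with this record: hash every file under a directory, match against the MD5 above, and turn a hit into a STIX 2.1 Indicator of the kind the page's bundle export would carry. MD5 is collision-prone and any file-hash IOC is defeated by a one-byte change to the sample, so the indicator emitted for a matched file also carries its SHA-256. The sample files, the second hash (MD5 of b"abc") and all paths below are constructed for the demo.

```python
"""Sweep a directory for files matching an MD5 IOC and emit a STIX 2.1 indicator.

Added example, not code from the feed page. IOC_MD5 is the hash the page
records; the sample files, paths and the second test hash are constructed.
"""
import hashlib
import json
import os
import tempfile
import uuid
from datetime import datetime, timezone

IOC_MD5 = "6a58b52b184715583cda792b56a0a1ed"  # the indicator recorded on the page
CHUNK = 1 << 20  # stream files in 1 MiB chunks; large samples need not fit in memory


def hash_file(path):
    """Return (md5, sha256) hex digests of one file, computed in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, ioc_md5s):
    """Walk `root` and return [(path, md5, sha256)] for files whose MD5 is an IOC.

    Feeds differ in hash case, so the lookup set is lowercased. Unreadable
    files are skipped so one locked file does not abort the whole sweep.
    """
    wanted = {h.lower() for h in ioc_md5s}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue
            if md5 in wanted:
                hits.append((path, md5, sha256))
    return hits


def stix_indicator(md5, sha256=None):
    """Build a STIX 2.1 Indicator SDO whose pattern matches the hash.

    Once a sample has been matched its SHA-256 is known, and the pattern
    should require both digests: MD5 is collision-prone, and a hash IOC of
    either kind is defeated by any one-byte change to the file.
    """
    pattern = f"[file:hashes.MD5 = '{md5}']"
    if sha256:
        pattern = (f"[file:hashes.MD5 = '{md5}' AND "
                   f"file:hashes.'SHA-256' = '{sha256}']")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"MD5 {md5} (artifacts dropped)",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": pattern,
        "valid_from": now,
    }


def demo():
    """Constructed run: plant a file with content b'abc' next to a benign one and
    search for its MD5 written in upper case (the lookup is case-insensitive)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "sub"))
        with open(os.path.join(tmp, "sub", "dropped.bin"), "wb") as fh:
            fh.write(b"abc")
        with open(os.path.join(tmp, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here")
        hits = scan_tree(tmp, {"900150983CD24FB0D6963F7D28E17F72"})
    indicators = [stix_indicator(md5, sha256) for _path, md5, sha256 in hits]
    return hits, indicators


if __name__ == "__main__":
    found, sdos = demo()
    for path, md5, sha256 in found:
        print(f"HIT {path}\n  md5={md5}\n  sha256={sha256}")
    print(json.dumps(sdos, indent=2))
```

To run it against this record, call `scan_tree(root, {IOC_MD5})` on the host or image under review; `demo()` only proves the sweep and the indicator builder work on constructed input. A hit on the page's MD5 alone should be confirmed with the source reports before the indicator is redistributed, per the page's own caveat on heuristic confidence.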