SHA256 · High · Verified · Signal 83/100
75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212
Location
First Seen
Feb 27, 2023
Last Seen
Jun 16, 2026
Found in 6 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
83%
Signal Score
83 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
Source reports: 6
Confidence score: 83%
Category tags
aa23-352a, abuse, academic institutions, acsc, address, adfind, aes-rsa, aitm server, alienvault_ransomware, amos steaker, amos stealer, anydesk module, archive file, argentina, atomic https, atomic stealer, australia, automotive manufacturing, banking, bctt, bha006, block, boinc c2, bootkitty iocs, botnet, brazanbamboo c2, brazil, building construction, burnsrat c, c2 address, c2 domain, c2 http, c2 https, c2 ip, c2 server, c2 servers, cheat engine, checks-user-input, cisa, cisa advisory, cisa alert, civil services, ck techniques, cloud computing, cloud migration, cloud security, cloud services, cloud storage, cobalt strike, code execution, code injection, code issues, code snippets, command and control, command execution, commercial real estate, communication protocol, communications networks, compromise note, construction materials, construction safety, construction technology, credential access, credential harvesting, credit card services, critical infrastructure, cta, cthulhu stealer, cve, cyber threats, damn, darkrace, data, data breach, data encryption, data encryptor, data exfiltration, data gathering, data theft, database security, defanged file, defense systems, details, digital signature, direct-cpu-clock-access, distributed attacks, donex, double extortion, download url, downloader, dropper, duoyi, educational resources, educational services, educational technology, eldorado, electronic health records, electronics manufacturing, emergency services, encryption, energy systems, europe, exploit, exploit public vulnerability, exploitation, extortion, facilities management, fake captcha, fake chrome, file, file-hash, fileobj, files, finaldraft elf, finance, financial services, financial systems, financial technology, find, fingerprint, first, first seen, first stage, fleet management, footer, freight services, germany, gh0strat, ghostgambit, ghostsocks, github, github users, gmer, google meet, government facilities, government technology, grixba, guidloader, hash, hashes, hashes payload, health care and social assistance, health information technology, healthcare information systems, helldown linux, hidden rootkit, higher education, horns, hospital management, hta file, hta md5, hta script, html, html payload, http attack, http scanner, icon, idle, impact, indicator, indicatortype, industrial automation, industrial iot, industrial production, information technology, infrastructure acquisitionreconnaissance, ingress tool transfer, initial access, injection attacks, install, iobit, ioc, iocs, iocs files, iocs hash, iocs helldown, iocs malicious, iocs zip, ips https, ipv4, ipv4 address, it infrastructure, italy, js download, k-12 education, l files, landing, lateral movement, latin america, links, linux, lnk file, loader, local, lockbit, lumma payload, malicious download, malicious links, malicious powershell activity, malicious software, malware, malware c2, malware distribution, malware hash, malware signing, manufacturing technology, maritime transport, media, medical services, mekotio banking, mintsloader c2, mitre att, mlpea, monero, monitor, msi, msi file, multi-cloud management, na majestic, na stark, neshta, network ip, noopldr type1, noopldr type2, north america, oceania, operating system, opswat oesis, or file, osint, panel, passenger transportation, pathloader, patient care, payload, payload host, payload url, payment processing, peexe, peru, phishing, phishing attack, phishing urls, phobos, phpsert, phpsert variant, play, play att, play ransomware, play ransomware activity, playcrypt, plugin, plugx, plugx c2, ports, post-exploitation, powershower c2, privilege escalation, process injection, process manufacturing, property investment, property management, pscp, psexec, public, public administration, public infrastructure, public policy, pull, quality control, quite solsjoasquoc, raas, rail transport, ransom, ransom note, ransomware, ransomware activity detected, real estate, real estate development, real estate market, real estate technology, reddelta c2, reddit, registry keys, regulatory agencies, remcos trojan, remote access, remote services, researched, residential real estate, rhadamanthys c2, sample sha256, samples, scripting attacks, search, seen, server http, servers, service dll, sftp attack, shell commands, similar sha256, site, sites, social engineering, software development, software exploitation, software integrity, solo airfield, south america, ssh access, star, stealc c2, stealc payload, stix, stopransomware, strike loaders, strong, studio code, supply chain management, system disruption, systembc, t1003, t1005, t1016, t1021, t1021.001, t1027, t1027.001, t1027.002, t1027.003, t1027.005, t1041, t1048, t1053, t1053.005, t1055, t1059, t1059.001, t1059.003, t1068, t1069.001, t1070, t1071, t1071.001, t1078, t1078.001, t1086, t1105, t1110.002, t1112, t1133, t1189, t1190, t1203, t1204, t1204.001, t1204.002, t1210, t1218, t1218.011, t1484, t1486, t1490, t1496, t1499.001, t1499.002, t1499.003, t1518, t1530, t1535, t1547, t1547.001, t1552, t1554.001, t1554.003, t1560, t1560.001, t1562, t1562.001, t1565, t1566, t1566.001, t1566.002, t1566.003, t1567, t1567.002, t1569.002, t1570, t1587.001, t1590.001, threat actor, tls certificate, token, tools, transportation and warehousing, transportation infrastructure, transportation networks, transportation technology, trojanized, trojanspy, type name, united states, urls, urls http, urls https, v4 removal, vant, vbshower c2, version, version b, version c, version d, version e, view, visual studio, vssadmin delete, vulnerability, water systems, wealth management, web security, web traffic, webdav, win32 malware, windows malware, windows payload, winrar, winscp, zipmsi
Activity Timeline
Jun 16 to Jun 16
Threat Activity Heatmap
Peak: 2026-06-16
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk
83
SIGNAL
Signal Score
83%
Confidence
6
Reports
First seen: Feb 27, 2023
Last seen: Jun 16, 2026
Verified IOC
VirusTotal
Not checked
WHOIS
- description
- PE32 executable (GUI) Intel 80386, for MS Windows
- references
- https://www.ic3.gov/CSA/2025/250604.pdf, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a, https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/stopransomware-play-ransomware, https://www.cisa.gov/sites/default/files/2025-06/AA23-352A_StopRansomware-Play-Ransomware.stix_XML.xml, Bootkitty, Glove-Stealer, Fake Discount Sites Exploit Black Friday, Helldown Ransomware, HawkEye Malware, PXA Stealer, Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack, BrazenBamboo, SpyGlace, RustyStealer and New Ymir Ransomware, PyPI-AIOCPA, Python NodeStealer, romcom-exploits-firefox-and-windows, Rockstar-Phishing, Silent Skimmer Gets Loud (Again), SteelFox Trojan, WezRat Malware, Avast-Anti-Root-KIt, Winos4.0 RAT, APT36, WolfsBane Backdoor, APT-K-47, Remcos RAT, babbleloader, Bitter APT, UAC-0194’s Exploitation of CVE-2024-43451 in Ukraine for Phishing, CloudScout_ Evasive Panda scouting cloud services, clickfix-tactic, Akira Ransomware, Bumblebee Malware, ELDORADO RANSOMWARE, Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan, Demodex rootkit, BugSleep Malware, HotPage.exe (malware), Qilin Ransomware, NOOPDOOR Malware, Shadowroot Ransomware, play ransomware, MALLOX RANSOMWARE, New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users, ACR Stealer, Suspicious Domains Exploiting the Recent CrowdStrike Outage!, Gh0stGambit, MEKOTIO BANKING TROJAN, TAG-100, Fake game sites lead to information stealers, Chrome Extensions Hijacked, 2.6 Million Users Impacted, macOS Users Targeted by the New Variant of Banshee Infostealer, Hundreds of fake Reddit sites push Lumma Stealer malware, GamaCopy APT Group Mimicking GamaRedon, InvisibleFerret Malware Leveraging Python for Targeted Attacks, Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer, REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors, Phishing Campaigns Fuel Compiled AutoIt Malware Distribution, The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads, New Star Blizzard spear-phishing campaign targets WhatsApp accounts, RansomHub Affiliate leverages Python-based backdoor, Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques, Advanced Evasion Techniques Used by NonEuclid RAT, The Return of PlugX Malware with Fresh Tricks, The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts, Weaponized Software Targeting Chinese Organizations, Threat Surge as Lumma Stealer Expands Its Reach, Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain, MintsLoader_Stealc, North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks, North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware, Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques, Salt Typhoon Target U.S. Telecom Networks, SecTopRAT, Stealers on the Rise, Snake Keylogger, AsyncRAT Reloaded, The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation, FatalRAT, SystemBC RAT Poses New Risks to Linux System, Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations, FERRET Malware Targets macOS in Sophisticated North Korean Attacks, Espionage Campaign Targeting South Asian Entities, Astral Stealer Strikes Again Stealing More Than Just Your Cookies, The New Ransomware Menace Vgod Gains Momentum, Microsoft Advertisers Phished via Malicious Google Ads, LegionLoader Malware Expands Global Reach, NEW.txt, From Stealers to Ransomware PureCrypter Delivers It All, New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs, FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux, LockBit Ransomware Attack Leveraging Cobalt Strike, Rspack_Compromised_Packages, SmokeLoader, Sock5Systemz-PROXY-AM, solana-backdoor, U.S. Organization in China Targeted by Attackers, UAC-0185 attacks warned by CERT-UA, BellaCpp, bootkitty(logofail), Visual Studio Code Remote tunnels, Cloud Atlas seen using a new tool in its attacks, Christmas-Themed LNK Files Used for Malware Delivery, DarkGate, MirrorFace Campain, horns-hooves, Developers Targeted by New ‘OtterCookie’ Malware with Fake Job Offers, NetSupport RAT and BurnsRAT, Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery, MUT-1244-GitHub, Phobos ransomware, Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data, PUMAKIT, OtterCookie used by Contagious Interview, Ransomware-Lockbit3-IOCs.csv, TI Advisory No-ESAF-SOC-TI-249-FBI Warns of Play Ransomware Outbreak.txt, https://community.riskiq.com/article/210daec3, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a?&web_view=true, https://www.cisa.gov/sites/default/files/2023-12/aa23-352a-stopransomware-play-ransomware.pdf
IOC Journey
High · First detected 3 years ago · Last seen 18 days ago
Appeared in 6 threat reports