IOC Radar
SHA256 · Medium · Signal 47/100

987d44d5c10e382e8bede999fc6f805b2be6d84e8547c9db4f21bcbd8ef02da9

Location: Hong Kong
First Seen: Apr 17, 2026 (77d ago)
Last Seen: Apr 24, 2026 (70d ago)
Reports: 2 source reports
Confidence: 47% (medium)

Found in 2 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples. An exact-hash indicator matches only a byte-identical file: a repacked or otherwise modified build of the same malware produces a different digest, so a miss on this hash is not evidence that the family is absent.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 47%
Signal Score: 47 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs: 8 techniques. The eight technique tags on this page are T1018 (Remote System Discovery), T1056 (Input Capture), T1071 (Application Layer Protocol), T1082 (System Information Discovery), T1095 (Non-Application Layer Protocol), T1105 (Ingress Tool Transfer), T1497 (Virtualization/Sandbox Evasion) and T1518 (Software Discovery); the page carries only the IDs, the names are from MITRE ATT&CK Enterprise.

Feed Intelligence Summary

Source reports: 2
Confidence score: 47%

Category tags: aaaa, accept, active scan, antigua, artemis, ascii text, asia, aslr, attack network, backdoor, bad login, barbuda unknown, basic, botnet activity, brute force, calls process, canada asn, canada unknown, chrome, ck id, ck techniques, click, cloud infrastructure, cnc, code, command, command line, cookie, copy, delete, delete c, displayname, dll read, dns attack, dnssec, domain, drweb, dynamicloader, echobot, encrypt, entries, error, evasion att, expiration date, exploitation activity, extra info, farahvpn vless, file-hash, files, files c, files domain, files related, form, full path, function read, github, guard, guest system, handle, high, hong kong, hostname, hostname add, href, http, huawei remote, hybrid, iana registrar, identity & access exploitation, indicator, info processes, intel, invalid url, iot security, ipv4, ipv4 add, jkvpn, kong flag, learn, links, linux mirai, local, malware, mcafee, media type, medium, meta, mirai, monitoring, moved, ms windows, msie, mutexes nothing, name servers, name tactics, nation-state activity, next, next associated, org domains, panda, parent pid, passive dns, path, pattern match, pe file, pe32 executable, please, port, post, present dec, present feb, present jan, present mar, present nov, present oct, present sep, proxy, push, ransomware, rdap, rdap database, read, read c, read registry, reaqta, record value, registry keys, related tags, remote command, researched, reverse dns, roles, scribd, script urls, search, servers, show, south korea, spawns, status, stream, strings, t1018, t1056, t1071, t1082, t1095, t1105, t1497, t1518, taiwan as3462, telecom, telnet login, telnet root, threat actor, title, tofsee, tor node, total, trojan, ttl value, twitter, type, typews, ultimate file, united, unknown ns, urls, utc8 network, variant cnc, vipre, virgin islands, vpn, windows, windows sandbox, write, write c, wscriptshell, zenbox verdict

Activity Timeline

1 total observation (Apr 24)

Threat Activity Heatmap

Peak: 2026-04-24. Observations by window: 24h: 0 (Dormant) · 7d: 0 (Dormant) · 30d: 0 (Dormant) · 3mo: 1 (Minimal).
Intelligence Summary (AI Generated)

This Indicator of Compromise (IOC), a SHA-256 file hash, carries a medium signal score (47/100) from two source reports. Those reports associate it with backdoor malware families including Mirai and Tofsee, which are known for remote control of compromised devices and Distributed Denial of Service (DDoS) capability. The potential impact of this IOC includes unauthorized access to systems, data exfiltrati…

Threat Score: Medium Risk (47)
Signal Score: 47 · Confidence: 47% · Reports: 2 · First seen: Apr 17, 2026 · Last seen: Apr 24, 2026

VirusTotal: Not checked

WHOIS

description: hive

references:
- https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_ReaQta-Hive.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776404544&Signature=LCRNjms1qthotVXcKmffBD10Y7DKisr7k%2BlVYrTjCank6HB3%2ByH%2F1sAynrAczQNJMFvSCN5berXjisgbRQS12Ua0xWRr9S8WNELQIpaix5s1ZmT%2F20DZy3aPTFnkYjLEAbwCqct2rNETUFlznOBprz2NuaYDQTMU%2BBIuWQmPBconTM%2Bl3i3R2ijpm8NB74T2%2FHObuJDy9Q6nZLrypCtVXWXhM%2FFXBVbGbSnv8YuAN1knzyCy7
- https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_VenusEye%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776404740&Signature=UTWPNbGAoA9TgTHQiId%2B2IX5vXvrJW9JEMICUB8TIsjB%2F%2FqCyeDRc4kvJNYPqQxTrStjGw64eO9p5qPWO6VtkqSnCJfMhO67pVlA8pr2ftHKAGXBV5zwKVkKMUZEs45BhHkY1DLOe0o69EkrN5SlNTblrAVGT5Q6ZG54BbmLetpACp804v%2F9sfa7RgSTZBnItoA9xHcNnivoqRtyhreowE%2FTLFAXboIqs9cti95uwbKKhqzb
- https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776404830&Signature=xTx%2BpDgPVcC%2F9bas7r9zOD2cjhR8moW2kepUI6Dfmz5WrCrWqUpFCtn3pgbDYZqdfFa8HCluzOBpUA8ULheNBisUcHil3cplF57DdYR1C1d9uPgSqqOrjpYXoL3OtlzZFv8X00%2Ft7xwGwRgS9BohRtLi8EFvJTAJ7RC7EOm9FpG49dFxcnvjNDFSixUo2g9P0f4m0li3fkcR9onjdL2WmM1vSmAJBiaVxCMHhG8K49Ro3AwUrT9AV2uG9CnH%2Bu
- https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776404848&Signature=WmTL2fYm%2FkDYVa9Qo9Nz9RPF1sK%2BSfCJJtstGHcUos0pBsz0gehytubNXzwSckZACwulvt8Ye%2BDV3Q82C9WedSfmtisHhwbJuUC69xdfCcBiGcZjiEl%2FCDYoT5bQr16cZP7weWAn%2Beg8YFq4S5VWlVp3M7vNlHJSPy%2Bt4RNKiO6O5wHc74tX7b5Hvl08W9i%2F6vQ8iTmB0OFx21UK%2FG4wdLMIrBbhaxVD3zWi81iu0vgOU9
- https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776404928&Signature=tWjsWqqnoY%2FioSmCeqIaZY4021%2Bm6UFV%2BEiTdTHnMx6FcCgc4YRDjhGLoV24Vk%2Bq8%2Fz0qx1OAHNDq3adCrUxmP%2BTR0vYWjYEiuy%2F6hg7oSF9eiX%2BAEgRS7vQzZdiOy7%2BoKaLRFGet0HWmKoQkMYLyrY9Yu4k5mnQmOG4oecchl9baESpYfESVVfol0t7Xn%2FZCVd%2FH5gn%2BCysfY7lTC07sxIs0Cc6%2F%
- https://pamchall.com/Telegram@V2ray_Alpha/
- Domain: t.me • Email: [email protected]
- https://t.me/
- Win32/Tofsee.AX google.com connectivity check
- IDS Detections: Win32/Tofsee.AX google.com connectivity check; Observed Telegram Domain (t .me in TLS SNI)
- Yara Detections: Cabinet_Archive, SFX_CAB
- ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
- Antivirus Detections: ELF:Mirai-AAL [Trj], Unix.Trojan.Mirai-1, Backdoor:Linux/Mirai.N!MTB
- IDS Detections: Observed DNS Query to ELF/Various Mirai Variant CnC Domain; Huawei Remote Command Execution (CVE-2017-17215); Huawei Remote Command Execution - Outbound (CVE-2017-17215); Huawei HG532 RCE Vulnerability (CVE-2017-17215); DYNAMIC_DNS Query to *.duckdns. Domain; SUSPICIOUS Path to BusyBox HiSilicon DVR - Default; Telnet Root Password Inbound; TELNET login failed root login; Bad Login
- Yara Detections: Mirai_Botnet_Malware, Mirai_2, is__elf, Linux_Mirai, ECHOBOT
- Sandbox signatures: dead_host, network_icmp, tcp_syn_scan, nolookup_communication, networkdyndns_checkip, writes_to_stdout
- IP's Contacted: 1.0.21.231, 1.0.42.181, 1.1.116.28, 1.10.203.28, 1.10.54.62, 1.101.0.202, 1.101.184.254, 1.103.104.9, 1.103.141.89, 1.104.104.227
- Contacted: newmethcnc.duckdns.org
- https://otx.alienvault.com/indicator/file/3215b2d1c44c7114c7f94af1bbcb858707b636baeae2c6752219fdf184c7b00e
- https://eurotarget.com/it/auto/toyota/c-hr/

Two caveats before pivoting on these references. First, the sandbox report URLs are for sample 1af55649… and the OTX link is for 3215b2d1…, not for the hash on this page, and the verdicts span both Windows (Win32/Tofsee, CAB/SFX, PE32) and Linux (ELF Mirai) artifacts, which cannot all describe one file; they are context from the reports this hash appears in, not verdicts on this artifact. Second, the vtbehaviour links carry signed, time-limited query strings (the Expires values fall in April 2026) and will no longer resolve; fetch the behaviour reports from VirusTotal directly.

Export & API: STIX 2.1 Bundle · CSV Export · Permalink
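The two operational uses of a page like this are matching the SHA-256 against files you hold and re-exporting it as STIX 2.1 for a TIP or EDR watchlist. The following is an added example, not IOC Radar's own code or export format: it streams each file under a directory through SHA-256, reports exact matches against a watchlist, and wraps the page's hash in a STIX 2.1 Indicator whose pattern uses the standard `file:hashes.'SHA-256'` comparison. Only the hash, the first-seen date (2026-04-17) and the confidence value (47) come from the page; the planted sample bytes, the file names and the helper names (`scan_tree`, `stix_indicator`, `demo`) are constructed for the demonstration.

```python
"""Added example (not IOC Radar's code): SHA-256 watchlist matching plus a
STIX 2.1 Indicator/Bundle export for the page's hash.

Only IOC_SHA256, the valid_from date and the confidence value are taken from
the page; the sample files, watchlist and helper names are constructed."""
import hashlib
import json
import os
import tempfile
import uuid
from datetime import datetime, timezone

IOC_SHA256 = "987d44d5c10e382e8bede999fc6f805b2be6d84e8547c9db4f21bcbd8ef02da9"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB blocks so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, watchlist) -> list:
    """Return (path, sha256) for every file under root whose digest is on the watchlist.

    This is exact-hash matching: a single changed byte (repacked binary, patched
    C2 address) yields a different digest, so a miss is not evidence of absence."""
    wanted = {h.lower() for h in watchlist}
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable or vanished file: keep scanning
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def stix_timestamp(dt: datetime) -> str:
    """STIX 2.1 timestamp: RFC 3339 in UTC with millisecond precision."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def stix_indicator(sha256: str, valid_from: str, confidence: int, indicator_types) -> dict:
    """Minimal STIX 2.1 Indicator SDO carrying a file-hash comparison pattern."""
    now = stix_timestamp(datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"SHA-256 {sha256[:12]}",
        "indicator_types": list(indicator_types),   # open vocab, e.g. malicious-activity
        "pattern_type": "stix",
        "pattern": f"[file:hashes.'SHA-256' = '{sha256.lower()}']",
        "valid_from": valid_from,
        "confidence": confidence,                   # STIX 2.1 confidence is 0-100
    }


def stix_bundle(objects) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def demo():
    """Constructed scenario: one planted 'sample' and one benign file in a temp dir.

    The watchlist holds the page's hash plus the planted file's digest, so the scan
    produces exactly one hit. Returns (hits, bundle)."""
    planted = b"constructed sample bytes - not real malware\n"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sample.bin"), "wb") as f:
            f.write(planted)
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        watchlist = {IOC_SHA256, sha256_bytes(planted)}
        hits = scan_tree(root, watchlist)
    indicator = stix_indicator(IOC_SHA256, "2026-04-17T00:00:00Z", 47,
                               ["malicious-activity"])
    return hits, stix_bundle([indicator])


if __name__ == "__main__":
    hits, bundle = demo()
    for path, digest in hits:
        print(f"HIT {digest} {path}")
    print(json.dumps(bundle, indent=2))
```

The bundle is plain JSON built by hand rather than via the `stix2` library so the example runs without extra dependencies; if you already use `stix2`, `Indicator(pattern=..., pattern_type="stix", valid_from=...)` produces the same object with validation. Point `scan_tree` at a quarantine or upload directory and feed it the hashes from the CSV export; remember that the `confidence` value is the page's heuristic score, not a verdict.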

IOC Journey

medium · First detected 2 months ago · Last seen 2 months ago · Appeared in 2 threat reports