SHA256 · Medium · Signal 100/100
a0882d1f404bbdd46a993a93cc3def0327b733e408df2264d43f0cc4822a38fe
Location
First Seen
Jun 12, 2025
Last Seen
Mar 21, 2026
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
99%
Signal Score
100 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
4 reports · 99% confidence
4
Source reports
99%
Confidence score
Category tags
Activity Timeline
Mar 21
Threat Activity Heatmap · Peak: 2026-03-21
[heatmap graphic omitted; day-of-week axis: Mon, Wed, Fri]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 0 (Dormant)
Threat Score: High Risk
100
SIGNAL
Signal Score
99%
Confidence
4
Reports
First seen: Jun 12, 2025
Last seen: Mar 21, 2026
VirusTotal
Not checked
WHOIS
- description:
- Surprised: Follow bot account affects threat researcher(s) account(s). % path, attempts DoS. Threatening account name. (00285c99b52d41679b1aa3b8a80895b037df8a7500f4ad97ce06068eac4a95b7 | = follow) || {2025-05-20_bf3a6ba6e3421a7214ffbfe97642a578_amadey_black-basta_cova_cryptbot_elex_luca-stealer FastCopy5.9.0.exe} ET DNS Query for .cc; PROTOCOL-ICMP PATH MTU denial of service attempt; PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set
IOC Journey
Medium · First detected 1 year ago · Last seen 3 months ago
Appeared in 4 threat reports