IOC Radar
SHA256 · Medium · Signal 96/100

a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526

Location: United Kingdom
First Seen: Dec 21, 2024 (559d ago)
Last Seen: Jun 3, 2026 (30d ago)
Reports: 11 source reports
Confidence: 96% (medium)
VirusTotal: 51/75 detections
Found in 11 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 96%
Signal Score: 96 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs

60 techniques

Feed Intelligence Summary

Source reports: 11
Confidence score: 96%

Activity Timeline

1 total obs (Jun 3)

Threat Activity Heatmap

Peak: 2026-06-03
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 96
Confidence: 96%
Reports: 11
First seen: Dec 21, 2024
Last seen: Jun 3, 2026

VirusTotal

51/75 vendors flagged
68% detection rate (Jun 11, 2026)

WHOIS

description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
references:
https://www.bitdefender.com/en-us/blog/businessinsights/safepay-ransomware-attacks-ttps
Julypt1.pdf
https://redpiranha.net/news/what-is-safepay-ransomware-everything-you-need-know
https://www.acronis.com/en-us/tru/posts/safepay-ransomware-the-fast-rising-threat-targeting-msps/
https://threatview.io/Downloads/Experimental-IOC-Tweets.txt
https://justpaste.it/bnukk
https://x.com/RakeshKrish12/status/1859844498030985402
https://github.com/TheRavenFile/IOC/blob/main/Safepay%20Ransomware

IOC Journey

medium
First detected 1 year ago · Last seen 1 month ago
Appeared in 11 threat reports