IOC Radar
SHA256 · Medium · Signal 47/100

a14c467a5912a1dcc5749a361072a17e0b7de95947f9f2a89082e83321cd8085

Location
Denmark
First Seen
Apr 17, 2026 (77d ago)
Last Seen
Apr 17, 2026 (77d ago)
Reports
2 source reports
Confidence
47% (medium)
Found in 2 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
47%
Signal Score
47 / 100
IDS Rule
No
Threat Context
MITRE ATT&CK TTPs

8 techniques

Feed Intelligence Summary

2 source reports · 47% confidence score
Category tags

Activity Timeline

1 total observation · Apr 17 to Apr 17

Threat Activity Heatmap

Peak: 2026-04-17
[Heatmap: weekly observation grid by month (Jun through Jun); legend Less to More]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score
Medium Risk
Signal Score
47
Confidence
47%
Reports
2
First seen
Apr 17, 2026
Last seen
Apr 17, 2026

VirusTotal

Not checked

WHOIS

description
hive
references

IOC Journey

Confidence: medium
First detected 2 months ago · Last seen 2 months ago
Appeared in 2 threat reports