IOC Radar
SHA256 · Medium · Signal 100/100

a89639b784c7f6b839b56d2b0420541140e2f7aab2a9e5da03bbfba54b1408eb

Location: Armenia
First Seen: Mar 21, 2025 (469d ago)
Last Seen: Feb 13, 2026 (139d ago)
Reports: 4 source reports
Confidence: 99% (medium)
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
99%
Signal Score
100 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

57 techniques

Feed Intelligence Summary

4 source reports · 99% confidence score
Category tags

Activity Timeline

1 total obs
Feb 13

Threat Activity Heatmap

Peak: 2026-02-13
[Heatmap: weekly activity grid, Jun through Jun; single observation on 2026-02-13]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 0 (Dormant)
Threat Score: High Risk
Signal Score: 100
Confidence: 99%
Reports: 4
First seen: Mar 21, 2025
Last seen: Feb 13, 2026

VirusTotal

Not checked

WHOIS

description
A look back at some of the key words and phrases used to describe the situation in Italy, as "probacja" (or "democrata), as they were translated into English.
references


IOC Journey

Confidence: medium
First detected 1 year ago · Last seen 4 months ago
Appeared in 4 threat reports