IOC Radar
MD5MediumSignal 81/100

b2ec54b9a0813282302fc35680c1f179

Location
GermanyGermany
First Seen
Mar 11, 2024
Last Seen
Apr 8, 2026
Mar 11
First Seen
836d ago
Apr 8
Last Seen
79d ago
4
Reports
source reports
81%
Confidence
medium
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
MD5 Hash
MD5 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
MD5
Confidence
81%
Signal Score
81 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

42 techniques

Feed Intelligence Summary

4 reports81% confidence
4
Source reports
81%
Confidence score
Category tags
aaaaacceptaccess controlaccount securityactive scanaddressakamaiasn1all octoseekanalyzeanchor hrefsapple iosapple phoneapplication developmentassign functionattackauthorityazorultbasicbloodbodybody lengthboomr functionboomrmq stringbotnetbotnet activitybreast cancerbrute forcec&cca1 odigicertcallback functioncivil societyclassclick-based attackcobalt strikecode executioncommandcommand & controlcommand and controlcommand executioncommunication protocolcontacted urlscontrol ta0011cookiecorecorporate lawcountrycreation datecritical riskcus cndigicertcus cnmicrosoftcus lsandark powerdata accessdata copyingdata encryptiondata exfiltrationdata store exposuredata transferddosde indicatorsdefense evasiondelphi genericdenverdetect-debug-environmentdetection listdevelopment methodologiesdevopsdistributed attacksdnsdns attackdoctypedos exedos executableelectronic health recordself collectionemotetempty hashencryptionerroreurodns saeuropeevasion ta0005executable fileexfiltrationexploit sourceexploitation activityextortionfile-hashfilesfinal urlgandi sasgeckogeneral fullgenericgeneric malwaregeneric windosgermanyget httpgmbh versiongraphhashesheader intelhealth care and social assistancehealth information technologyhealthcare information systemshistorical sslhospital managementhostname enumerationhrefshtml documenthttp attackhttp responsehttp scannerhttpshybridicons libraryidentity & access exploitationinc subjectindicatorinfo compilerinformation gatheringinfostealerinfrastructure acquisitionreconnaissanceingress tool transferinjection activityintelintellectual property lawiocsipv4ja3skdekhtmlkidney cancerlaw practicelayer protocollcc linkerlegal consultinglegal researchlegal serviceslegal technologylevellink libraryliver cancerlocallockbitlooklukelumma stealerlung cancermainmalicious activitymalicious downloadmalicious linksmalicious softwaremalwaremalware distributionmarkmonitormatches rulemedical centermedical servicesmemory patternmitremitre attmobilemobile securitymobile threatmonitoringname md5nation-state activitynetworknetwork connectionnetwork scanningnextnjratnumberodigicert incopenoperating systemoperating system securityoverlaypassive dnspassword bypasspastepatient carepattern matchpdfpdf documentpe resourcepe32 linkerpe32 packerpedllperforms dnsperupetitephiphishingpiiplugxpornhubpost httpproblemprocessprocess injectionprocesses treeproduct developmentprostate cancerprotocol h2protocol t1071pulse pulsespythonquality assuranceransomexxransomwareratrat trojanreconnaissancerecord valuerefreshregistry keysregulatory compliancerelicremoteremote access trojanremote servicesresearchedresolved ipsresource hashrestartreverse dnsrevoked-certroot carticon neutralsabeysamplessarcomascan endpointsscanning hostscriptsearchsecurity policysecurity tlsserver caservice privacyserving ipsha2 secureshellshell codesiblings domainsigmasignedskin cancersocial engineeringsoftware architecturesoftware developmentsoftware engineeringsoftware exploitationsoftware testingsouth americaspanssdpssl certificatestatus codestatus pagestatus urlstringssubjectsummarysystemsystem disruptiont1005t1016t1021t1021.001t1027t1030t1046 sendst1053t1055t1059t1059.001t1059.005t1064t1069.001t1071t1071.001t1078t1082t1083t1105t1129t1140t1189t1190t1203t1204t1204.001t1204.002t1486t1490t1496t1497t1499.002t1499.003t1547t1565t1566t1566.001t1566.002t1569.002t1587.001t1589.001t1590.001ta0002 defenseta0004 defenseta0007 networkta0009 commandtag counttargetsthreatthreat actorthreat preventionthreat reportthreat rounduptlstls rsatoolstor nodetrojan malwaretsara brashearstulachtwittertypeunicode textunitedurlsursnifuser executionutf8 textvalueverdictverifyvulnerability scanweb securityweb trafficwhois recordwhois whoiswin16 newin32 dynamicwin32 malwarewindows malwarewindows ntwiperyara

Activity Timeline

1 total obs
Apr 8Apr 8

Threat Activity Heatmap

· Peak: 2026-04-08
Less
More
Mon
Wed
Fri
Jun
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
·
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Threat ScoreHigh Risk
81
SIGNAL
Signal Score
81%
Confidence
4
Reports
First seenMar 11, 2024
Last seenApr 8, 2026

VirusTotal

Not checked

WHOIS

description
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
references
https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians, https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea, www2.megawebfind.com [command and control], http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing], 20.99.186.246 [exploit source], https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic], Win32:RATX-gen [Trj] identified., CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades), CS Sigma Rules: Disable UAC Using Registry by frack113, http://45.159.189.105/bot/regex [ tracking | botnet], https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems], 0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org, https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing], CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Remote Access Trojan

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 2 years ago · Last seen 2 months ago
Appeared in 4 threat reports