IOC Radar
SHA1MediumSignal 100/100

b97d2acda8170017cad8f80301f4ccdad5aa3510

Location
PeruPeru
First Seen
Jul 6, 2025
Last Seen
Jan 29, 2026
Jul 6
First Seen
358d ago
Jan 29
Last Seen
151d ago
4
Reports
source reports
99%
Confidence
medium
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-1 Hash
SHA-1 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA1
Confidence
99%
Signal Score
100 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

44 techniques

Feed Intelligence Summary

4 reports99% confidence
4
Source reports
99%
Confidence score
Category tags
aaaaabuseaccount compromiseadobe stockadobe systemsantiguaappleapple webkitapple_webkitascii textaustria austriaavast avgbad trafficbarbuda asnbodybrowserbrowser hijackingcexpxg .xyzchromeck idck matrixcloud servicescloud storagecnccode executioncode injectioncomkxjs .xyzcommandcommand and controlcommand executioncommunication technologiesconnections droppedcontacted hostscreation datecredential theftcrlf linedata accessdata copyingdata encryptiondata exfiltrationdata theftdata transferdefense evasiondesktopdiv divdropbox 4xxdropbox plusdropbox spywaredynamicloaderentrieserreurerroret malwareexfiltrationexploitextortionfailurefile-hashfilesfiles showflagfoundgoogle safehighhookwowlow junindicatorinformation technologyinfostealerinfrastructure acquisitionreconnaissanceingress tool transferinput validation bypassit infrastructurelearnlinklocallowfilummamalicious linksmalicious softwaremalwaremediummetadata analysismitre attmobile carriersmobile networksmovedmsilmultiple attacksname tacticsnetwork trafficnextnext associatednitrogennorth americaoperating systemorg domainspacwpw .xyzpassive dnspath traversalpattern matchpeexeperupetyaphishingphotos cs3present aprpresent julpresent junprocess detailsprocess injectionproxyransomransomwarerelated cncremote servicesresearchedresults aprrozenascriptsearchserver responseserversshowshow processshow techniqueshowingsnakesocial media securitysoftware developmentsouth americaspanspan spanspawnssqgzl .xyzstatusstealerstealer relatedsteamsteam communitystock photossynapsesystem disruptiont1005t1011t1021t1021.001t1027t1030t1036.003t1041t1045t1053t1055t1057t1059t1068t1069.001t1070t1071t1071.001t1078t1081t1083t1105t1189t1190t1204t1204.001t1210t1218t1480t1480 executiont1486t1490t1499.001t1547t1553t1555t1560t1565t1566t1566.001t1566.003t1568t1587.001t1590.001t1590.002telecom servicestelecommunicationsthemida juntls handshaketls snitrojan malwaretrojandroppertrsuv .xyzunitedunited statesunurew .xyzurarfx .xyzurlsvirgin islandswaveweb application exploitationweb securitywin32 malwarewindowwindows malwarewriteyara detections

Activity Timeline

1 total obs
Jan 29Jan 29

Threat Activity Heatmap

· Peak: 2026-01-29
Less
More
Mon
Wed
Fri
Jun
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
·
·
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
0
Dormant
Threat ScoreHigh Risk
100
SIGNAL
Signal Score
99%
Confidence
4
Reports
First seenJul 6, 2025
Last seenJan 29, 2026

VirusTotal

Not checked

WHOIS

description
PE32 executable for MS Windows (console) Intel 80386 32-bit
references
146.112.61.107 (146.112.48.0/20) AS 36692 ( CISCO UMBRELLA ) US, IDS Detections: Win32/Lumma Stealer Related • CnC Domain in DNS Lookup (pacwpw .xyz), Lumma Stealer CNC {FILEHASH SHA256 bc9c5c8dfdcf0d2a321478207b0870274fba25b93075fc987768623237973646} t.me / Dropbox, Win32/Lumma Stealer Related CnC Domain in DNS Lookup (comkxjs .xyz) (unurew .xyz) (trsuv .xyz), Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sqgzl .xyz) (cexpxg .xyz) (cexpxg .xyz) (urarfx .xyz), Win.Exploit.Rozena {FileHash-SHA256 21fb4fdce85ab75430e18d9362a35f61dcaeb628c28836403472c054d6ceab8c}, Lumma Stealer https://t.me/pizdenka202020 / t.me, Query to a *.top domain - Likely Hostile 192.168.122.95 1.1.1.1 SHOWING 1 TO 22 OF 22 ENTRIES HTTP Request Get 1 Post 2 Put 0 Delete 0 URL HOST PORT METHOD USER AGENT https://steamcommunity.com/profiles/76561199863199067 steamcommunity.com 443 GET N/A { "src": "192.168.122.95", "sport": 49227, "dst": "23.59.52.127", "dport":, "protocol": "https", "method": "GET", "host": "steamcommunity.com", "uri": "/profiles/76561199863199067", "status": 200, "request": "GET /profiles/7656119986319, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Safari/537.36, (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 30038 Host: accsrf.top

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 11 months ago · Last seen 5 months ago
Appeared in 4 threat reports