IOC Radar

SHA-1 indicator, medium signal, 81/100

bc7ce60270a58450596aa3e3e5d0a99f731333d9

Location: Germany
First seen: Mar 11, 2024 (841 days ago)
Last seen: Apr 30, 2026 (61 days ago)
Source reports: 4
Confidence: 81% (medium)

Found in 4 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
Indicator type: SHA-1 file hash associated with malicious samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA1
Confidence: 81%
Signal Score: 81 / 100
IDS Rule: No
Threat Context

Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 62 techniques

Feed Intelligence Summary

Source reports: 4
Confidence score: 81%

Activity Timeline

1 total observation (Apr 30)

Threat Activity Heatmap

Peak: 2026-04-30
Observations by window:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: 81 (High Risk)
Signal Score: 81
Confidence: 81%
Reports: 4
First seen: Mar 11, 2024
Last seen: Apr 30, 2026

VirusTotal: Not checked

WHOIS

Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows


IOC Journey

Confidence: medium
First detected 2 years ago; last seen 2 months ago
Appeared in 4 threat reports