SHA256 · Medium · Signal 100/100
bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56
Location
First Seen
Jun 19, 2025
Last Seen
May 16, 2026
Found in 15 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
99%
Signal Score
100 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
Source reports: 15
Confidence score: 99%
Category tags
Activity Timeline
Threat Activity Heatmap (peak: 2026-05-16)
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 100
Confidence: 99%
Reports: 15
First seen: Jun 19, 2025
Last seen: May 16, 2026
VirusTotal
Not checked
Description: SHA256 of ce1b9909cef820e5281618a7a0099a27a70643dc
References:
- https://www.guidepointsecurity.com/blog/gritrep-akira-sonicwall/
- https://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/
- https://www.huntress.com/blog/exploitation-of-sonicwall-vpn
- https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/
- https://www.truesec.com/hub/blog/akira-ransomware-exploiting-potential-zero-day-in-sonicwall-ssl-vpn
- https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430
IOC Journey
Confidence: medium. First detected 1 year ago, last seen 1 month ago.
Appeared in 15 threat reports.