IOC Radar
SHA256 · Medium confidence · Signal 97/100

c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37

Location: Peru
First Seen: Jul 24, 2021
Last Seen: Jun 9, 2026
Reports: 9 source reports
Confidence: 97% (medium)
Found in 9 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash: SHA-256 file hash, the primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 97%
Signal Score: 97 / 100
IDS Rule: No
Threat Context
MITRE ATT&CK TTPs: 114 techniques

Feed Intelligence Summary
9 source reports · 97% confidence score
Category tags:
abuse, accept, active scanning, actors, adfind, aerospace & defense, africa, agent tesla, ahnlab security, anydesk, apple, apt attack, apt group, asec, asia, attack case, attacks, automotive manufacturing, babuk, backdoor, blackbasta, blueshell, botnet, brute force, budworm, c server, c2, c2 server, capture wi-fi password, cases, civil services, close, cloud, cloud computing, cloud migration, cloud security, cloud services, cloud storage, cobalt strike, cobaltstrike, cobint, cobint backdoor, code execution, command and control, command execution, communication technologies, consumer electronics, core, credential access, credential dumping, credential harvesting, credential stuffing, curl, cve, cyber ai, cyber security, dalbit, dalbit group, data encryption, data exfiltration, data theft, database security, ddos attacks, debian lts, defense, defense contracting, defense logistics, defense systems, defense technology, demo, desktop, detect-debug-environment, distributed attacks, dropper, dtrack, eazy client, electronic components, electronic design, electronic engineering, electronic manufacturing, electronic testing, electronics manufacturing, embedded systems, emissary panda, energy, energy distribution, et exploit, europe/asia, exe, exfiltration, exploit, exploitation activity, exploitation attempts, extortion, file, file-hash, finance and insurance, frpc, ftp, future, github, go language, google news, government technology, group, hackscracks iot, head mare, hktl, home threat, impact, indicator, industrial automation, industrial iot, industrial production, information technology, infostealer, infrastructure sharing, ingress tool transfer, inisafewebsso, injection attacks, input validation bypass, internet of things, iocs, iot botnet, iot/ics attack, it infrastructure, keep, kimsuky, korea, lateral movement, linux, linux advisory, linux malware, local, lockbit, lockbit 3.0, lookback, lookingfrog, love, lsass, mac malware, macos, mailbox, main, malicious activity, malicious powershell activity, malicious software, malware, manufacturing technology, metasploit, meterpreter, middle east, military operations, mimic, mimic ransomware, min read, miner, mirai botnet, mobile, mobile carriers, mobile networks, mobile security, multi-cloud management, music, my email, national security, nebula, netscan, network intrusion, network probing, network scanning, network service scanning, new custom, news, news cloud, noname, north america, oil & gas, operating system, osint, outlook, outlook ost, overlay, password stealer, passworddumper, path traversal, peexe, peru, phantomjitter, phase, phish, phishing attack, please, post-exploitation, power generation, power systems, privilege escalation, process injection, process manufacturing, proxylogon, proxyshell, public administration, public infrastructure, public policy, python, qakbot, quality control, ransomhub, ransomware, rce, reconnaissance, regulatory agencies, remote access, remote code execution, remote services, renewable energy, researched, rootkit, rpcss, runtime-modules, russia, russian federation, safebae, satacom, script, scripting attacks, second stage, secure my, security news, security operations, semiconductor technology, service, sharpdecryptpwd, shell, sigma, sliver, social engineering, socks5, software development, software exploitation, south america, sparkrat, spike, ssh attack, ssl certificate, steganographic technique, stock exchange, strategies, strong, supply chain management, sysmon, system disruption, systembc, t1003, t1003.001, t1003.005, t1007, t1012, t1016, t1016.001, t1018, t1021, t1021.001, t1021.002, t1027, t1027.005, t1033, t1036, t1041, t1047, t1049, t1053, t1053.005, t1055, t1056, t1057, t1059, t1059.001, t1059.003, t1059.004, t1059.007, t1064, t1068, t1069, t1069.001, t1070, t1070.004, t1071, t1071.001, t1074.001, t1076, t1078, t1078.002, t1082, t1083, t1086, t1087, t1102, t1102.002, t1105, t1106, t1110, t1110.002, t1112, t1114.001, t1114.002, t1133, t1134, t1135, t1136, t1136.001, t1140, t1187, t1189, t1190, t1195, t1199, t1203, t1204, t1204.002, t1210, t1213, t1219, t1485, t1486, t1490, t1496, t1499.002, t1499.003, t1505, t1543, t1543.003, t1547, t1547.001, t1548.002, t1552.001, t1553, t1555, t1555.003, t1562, t1562.001, t1562.004, t1563, t1564.003, t1565, t1566, t1566.001, t1566.002, t1566.003, t1567.001, t1567.002, t1569, t1569.002, t1573, t1574, t1574.002, t1583, t1584, t1588, t1588.002, t1590, t1591, t1592, t1595, t1595.001, t1595.002, t1595.003, ta410, target, team, telecom, telecom services, telecommunications, thailand, threat, threat actor, threat hunter, threat intelligence, tips, tools, toolset, torrent, trends security, tricks secure, trojan malware, troytsara brashears, ttp, twelve, twitter, uae, united states, unknown file, update siem, usage, vulnerability, web application exploitation, web attack, web exploitation, webshell, whoami, whois whois, win32 malware, windows, windows malware, witchetty, x4, youtube, zero trust

Activity Timeline: 1 total observation (Jun 9)

Threat Activity Heatmap (Jun to Jun, one year) · Peak: 2026-06-09
Observations by window:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 97 (High Risk) · Signal Score 97% · 9 reports · First seen Jul 24, 2021 · Last seen Jun 9, 2026

VirusTotal

Not checked

WHOIS

description: PE32 executable (console) Intel 80386, for MS Windows
references:
https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware
https://securelist.com/head-mare-twelve-collaboration/115887/
https://asec.ahnlab.com/ko/56715/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt
https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#initial-access
https://www.security.com/threat-intelligence/ransomhub-betruger-backdoor
EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint
https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell
discord.com
api.anonfiles.com
checkip.dyndns.org
checkip.dyndns.com
DNS Query for Anonfiles.com Domain
INDICATOR SUSPICIOUS_EXE_WirelessNetReccon
INDICATOR SUSPICIOUS_EXE_CC_Regex
Traffic 13.107.4.52:80 (TCP)
MALWARE_Win_StormKitty
qbittorrent.exe
EaZy Client.exe
https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community
September 07th 2023 - CryptoGen Cyber Threat Intelligence Advisory #3202 - BlueShell Malware Targets Operating Systems.pdf
https://labs.inquest.net/iocdb
https://asec.ahnlab.com/en/56941/
https://community.riskiq.com/article/ed670670
https://gbhackers.com/hackers-using-blueshell-malware/

