IOC Radar
SHA256 · High · Verified · Signal 92/100

c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

Location: Peru
First Seen: Jan 19, 2021 (1990d ago)
Last Seen: Mar 26, 2026 (98d ago)
Reports: 6 source reports
Confidence: 92% (high)
Found in 6 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA256
Confidence: 92%
Signal Score: 92 / 100
IDS Rule: No
Threat Context
Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 48 techniques

Feed Intelligence Summary

Source reports: 6
Confidence score: 92%
Category tags:
aaaaacademic institutionsaccess controlaccount discoveryaccount hijackingaccount profilingaccount takeoveracintactive relatedadded activeaerospace & defenseagentalertsalexaalexa topall industriesameranalysis dateaptapt28artemisascii textasiaattackautomotive manufacturingav detectionsazorultbackdoorbad actorbank securitybankingbehavbinary filebinderblacklist httpbodybotnetbrontokbuilding constructionbusiness impersonationchinacisco umbrellacivil servicesck idck idsck techniquescleanerclick-based attackcobalt strikecode executioncommandcommand and controlcommand executioncommunication protocolconduitconstruction materialsconstruction safetyconstruction technologycontent lengthcontrol servercopy md5copy sha1copy sha256creation datecredential accesscredential harvestingcredential theftcredit card servicescrypto cybercyberdata accessdata copyingdata encryptiondata exfiltrationdata transferdefencedefensedefense contractingdefense logisticsdefense systemsdefense technologydelphidetect-debug-environmentdetection listdirect-cpu-clock-accessdistributed attacksdownldrdroppeddroppereducational resourceseducational serviceseducational technologyelectronics manufacturingencryptenigmaentriesentries peet exploiteurope/asiaexploitextortionfareitfile-hashfiles locationfinancefinancial institutionfinancial servicesfinancial technologyflag unitedfraudgeneric malwaregovernment technologygroup earthheadlace malwareheurhighhigher educationhistorical sslhong konghostname enumerationhours agohtml documenthttp attackhttp scannerhttpshybrididleids detectionsiframeindicatorindustrial automationindustrial iotindustrial productionindustries/all industriesinformation gatheringinformation technologyinfrastructure acquisitionreconnaissanceingress tool transferinitial compromiseinput validation bypassiobitiocsipv4it infrastructurek-12 educationkeygenknown-distributorlearnlegitlivelocalmalicious activitymalicious downloadmalicious hostmalicious linksmalicious powershell activitymalicious sitemalicious softwaremalwaremalware distributionmalware droppermalware sitemalware/headlacemanufacturing technologymarkusmediummilitary operationsmillionmitre attmockbinmovednamename tacticsnanocore ratnational securitynetwork scanningnextnext associatednircmdnjratnone filenymaimoccamyoperating systempacked executablepassive dnspastepath traversalpattern matchpawn stormpayment processingpeexeperuphishingphishing attackphishing siteponypremiumpresent marpresent novprocess injectionprocess manufacturingprotectpsexecpublic administrationpublic infrastructurepublic policypulse pulsespulsespulses nonepulses urlqakbotquality controlquasarramnitransomwarereconnaissanceredline stealerregulatory agenciesrelated nidsrelated pulsesrelated tagsremote accessremote servicesreport spamresearchedrole titlerostpayruntime-modulesrussiarussian threat actorryuksafe sitesamplesscripting attackssearchsecrisksecurity policyserviceshowshowingsimdasitesizeskynetsmallsocial engineeringsoftware developmentsoftware exploitationsouth americaspawnsspringshellssl certificatesteg iconsstringssummarysupply chain managementsuspswrortsystem disruptiont1005t1021t1021.001t1027t1030t1055t1057t1059t1059.001t1059.005t1060t1069.001t1071t1071.001t1078t1086t1105t1113t1133t1189t1190t1192t1203t1204t1204.001t1204.002t1480t1486t1490t1496t1499.001t1499.002t1499.003t1547.001t1553t1565t1566t1566.001t1566.002t1566.003t1567t1567.001t1569.002t1583t1587.001t1589t1589.001t1590.001ta422tag countteamthreatthreat actorthreat preventionthreattype/malwarethreattype/phishingthreattype/russian threat actortiggretimetitle addedtld counttrojan malwaretrojandroppertrojanspytrustedtwittertype indicatorunionunitedunruyunsafeurlsurls httpsursnifuser executionuss cusvwusvwuvirutvt graphwacatacwealth managementweb application exploitationweb securityweb trafficweekwhoiswhois recordwin32 malwarewindowswindows malwarewinrarwritextratyarayara detectionszbotzpevdo

Activity Timeline

1 total observation (Mar 26)

Threat Activity Heatmap

· Peak: 2026-03-26
[Calendar heatmap, Jun to Jun (Mon/Wed/Fri rows), not recoverable as text]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 0 (Dormant)
Threat Score: High Risk
Signal Score: 92 (SIGNAL)
Confidence: 92%
Reports: 6
First seen: Jan 19, 2021
Last seen: Mar 26, 2026
Verified IOC

VirusTotal: Not checked

WHOIS

Description: PE32+ executable (GUI) x86-64, for MS Windows
References:
https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure
https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/
https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/#:~:text=Threat%20Alliance.-,Indicators%20of%20Compromise,-HTML%20page%20hosted
https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center
https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week

IOC Journey

Confidence: high
First detected 5 years ago · Last seen 3 months ago
Appeared in 6 threat reports