SHA1MediumSignal 100/100
cc1b8b44d5b69e8bddfd902b54d7000b3188caea
Location
First Seen
Jul 18, 2025
Last Seen
May 5, 2026
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-1 Hash
SHA-1 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA1
Confidence
99%
Signal Score
100 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
4 reports99% confidence
4
Source reports
99%
Confidence score
Category tags
.plaaaaacceptaccessaccess ta0001access ta0006account securityactive scanactivity miraiaddressaddress domainadwareadware malwareafricaag albertoag ingoair forcealertsall quietall scoreblueall searchanalyzer pasteandarielandroidanomalous fileappleas35994 akamaiasiaasnone dnsasnone germanyasnone relatedasnone unitedaustraliaaustriaav detectionsavg clamavbackdoorbad reputationbelgiumbiosbitsbodybotnet activitybrazilbrian sabeyc2capecatalog treecharter communicationscheckinchilechina unknownchromeclickable urlscloud infrastructurecnamecnapple publiccnc beaconcodecode executioncode injectioncommandcommand & controlcommand and controlcommand executioncommunication protocolcontent typecontrol ta0011cookiecopycp buscreation datecrypcur conocyber folkscyber warfareczechia unknowndarkwatchmandata accessdata copyingdata exfiltrationdata redacteddata store exposuredata transferddosddos attacksdefense evasiondeletedelete cdelete shadowsdelphidemonbotdenverdenver coloradodetected m1discovery e1082div divdns attackdockdomaindrive-by compromisedynamicloadere1203 datae1564 hiddenecho requestee edcje4jekyxeemailsemails infoencryptencryptionentrieseofaeerroretpro malwareeuropeeurope/asiaevasion ob0006expiration dateexpires thuexploitexploit noneexploitationexploitation activityfakedout threatfederation asnfile-hashfilesfiles domainfiles ipfiles locationfiles matchingfin ivdoflag unitedfor privacyformatfoundgafgytgermanygoogle safegrumguardguatemalahashes capehelloworldhichinahide artifactshighhitmenholidaycheck aghome networkhondurashostinghostnamehostname enumerationhttphttp attackhttp headershttp hosthttp requesthttp scannerhuawei hg532huawei remotehungaryicmp trafficids detectionsimmobilien agimpact ob0008impact ta0040inboundindicatorindonesiainformation gatheringinformation technologyinfrastructure acquisitionreconnaissanceingress tool transferinjectioninjection activityinstallinternet of thingsiocsiosiot botnetiot securityiot/ics attackipv4irelandireland unknownissuing cait infrastructurejapanjavascript injectionkenyakraupakurt waltherlabs pulseslicesslnmplnmp alookm1magic pdfmail spammermainmalicious downloadmalicious linksmalicious powershell activitymalicious softwaremalwaremalware distributionmalware trafficmalware wormmedia centermediummemory patternmetametadata analysismethod statusmexicominiigd upnpmiraimirai botnetmirai variantmitmmitre attmobilemobile securitymobile threatmodule loadmoroccomovedms windowsmsdefender aprmsiename serversnation-state activitynetherlandsnetwork scanningnetwork traffic analysisnextnidsnondnsnorth americaob0005 defenseoceaniaodigicert incopenoperating systemoperating system securityotx scoreblueoverlayoverview ippacking t1045passive dnspattern domainspayload hellopdb pathpdf documentpdf executionpe resourcepedrazpeexeperuphishingphy samopleasepolandpoland unknownpornportpostpowershellprocess injectionprocess32nextwproject pipulse pulsespulse submitpulsespuma sepushquantum fiberransomransomwareread crealtek sdkreconnaissancerecord typerecord valuerecycle binredacted forrelated nidsrelated pulsesremote accessremote servicesresearchedresolverrorreverse dnsrpcsrsa tlsrussiarussian federationsabeysamplessandboxscams & fraudscan endpointsscript domainsscript urlsscripting attackssearchserce internetuserverserver caserver errorserversshellshowshowingsingaporesinkhole cookieslcc2slovakiasoap commandsocial engineeringsocial media securitysoftware developmentsoftware exploitationsouth americaspainspamspammerssdeepssl certificatestatusstreamsuspsweepswippert1003t1005t1012t1021t1021.001t1023t1027t1030t1036t1040t1045t1047t1055t1057t1059t1059.001t1059.007t1060t1064t1069.001t1071t1071.001t1078t1082t1086t1089t1105t1106t1112t1119t1129t1133t1140t1143t1189t1189 foundt1190t1203t1204t1204.001t1204.002t1210t1485t1486t1496t1499.002t1564t1565t1566t1573t1587.001t1589.001t1590.001taiwanthailandthreat actortimo salzsiedertitletofseetoolstor nodetotaltptjswtrid adobetrojantrojan featurestrojan malwaretrojandroppertrojanspytsara brashearsttl valuetulachtype getunitedunited kingdomunited statesupdated dateurlsurls httpurls httpsusersvalue snkzvhashvietnamvirtoolvirusvulnerability scanweb exploitationweb injectionweb securityweb trafficwhoiswin32 malwarewindowswindows malwarewindows ntworldwritewrite cwsasendx cachexe exportyara detectionsyara ruleyomi hunterzenbox
Activity Timeline
May 5May 5
Threat Activity Heatmap
· Peak: 2026-05-05LessMore
Mon
Wed
Fri
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Threat ScoreHigh Risk
100
SIGNAL
Signal Score
99%
Confidence
4
Reports
First seenJul 18, 2025
Last seenMay 5, 2026
VirusTotal
Not checked
WHOIS
- description
- SHA1 of b68cf46ecddc3003a2a3ecfd545dce6de29afebfa93e914e15416d99ab93d454
- references
- DISTINCTIO8.pdf, FileHash - SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | Yara Detections: stack_string, IDS Detections: Win32/Tofsee.AX google.com connectivity check Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set, Tofsee: 'google.com' | https://www.gov50.icu |, ET TROJAN Win32/DarkWatchman Checkin Activity (POST) ( This is true. They sit around watching, following...), Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk, Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing, hubt.pornhub.com | www.pornhub.com | pornative.com, https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian || pin.it || https://pin.it/, www.sweetheartvideo.com || https://www.sweetheartvideo.com/tsara-brashears/, Unix.Trojan.Mirai-6981169-0: FileHash - SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da, IDS Detections: WGET Command Specifying Output in HTTP Headers, IDS Detections: D-Link Devices Home Network Administration Protocol Command Execution, Yara Detections: is__elf , DemonBot, Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout, FileHash - SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c, IDS Detections: Andariel Backdoor Activity (Checkin), Alerts: dead_host nids_malware_alert network_icmp nolookup_communication, DDoS:Linux/Gafgyt : FileHash - SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2, IDS Detection: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound, IDS Detection: Mirai Variant User-Agent (Inbound) WebShell Generic - wget http - POST, IDS Detection: Observed Suspicious UA (Hello-World) Suspicious Activity potential UPnProxy, http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/, https://tulach.cc/ || tulach.cc || www-temp.metrobyt-mobile.com, apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com, autodiscover.webcompanion.com || avc-gft-dashboard.apple.com || cac1-wwfde-wave.apple.com || demo27.apple.com, * https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit, https://tulach.cc/ | tulach.cc |, http://hallrender.com/attorney/brian-sabey | www-temp.metrobyt-mobile.com, google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl, 18teen.net | teensnow.com | grannies-porn.net | pornmd.com, www.pornhubselect.com | pornhub.software
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
IOC Journey
mediumFirst detected 11 months ago · Last seen 1 month ago
Appeared in 4 threat reports