IOC Radar
SHA256MediumSignal 91/100

ce6c33a36731b021708d1c6e0bc7d34f2c89df24253e27a6abed15dec3d25c84

Location
GermanyGermany
First Seen
Feb 25, 2026
Last Seen
Apr 17, 2026
Feb 25
First Seen
109d ago
Apr 17
Last Seen
58d ago
4
Reports
source reports
91%
Confidence
medium
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
91%
Signal Score
91 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

23 techniques

Feed Intelligence Summary

4 reports91% confidence
4
Source reports
91%
Confidence score
Category tags
aaaaacceptaccess typeactive scanaddress domainalertsall domainall filehashalvoesamericaarialascii textasiaasia pacificav detectionsbackdoorbb c7bc a1binarybinary filebotnetbotnet activityc tmpsamplec2 ipc2 resolutioncallcallscanadacc fdcertcert validitychainck idck idsck matrixclickcloudflare dnscodecommandcommand & controlcontactcopycreation dated4 dcdata uploadddosdefense evasiondeletedelphidirectoi t1222div divdive intodns attackdohdomaindomainsdownloaderdynamic dnsdynamicloaderedgeview driveelf executableelf geomielf64 operationencryptencryptionenoughentrieserroreuropeexchange allexcludeexclude dataexclude suggesexeexec amd6464executable fileexploitation activityexternal ipextrf4 cafailedfastfastest privacyfilefile-hashfiler datafiler filehuonfilesfiles ipfilet cefilet filerfilet filetfindfind cfind sfirst dnsformatfull reportsgeckogermanyget helloget icarusglobalgolanggoogle dnsguardh1256hackingtrio uahandlehelloheurhighhktlhostnamehostshttp performshttp traffichttpshttps domainhua muicalulhybridids detectionsinboundincludeinclude datainclude reviewindicatorindicatoreinfection dnsinfointeliot securityipv4 addkey usagekhtmllabs pulseslayer protocollearnlesslinuxloaderloadslocalmalwaremanualymatches datamatches edolavdmatches matchesmediummemory patternmetamiraimirai variantmitre attmitre attackmodelmodify systmodify systemmozillams windowsnamename serversname tacticsnetwork infonew threatnextnext associatedno entrinorth americanumberogoogle trustopenotx logootx telemetryoutboundpassive dnspathpe sectionpe32 executablepeexepegasusperforms dnsperuponmocup postpostprivate serverproc indicativeproccpuinfoprocess createprocess lpulsepulse pulsespulsesransomwarereadread creadsreads cpurecord valuereference idrelated tagsremc t1070report publishresearchedreview excludereview occsearchserver caserversserviceshellshowshowingsingaporesingapore asnsmuxsoftware supplysouth americaspanstatusstopstreamstringsstwasuggestsuggested ocssuitesystemd servicesysvt1010t1018t1027t1027 masqueract1036t1036 indicatort1047t1055t1056t1057t1070t1071t1082t1083t1095t1190t1497t1499t1518t1543t1547t1562t1573t1574t1609threat actortico datatitletls snitls versiontocstuttop destinationtop sourcetor nodetraefik defaulttraffic tcptrojantwittertyp datatyp filettyp innicatadtypeunique ruunitedunixunix shellunknown nsurlsusrbinid idv3 serialvaluewindirwindowsworldwormwritexoryarayara detectionsyara rulezergzergecazergeca botnet

Activity Timeline

1 total obs
Apr 17Apr 17

Threat Activity Heatmap

· Peak: 2026-04-17
Less
More
Mon
Wed
Fri
Jun
·
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Threat ScoreHigh Risk
91
SIGNAL
Signal Score
91%
Confidence
4
Reports
First seenFeb 25, 2026
Last seenApr 17, 2026

VirusTotal

Not checked

WHOIS

description
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
references
www.joewa.com, Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name, Yara Detections: MacSync_AppleScript_Stealer , UPX ,, Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser, apple.k8s.joewa.com • joewa.com • http://apple.k8s.joewa.com/ • https://apple.k8s.joewa.com/, Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO, blackbox-exporter.lenovo-k8s.home.local.advena.io, http://blackbox-exporter.lenovo-k8s.home.local.advena.io/, https://blackbox-exporter.lenovo-k8s.home.local.advena.io/, https://blackbox-exporter.lenovo-k8s.home.local.advena/, Calls an API typically used to retrieve function addresses, load a resource T1129 Shared Modules Execution Adversaries may execute malicious payloads via loading shared modules. Learn more, Loads modules at runtime Looks up procedures from modules, (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007, https://cloudflare-dns.com/dns | cloudflare-dns.com, https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522, https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com, https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f, 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file), ‘Can't access file’ Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca, ‘Can't access file’[Found in Zergeca Botnet], IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI), IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. io), Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections, IP’s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56, Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org, Crowdsourced SIGMA Below:, Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke, Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems), Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community, Crowdsourced IDS Below:, Matches rule ET POLICY External IP Lookup ipinfo.io, Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io), Matches rule ET INFO External IP Check (checkip .amazonaws .com), Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt, Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI), Unique rule identifier: This rule belongs to a private collection., geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi, https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO, Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/, crypto-pool.fr, iبامسلمون لمهمملممنامصناءواممساند | مطعم+ ممامام, Muslims have built, supported, and assisted. or Muslims: Support and Solidarity, LIE. Built American. Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado, IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST, IDS Detections: MVPower DVR Shell UCE • HackingTrio UA (Hello, World), IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution, IDS Detections: HackingTrio UA (Hello, World) • HTTP traffic on port 443 (POST), IDS Detections: Mirai Variant User-Agent (Inbound) • HackingTrio UA (Hello, World), IDS: Observed Suspicious UA (Hello, World), Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,, Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections, Alerts: cape_detected_threat, IP’s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184, IP’s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248, Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0], https://dns.google/resolve?name=SELECT, 31.6.16.33 • network.target [Found in Zergeca Botnet], multi-user.target • ootheca.top • network.target • ootheca.pw [Found in Zergeca Botnet], 84.54.51.82 • http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet], Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets, Since September 2023, according to an analysis by cyber security firm XLab CTIA., Address shows an place of origin: Broomfield , Co, Believed to be originating from Germany and Russia, BGP Hurricane Electric seen, Potentially Pegasus related . Found to be affecting an IOS device, Indicators seen may have affected a few OTX users. Is ongoing, Zergeca related URLs , URI’s , Domains, inaccessible files referenced, apple.k8s.joewa.com • joewa.com • com.apple, This pulse is so huge it’s a mess. Will break down.

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 3 months ago · Last seen 1 month ago
Appeared in 4 threat reports