SHA256 indicator: low signal, 53/100
d3fc2019b1e5bd9b14c5e0330b2bd563b277ca444adfa0fad7ec51b16aa21d0c
First seen: Mar 21, 2025 (451 days before the page was captured)
Last seen: Mar 31, 2026 (76 days before the page was captured)
Reports: 4 source reports
Confidence: 53% (low)
VirusTotal detections: 0/70
Found in 4 reports. Confidence: low. Confidence scores are heuristic; verify before acting on results. In particular, a hash with 0/70 VirusTotal detections, recorded only as a dropped artifact and sighted once in the last three months, is a weak indicator on its own: obtain the sample or its sandbox report and confirm it is malicious before adding the hash to a blocklist.
Indicator type: SHA-256 file hash (primary identifier for malware samples)
MISP category: Artifacts Dropped (the hash was recorded as a file dropped by another sample, not necessarily as the delivery payload itself)
Hash algorithm: SHA256
Confidence: 53%
Signal score: 53 / 100
IDS rule: No
Threat context, tags and MITRE ATT&CK TTPs: none attached directly to this indicator. The technique IDs that do appear on the page come from the feed-wide tag cloud that follows, not from a per-sample mapping.
Feed intelligence summary: 4 source reports, 53% confidence score.
Category tags (feed-wide tag cloud aggregated across every report that mentions this hash; the source ran the tags together without separators, so only the tags that can be recovered unambiguously are kept here)
- Malware families and tools named in the tags: Agent Tesla, AZORult, DarkComet, DarkGate, XRed backdoor (mal_xred_backdoor).
- Packaging and build tags: UPX, Inno Setup, Borland Delphi, PE32 executable.
- Behaviour tags: process injection, autorun keys / logon autostart, command and control, data exfiltration, crypto mining, backdoor, trojan dropper.
- MITRE ATT&CK technique IDs carried in the tags: T1005, T1021, T1021.001, T1027, T1030, T1036, T1046, T1049, T1053, T1055, T1057, T1059, T1059.001, T1060, T1064, T1069, T1069.001, T1071, T1071.001, T1071.002, T1071.004, T1078, T1078.004, T1082, T1095, T1105, T1112, T1113, T1129, T1133, T1134, T1158, T1189, T1190, T1203, T1204.001, T1204.002, T1210, T1480, T1486, T1496, T1499.002, T1499.003, T1547, T1547.001, T1565, T1566, T1566.001, T1573, T1583, T1583.005, T1587.001, T1590, T1590.001, T1592.
- Three of those IDs are revoked in current ATT&CK and the feed has not remapped them: T1060 (now T1547.001), T1064 (now T1059) and T1158 (now T1564.001).
- The remaining tags (sandbox field names such as imphash, vhash and ssdeep; browser and vendor names; corporate, legal and logistics vocabulary) appear to be carried over from other indicators in the same reports and say nothing specific about this sample.
Activity timeline
Peak activity: 2026-03-31 (the only day marked on the timeline)
Sightings by window at capture:
- last 24h: 0 (dormant)
- last 7d: 0 (dormant)
- last 30d: 0 (dormant)
- last 3 months: 1 (minimal)
Threat score: 53 / 100, labelled "Medium Risk" here and "low signal" in the page header; both labels describe the same heuristic score (53% confidence, 4 reports, first seen Mar 21, 2025, last seen Mar 31, 2026).
Description (as given in a source report; the text is garbled in the source and is kept as found)
- A look back at some of the key words and phrases used to describe the situation in Italy, as "probacja" (or "democrata"), as they were translated into English.
References (copied from the source reports' reference fields; they mix links, file names and annotated network indicators from the whole report, so they are not necessarily indicators of this sample. Several entries are well-known benign infrastructure, among them checkip.dyndns.org, detectportal.firefox.com, nr-data.net, the msn.com telemetry hosts, tv.apple.com and googleapis.com; blocking them on the strength of this list would cause false positives.)
- https://www.reddit.com/user/
- https://www.virustotal.com/gui/url/6a627ce5fd6be7b3c0b5637e6b1facfa92c279d25ff9b1f50fe131c91591d804/summary
- Gowi Live Bot.exe
- https://www.virustotal.com/gui/file/2ab9e32cd78f2b538c36f145b790f78f1262bcfcf1a5d6d019e7a2a151a24424/summary
- https://www.hybrid-analysis.com/sample/d4f0fd95f42482e96d982df3d538f67ee9c8756834486dd2cf33e1679c90af50/65812fd9a34bc52aac0b910f
- nr-data.net [New Relic Tracking | Apple Private Data Collection]
- [w and w.o https] applemusic-spotlight.myunidays.com [Multilingual Portable.exe Apple music compromise]
- tv.apple.com [Apple Backdoor| Attack | Hacking]
- name-playatoms-pa.googleapis.com [ nr-data Apple tv tracking]
- browser.events.data.msn.com | events-sandbox.data.msn.com
- https://tulach.cc/ [phishing attacks]
- tulach.cc [AM | phishing]
- $RTD4NQU.exe - Sigma Rule: Audit Policy Tampering Via Auditpolicy
- $RTD4NQU.exe - Yara rule: INDICATOR TOOL UAC NSISUAC
- 3.163.189.120 [Tracking]
- 86.140.232.148 [scanning_host]
- https://seedbeej.pk/tin/index.php?QBOT.zip. [ phishing plus]
- http://iyfsearch.com/&ap=67&be=203&fe=198&dc=198&perf= [phishing]
- checkip.dyndns.org [command_and_control]
- 104.86.182.8 [command_and_control]
- 103.224.182.253 [command_and_control]
- 103.224.182.246 [command_and_control]
- www.supernetforme.com [command_and_control]
- rp.downloadastrocdn.com [command_and_control]
- ddos.dnsnb8.net [command_and_control]
- https://www.pay-share.com/
- http://www.enable-javascript.com/
- https://hybrid-analysis.com/sample/131010821b48a065510fe549e686fdf0ddb1119677e6eabdb025ded0c8bfe70f/61e66f38ad324c267042213a
- http://detectportal.firefox.com/vkwf.txt.exe
Export formats: STIX 2.1 bundle, CSV export, permalink.
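Added example, not the feed's own export code: the Python below wraps the hash from this page in the STIX 2.1 Indicator object that a STIX 2.1 bundle export would carry for it, then checks files against that indicator by exact SHA-256 match. The id namespace, the time of day on the first-seen timestamp and the "malicious-activity" indicator type are assumptions made for the example; the sample bytes it hashes are constructed and are not the real dropped file.

```python
import hashlib
import json
import re
import uuid

# Values taken from this page; the time of day on the first-seen date is an assumption.
IOC_SHA256 = "d3fc2019b1e5bd9b14c5e0330b2bd563b277ca444adfa0fad7ec51b16aa21d0c"
FIRST_SEEN = "2025-03-21T00:00:00.000Z"
CONFIDENCE = 53

# Assumed namespace so that ids are deterministic; STIX 2.1 only requires a UUID in the id.
EXAMPLE_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/ioc-page")
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
PATTERN_RE = re.compile(r"\[file:hashes\.'SHA-256'\s*=\s*'([0-9a-f]{64})'\]")


def make_indicator(sha256, first_seen, confidence):
    """Build a STIX 2.1 Indicator SDO whose pattern matches exactly one SHA-256."""
    if not HEX64.match(sha256):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    if not 0 <= confidence <= 100:
        raise ValueError("STIX confidence is an integer from 0 to 100")
    sha256 = sha256.lower()  # STIX hash values are compared case-sensitively; normalise
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(EXAMPLE_NAMESPACE, sha256)),
        "created": first_seen,
        "modified": first_seen,
        "name": "SHA-256 " + sha256[:12] + "...",
        "indicator_types": ["malicious-activity"],  # assumption; the page gives no type
        "pattern": "[file:hashes.'SHA-256' = '%s']" % sha256,
        "pattern_type": "stix",
        "valid_from": first_seen,
        "confidence": confidence,
    }


def make_bundle(objects):
    """Wrap SDOs in a STIX 2.1 Bundle, the container the page's export link produces."""
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": list(objects)}


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_digest(digest, indicators):
    """Return ids of indicators whose single-hash pattern equals the given digest."""
    digest = digest.lower()
    hits = []
    for ind in indicators:
        m = PATTERN_RE.fullmatch(ind.get("pattern", ""))
        if m and m.group(1) == digest:
            hits.append(ind["id"])
    return hits


def matching_indicators(path, indicators):
    return match_digest(sha256_of_file(path), indicators)


if __name__ == "__main__":
    page_ioc = make_indicator(IOC_SHA256, FIRST_SEEN, CONFIDENCE)
    print(json.dumps(make_bundle([page_ioc]), indent=2))
    # Constructed sample bytes, not the real dropped file: they will not match the page's hash.
    sample = b"constructed sample, not the real dropped file\n"
    print("matches:", match_digest(sha256_of_bytes(sample), [page_ioc]))
```

The pattern matches only the exact digest, so a repacked or rebuilt dropper produces a different hash and is missed; that is the limit of hash indicators, and a reason to pair them with the YARA or Sigma coverage named in the references rather than rely on the hash alone.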