SHA256 | High | Verified | Signal 94/100
d6d9508ece893b88a9d9b6e40d975e0cd4dfcbe32380925cb7abd7bdae5af5fb
First Seen
Jan 25, 2024
Last Seen
May 5, 2026
Found in 5 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash, the primary identifier for a malware sample. A hash identifies one exact byte sequence only: a repacked, recompiled or otherwise modified build of the same malware produces a different value, so absence of this hash on a host does not mean absence of the family.
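As an added example (not code from this page, from the feed, or from any of the referenced reports), the following Python hashes a file once with MD5, SHA-1 and SHA-256 and matches the result against IOC sets keyed by algorithm. It refuses to load malformed or truncated hash values, such as the cut-off SHA-256 "00514527e00ee001d042" that appears in this page's references, because a truncated value can never match and silently loading it hides the data-quality problem. The SHA-256 in the IOC set is the one this page describes and the MD5 is the Floxif sample MD5 quoted in the references; the bytes hashed in the usage block are constructed placeholder data.

```python
"""Single-pass multi-hash of a file, matched against IOC sets keyed by algorithm."""
import hashlib
import re
from pathlib import Path
from typing import Union

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
_HEX = re.compile(r"^[0-9a-f]+$")

# Indicators copied from this page: the SHA-256 the page describes and the
# MD5 quoted for the Floxif sample in the references.
PAGE_IOCS = {
    "sha256": {"d6d9508ece893b88a9d9b6e40d975e0cd4dfcbe32380925cb7abd7bdae5af5fb"},
    "md5": {"da06b3d7e20045b6edad50f28ce8bac1"},
}


def normalise_iocs(raw: dict):
    """Lower-case every value; return (clean sets, rejected (algo, value) pairs).

    A value with the wrong length, non-hex characters or an unknown algorithm
    is rejected rather than loaded, because a truncated hash never matches.
    """
    clean, rejected = {a: set() for a in HEX_LEN}, []
    for algo, values in raw.items():
        for v in values:
            v = v.strip().lower()
            if algo in HEX_LEN and len(v) == HEX_LEN[algo] and _HEX.match(v):
                clean[algo].add(v)
            else:
                rejected.append((algo, v))
    return clean, rejected


def digests(source: Union[bytes, str, Path], chunk: int = 1 << 20) -> dict:
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...}, reading the input once."""
    hs = {a: hashlib.new(a) for a in HEX_LEN}
    if isinstance(source, (bytes, bytearray)):
        for h in hs.values():
            h.update(source)
    else:
        with open(source, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                for h in hs.values():
                    h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def match(source, raw_iocs: dict = PAGE_IOCS) -> list:
    """Return the (algo, digest) pairs for which the input's digest is in raw_iocs."""
    iocs, _rejected = normalise_iocs(raw_iocs)
    d = digests(source)
    return [(a, d[a]) for a in HEX_LEN if d[a] in iocs[a]]


if __name__ == "__main__":
    sample = b"constructed placeholder bytes, not the referenced file"  # constructed input
    print(digests(sample)["sha256"], match(sample))
    print(normalise_iocs({"sha256": {"00514527e00ee001d042"}})[1])  # truncated hash is rejected
```

Comparison is case-insensitive because feeds mix upper- and lower-case hex; the one-pass read matters on large samples where hashing three times would triple the I/O.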
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
94%
Signal Score
94 / 100
IDS Rule
No
Threat Context
Tags: none listed for this indicator
MITRE ATT&CK TTPs: none listed for this indicator
Feed Intelligence Summary
5 source reports, 94% confidence score
Category tags (tag cloud aggregated over the reports this hash appears in; the separators between tags were lost in extraction, so only the clearly recoverable items are listed)
- Malware families and tools named in the tags: Agent Tesla, Amadey, Andariel, AZORult, BazarLoader, BlackNET RAT, Cobalt Strike, DarkWatchman, DemonBot, Emotet, Floxif, Gafgyt, GootLoader, LockBit, Lumma Stealer, Matanbuchus, Mirai, MyDoom, Nemucod, Neshta, NetSupport RAT, njRAT, Pegasus, PlugX, PrivateLoader, QakBot/Qbot, Quasar RAT, Ramnit, RansomEXX, RedLine Stealer, Ryuk, SmokeLoader, Tofsee, Ursnif, Zbot, Zergeca.
- Behaviour and infrastructure tags: botnet, IoT botnet, DDoS, command and control, C2 checkin, process injection, credential theft, credential stuffing, brute force, infostealer, keylogger, ransomware, wiper, phishing, malvertising, drive-by, exploit kit, crypto mining, cryptojacking, supply chain attack, path traversal, typosquatting, DGA, dynamic DNS, sinkhole, Tor node, MITM, UPX packer.
- ATT&CK tactics: TA0001, TA0006, TA0007, TA0011, TA0040.
- ATT&CK techniques: T1003, T1005, T1012, T1018, T1021, T1021.001, T1023, T1027, T1030, T1036, T1040, T1041, T1045, T1046, T1047, T1053, T1055, T1056, T1057, T1059, T1059.001, T1059.007, T1060, T1064, T1068, T1069, T1069.001, T1071, T1071.001, T1078, T1078.004, T1082, T1083, T1086, T1089, T1105, T1106, T1110, T1112, T1113, T1119, T1129, T1133, T1140, T1143, T1189, T1190, T1195, T1203, T1204, T1204.001, T1204.002, T1210, T1480, T1485, T1486, T1490, T1496, T1499.002, T1499.003, T1553, T1555, T1562, T1564, T1565, T1566, T1566.001, T1566.002, T1566.003, T1566.004, T1567.001, T1568, T1569.002, T1573, T1583, T1587.001, T1589.001, T1590.001, T1595, T1595.001, T1595.002, T1595.003, T1598.
- Malware Behavior Catalog style IDs also appear: E1082, E1203, E1564 and objectives OB0005, OB0006, OB0008.
Two caveats. First, these tags are the union over all five reports, not a per-sample mapping for this hash, whose own MITRE ATT&CK section above is empty. Second, several technique IDs (T1023, T1045, T1060, T1064, T1086, T1089, T1143) were revoked or merged in later ATT&CK versions, so the tags were not all generated against a current matrix; map them to their replacements before using them in detection coverage work.
Activity Timeline
Peak: 2026-05-05 (coincides with the last-seen date).
Sightings in the feed: last 24h: 0 (dormant); last 7 days: 0 (dormant); last 30 days: 0 (dormant); last 3 months: 1 (minimal).
Threat Score: 94 (High Risk)
Signal score: 94 / 100; confidence: 94%; reports: 5
First seen: Jan 25, 2024; last seen: May 5, 2026
Verified IOC
VirusTotal: not checked (the score above is derived from feed co-occurrence, not from an AV or sandbox verdict; look the hash up before acting on it)
WHOIS: not applicable to a file hash
References
The entries below are the descriptions of the five reports this hash was found in. Detections quoted against other file hashes describe those samples, not d6d9508e…; the pulse authors' own remarks are kept as written apart from spelling and punctuation.
- DISTINCTIO8.pdf, FileHash-SHA256 001f0ebe975b5f5a7e5272f53455635cc938a5a0129417f7e79c39df6cf65657 | YARA: stack_string | IDS: Win32/Tofsee.AX google.com connectivity check; Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set; Tofsee: 'google.com' | https://www.gov50.icu
- ET TROJAN Win32/DarkWatchman Checkin Activity (POST) (pulse author's remark: "This is true. They sit around watching, following...")
- Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun antivm_generic_disk | Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat injection_process_hollowing
- hubt.pornhub.com | www.pornhub.com | pornative.com | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | pin.it | https://pin.it/ | www.sweetheartvideo.com | https://www.sweetheartvideo.com/tsara-brashears/
- Unix.Trojan.Mirai-6981169-0: FileHash-SHA256 fe00b364b6b8342e3ce0dd146902ac3330ab976e87aca6be666efde39ea485da | IDS: WGET Command Specifying Output in HTTP Headers; D-Link Devices Home Network Administration Protocol Command Execution | YARA: is__elf, DemonBot | Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication writes_to_stdout
- FileHash-SHA256 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c | IDS: Andariel Backdoor Activity (Checkin) | Alerts: dead_host nids_malware_alert network_icmp nolookup_communication
- DDoS:Linux/Gafgyt: FileHash-SHA256 358c2bd5b9e925dc23894dec18ce486c03d743cde766ce298ac1e2f00d86f0b2 | IDS: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound; Mirai Variant User-Agent (Inbound); WebShell Generic - wget http - POST; Observed Suspicious UA (Hello-World); Suspicious Activity potential UPnProxy
- http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/ | https://tulach.cc/ | tulach.cc | www-temp.metrobyt-mobile.com | apple-reactivate.com | appleweb-aem.apple.com | apple.com | revoked-aprtr1-tr1g1.apple.com | network-framework.apple.com | autodiscover.webcompanion.com | avc-gft-dashboard.apple.com | cac1-wwfde-wave.apple.com | demo27.apple.com
- https://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit
- http://hallrender.com/attorney/brian-sabey | google.pl | aplikacja.ceidg.gov.pl | imaginecup.pl | microsoft.pl | 18teen.net | teensnow.com | grannies-porn.net | pornmd.com | www.pornhubselect.com | pornhub.software
- VirusTotal graphs: https://www.virustotal.com/graph/embed/g9e26667333d9418897f0ed8ce09560a6f8c68666f388427fb984306cf72b0125?theme=dark | https://www.virustotal.com/graph/embed/ga6f4f3cb5f1143dba3a0c5c4de4b4253709421851a914925a1512678f1034e9a?theme=dark | https://www.virustotal.com/graph/embed/gc3d0a481dd64463a889ad9f206727d9d87db106da3c34deb922a2ce7837d6577?theme=dark | https://www.virustotal.com/graph/embed/g99d61feda7554cba94972ae4110efe8acacfea236d6943d0bdc93dcbc7e9b60f?theme=dark | https://www.virustotal.com/graph/embed/ga26f4bba58834344a271a36d59827ec2154f655df6324f939f674b0d49e1290a?theme=dark
- VirusTotal collections: https://www.virustotal.com/gui/collection/0c323ad7f87df817719f1709edb03022c6b7fa4d27907b90eef0d5c863c1624a (/iocs, /graph) | https://www.virustotal.com/gui/collection/40d6991f82d1a475ac48126d0fe7cd1481611146ae96cd496abf3f80955dda06 (/summary, /iocs, /graph) | https://www.virustotal.com/gui/collection/e49552b5297eb28f2ec7245429e50fb363823c4683606ddb61c1d014b2238a6e
- Inline hash list ("type,id"): 000d161246615fb8d5b30411c753420f82a881a9d7750639bbace67e1bb270a0, 001155a72482c2ddd750b1e9c28633a7e13228e4e2b05f0ba585a395ac852b49, 0014425cb6011c2086b6aeca5eee11368431356a68d173c2ff7ffef327c0ba86, 0018686a02600f7da1a3f0981ce78bb6982480b14130a0cc2b8c8401bc1b8449, 003bfd323f6366ac283b9f922d942d7c8f6070a2f2b919a719af7fc8e7c77995, 00434aa911043b208854236a41c8e7a284185710ff67b52eea9f538f4151fa28, 0063c0019a4ec47bc251753be3aca37c0d84699d34a99df83963364fe640c795, 00651f483b685736596ebc95817b01c34382a4691b81701cc (last value truncated on the page)
- https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984 | https://www.virustotal.com/gui/collection/4b0d82fda81972be3f9373edf863a3bcf426aafc9a53927eedc0b694554de33f
- https://viz.greynoise.io/analysis/52a90c2d-0774-46cd-bb66-79cb82c903fe (07.03.24) | https://www.ipvoid.com/whois/ | https://leakix.net/search?scope=leak&q=alberta.ca | https://intelx.io/?s=albertandp.ca | http://ci-www.threatcrowd.org/domain.php?domain=albertandp.ca | https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&followup=https%3A%2F%2Fsites.google.com%2Fstudent.concordia.ab.ca%2Fcybersecuritybriefi%2Fhome&ifkv=AdF4I74DbXz0axIgI_8-2HKe5uTaiHcEn5GDXdTMvWumG7pqQExSEV6IUvXUJDoG9Ra0ZgbhrlrC&osid=1&passive=1209600&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1391668132%3A1721034538211512&ddm=0
- https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783 (/summary, /iocs) | https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark | https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark
- https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95 | https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore | https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ | https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom | https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
- https://www.virustotal.com/gui/collection/8f896c9d4bbc5f488d41616e169d253f9caa43644a13a94a5f42df5e2cf9cc75 (/summary, /iocs, /graph) | https://www.virustotal.com/graph/embed/gaa065e3cc130494ea44b292fa15ad0b3bda2259393974adf8fed22bbdbfcecf5?theme=dark | https://www.virustotal.com/gui/collection/a19bfa2ad298cf90f570d7cdf51d20aa0623af71636f4811d44a782f780d85d9 (/iocs, /graph) | https://www.virustotal.com/graph/embed/ga0f29bb3fd4a4235b62a2031e5fbc57ca39fc314565d43f28cbc0d096cc7d19a?theme=dark | https://www.virustotal.com/gui/collection/eb8b56887a4e8962925ce3e96050303382deb55d5e602caa1cfbb81b6297ba2e (/iocs, /graph) | https://viz.greynoise.io/analysis/ba31ba2b-4967-4d39-ac24-143d9c66136b | https://www.virustotal.com/gui/collection/3955f19b42e4ed4d4af0bb416ee463d8a6190cdcc4b1de29a0bf795d2dc18a97 (/summary, /iocs) | https://www.virustotal.com/graph/embed/g1f620b321385470f9e0172dc878e371620e6bb704edc421ca6ef9b709db0fb59?theme=dark
- WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4 | MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com
- Crowdsourced Sigma matches: Suspicious DNS Query for IP Lookup Service APIs (Brandon George (blog post), Thomas Patzke); Critical: Suspicious Double Extension File Execution (Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)); Disable Windows Defender Functionalities Via Registry Keys (AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan); Chromium Browser Instance Executed With Custom Extension (Aedan Russell, frack113, X__Junior (Nextron Systems)); Suspicious Add Scheduled Task Parent (Florian Roth (Nextron Systems)); Suspicious Schtasks Schedule Type With High Privileges (Nasreddine Bencherchali (Nextron Systems)); Scheduled Task Creation (Florian Roth (Nextron Systems))
- Crowdsourced IDS matches: (stream_tcp) data sent on stream not accepting data; (http_inspect) HTTP response has UTF character set that failed to normalize; ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration); ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port); ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io); ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token); ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP); ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity); ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent; ET MALWARE Suspected RisePro TCP Heartbeat Packet; ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io); ET MALWARE Win32/Ramnit Checkin; MALWARE-CNC Win.Trojan.Ramnit variant outbound detected
- TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d | Crowdsourced YARA: UPX (ruleset UPX by kevoreilly); win_ramnit_auto (ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com); MAL_Ramnit_May19_1 (ruleset crime_nansh0u by Florian Roth (Nextron Systems)) | Crowdsourced IDS: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected; (port_scan) UDP filtered; ET MALWARE Win32/Ramnit Checkin; ET DNS Query for .cc TLD | https://www.nextron-systems.com/notes-on-virustotal-matches/
- Antivirus detections: TrojanDownloader:Win32/Upatre, Virus:Win32/Sality.AT, Win.Downloader.Small-1645, Backdoor:Win32/Likseput.B, PWS:Win32/QQpass.B!MTB, Trojan:Win32/Scrarev.C, Trojan:Win32/Speesipro.A, Trojan:Win32/Zombie.A, TrojanDownloader:Win32/Cutwail.BS, TrojanDownloader:Win32/Nemucod | IDS: Backdoor.Win32.Pushdo.s Checkin; Suspicious csrss.exe in URI | https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection
- Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042 (value truncated on the page) | https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2 | https://www.youtube.com/watch?v=GyuMozsVyYs | Emotet | YouTube • Darklivity Podcast "Unhinged Horror" | https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004
- http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com& | https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr | nr-data.net [Apple Private Data Collection] | https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic | https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr | https://www.youtube.com/watch?v=GyuMozsVyYs [Emotet] Jays Youtube Bot.exe | https://www.virustotal.com/gui/url/b766d444d21c2ad2d777ae4a5ef7b7b7b97f2097805732e9651834e0a76be1f4/details | YARA: DotNet_Reactor (ruleset DotNet_Reactor by @bartblaze) | https://www.virustotal.com/gui/file/00514527e00ee001d042e5963b7c69f01060c4b4bc5064319c4af853a3d162c5/detection | m.pornsexer.xxx.3.1.adiosfil.roksit.net | http://freedns.afraid.org/subdomain/edit.php?data_id=21091713 | Ransom: message.htm.com
- Floxif sample, FileHash-MD5 da06b3d7e20045b6edad50f28ce8bac1 (https://otx.alienvault.com/indicator/file/da06b3d7e20045b6edad50f28ce8bac1) | Antivirus: Win.Virus.Pioneer-9111434-0, Virus:Win32/Floxif.H | IDS: Win32.Floxif.A Checkin; 403 Forbidden | YARA: stack_string, KERNEL32_DLL_xor_exe_key_197, xor_0xc5_This_program | Alerts: dead_host network_icmp nolookup_communication persistence_autorun installs_bho modifies_certificates; modifies_proxy_wpad multiple_useragents injection_resumethread antivm_vmware_in_instruction; dumped_buffer network_cnc_http network_http allocates_rwx applcation_raises_exception; infostealer_browser creates_exe suspicious_process stealth_window exe_appdata
- Pykspa sample, FileHash-SHA256 0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd, trojan (https://otx.alienvault.com/indicator/file/0000294999c616c2dc6722880830752e826f2c11719c926ef3e62f7b0ef1e0bd) | Antivirus: Win32:Renos-KY\ [Trj], Win.Worm.Pykspa-6057105-0, Worm:Win32/Pykspa.C | IDS: Win32/Pykspa.C Public IP Check; IP Check Domain (whatismyip in HTTP Host); IP Check Domain (showmyipaddress .com in HTTP Host); IP Check Domain (whatismyipaddress .com in HTTP Host); 403 Forbidden | YARA: none | Alerts: network_icmp disables_security antiav_servicestop antisandbox_sleep persistence_autorun modify_uac_prompt antivm_vmware_in_instruction network_http recon_checkip creates_exe create (list cut off on the page)
- Jays Youtube Bot.exe | http://ur.now.afraid.org/update/bft.exe | https://avsono.com/networkmanager/ | http://fatah.afraid.org/files/books/Embedded.Linux.Programming.pdf
- http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg [Tsara Brashears > Song Culture & Samantha Borrego > dorkingbeaty] | https://otx.alienvault.com/indicator/url/http://jofu93hf9fdsl.canadacaregiverconsulting.com/pclianyeapp/1167.jpg | https://otx.alienvault.com/indicator/url/https://my.newzapp.co.uk/t/click/1684555348/129495091/17547390 [Target: SongCulture/Tsara Brashears YT] | "Related somehow, pulse modified by?" https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297 | http://ur.now.afraid.org/update/bft.exe (Joshua Anderson Address 4120 Douglas Blvd #306-199 City Granite Bay Country US ?) | https://otx.alienvault.com/indicator/domain/mywebsitetransfer.com [really?]
- https://www.9xiuzb.com/activity/activity_pcunion?piusr=t_420 | tracking.epicgames.com | epicgames.com | https://www.epicgames.com/id/activate
- Connected to network: [email protected] | milesit.com | milestechnologies.com | info.milestechnologies.com | www.milesit.com | www.milestechnologies.com; http://seed.wavebrowser.co/seed?osname=win&channel=stable&milestone=1 | f16ac036e3.nxcli.net; https://getconnected.southwestwifi.com | www.coloradoltcpartnership.org
- https://otx.alienvault.com/otxapi/indicators/file/screenshot/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b | https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3 | https://otx.alienvault.com/indicator/file/58d35aa65e820e83be595049b9e5a223ffb1f5f9111b64ccdd2622479cda9e1b | https://otx.alienvault.com/otxapi/indicators/file/screenshot/f0d38614f706da3a08acdf7188eac139a352621ccada40e5e22d191412acc357
- Pulse author's notes: Phone purchased for target by a 'self-proclaimed' W/F PI from Lakewood, Colorado w/o consent/prior knowledge. PI fitful, so target paid for phone. Found claims PI was a hacker. Brother a hitman. Verbalized non-specific affiliation w/City of Lakewood. Refused to provide target phone passcode. Target admits to ignoring major signs: 'PI' called just before request submitted. Spent hours researching & denouncing target's former 'questionable' PI. 'PI' feigned high concern for target, begged her to meet at 10 P.M. Target refused. Target states she will only meet in safe public spot in daylight. 'PI' arrives in separate car w/unseen veteran. Points out DV LP to target, states he's not with her. Leads target to restaurant 'to talk'. Stays awhile. 'PI' orders 2 meals. Leaves restaurant a few times. Talks about troubled mother w/medication addictions. Incredibly emotional, vowing to be better. Emotionally demands disabled target cash advance to pay all bills. Denies formerly alleged abilities & skills, still wants $1500 for 4 hours of nothing. Of note: alleged Federal Investigator calls target. Found her in Bark? No. He asks for $4G to relocate target in 2 days, provide hacker-secured iPhone. 'PI' claims to have information. Sends picture of who he claims is attacker, now millionaire owner of Mile High Sports & Rehabilitation. Asks if she knew. Target knows nothing about assaulter. Chicago Fed texts photo for target to confirm identity of attacker. He sends a photo of Dr. John T. Sasha. Target was treated by Dr. Sasha, was not assaulter. Target relays law firm dropped her as she refused to include Sasha in injury claim. Goal to present target's case, blame & have Sacha removed by board of Colorado attorneys. Widely known firm angrily begins misconduct in her case. Fed alleged if Sasha was in cahoots she could get millions. Target again refused. Alleged Chicago Fed contends he needs to move her 50+ miles. Fed lost interest after satisfied Sasha wasn't of interest. Target interest to rid self of hackers and stalkers. Inundated with calls from fake PIs. Colorado doesn't require a PI licensure. That's a major problem as many stalkers, malicious hackers & the ruthless are drawn to this occupation. Metro T-Mobile refuses refund. Allows target to store phone with them in resealed box. When retrieved, box opened and tampered with. Issues: target contacted a single PI from a very compromised device, received sealed as gift from trusted person via provider. Others contact her. I know this isn't a blog. If someone is targeted, every device will be compromised. It's the goal of the attackers. Unwarranted bounty found. Law enforcement aware and assure target in person she's not a suspect in any crime in Colorado or nationally. All DAs, law enforcement, PIs check. You can either have a runner or become a hacker. Only 2 choices for targeted individuals. Target needs to become ethical hacker or ethical grey hat, purple teamer. Device security reset temporarily before epicgames[.]com, a resource being used, attempted to self download. Relentless... Self whitelisting tool, domains moved within nginx.
- Annotated indicators from the same pulse: enterprise.cellebrite.com [digitalclues.com] | http://www.pegasustech.net/Pegasustechnology/ProductDetails.aspx?pid=Pegasus RIMS | https://tulach.cc/ [malware engineering | phishing] | deviceinbox.com [malware hosting] | http://auditrage.top/Rossmaansywh/tb.php?wmtvjltu | https://timersys.com/ [phishing | deb opera.com] | https://rmy1o3xp-d182-v9.klinika-rekonstruktivnoj-kosmetologii-na-ulitse-lenina.ru/ [malware | evader] | message.htm.com [message stealer] | https://www.nsogroup.com/governance/whistleblower-policies/ [Attacking whistle blower. PT documentedly assaulted and injured patient. PMD blew whistle warning PT] | https://www.nsogroup.com | https://www.sweetheartvideo.com/tsara-brashears/ [Tracking BotNetwork malvertising SA victim's name. His name was Jeffrey Scott Reimer DPT, changed after causing SCI] | https://pin.it/ [Pegasus Pinterest. Collecting everything Tsara does] | https://applemusic-spotlight.myunidays.com/US/en-US? [Enters through Apple Music app.] | https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker iOS unlocker | made-you-look tactics] | Libel. Brashears confirms straight status. Has never been with a female. Advocates humane rights for all.
Matthew Shepard Lives on., https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Data collection], https://www.blackbagtech.com/wp-content/uploads/2020/04/BlackLight-QuickStart-Guide-v2020R1.pdf, https://lawlink.com/documents/10935/blackbag-technologies-announces-new-release-of-blacklight-forensic-software [wildly abused by Mark Brian Sabey • HallRender.com & others], training001.blackbagtech.com [opportunity?], https://otx.alienvault.com/indicator/hostname/apptree.comcast.net, nr-data.net [Apple Private Data Collection] data.net points to aps.net, Tracking: 8.8.4.4 [ NOT a false.positive], https://api.hireez.com/webhooks/tracking-v2/click/46ecdc52-c791-4f1f-8167-c0cfd752727b, Found in malicious DGA domain of Law Firm | c-67-181-73-197.hsd1.ca.comcast.net, https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians, https://www.hybrid-analysis.com/sample/63bf920be2401947bd686d7dd146af7f3e56800409307360105bf50cebb1c1ea, www2.megawebfind.com [command and control], http://ifdnzact.com/?dn=megawebdeals.com&pid=9PO755G95 [ phishing], 20.99.186.246 [exploit source], https://www.healthonecares.com/locations/presbyterian-st-lukes-medical-center/physicians/ [heuristic], Win32:RATX-gen [Trj] identified., CS Sigma Rules: Shadow Copies Deletion Using Operating Systems Utilities by Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades), CS Sigma Rules: Disable UAC Using Registry by frack113, http://45.159.189.105/bot/regex [ tracking | botnet], https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Password cracker | Patient being tracked through multiple medical systems], 0-173-x.msn.com | https://twitter.com/PORNO_SEXYBABES | 0-3.duckdns.org | 0-212.pornhub.org | 000web.pornhub.org, https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing], CS Sigma Rules: Wow6432Node CurrentVersion Autorun Keys Modification by Victor 
Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Remote Access Trojan, google.com.uy [Google search browser, masked, links to malicious porn malware spreader, malvertizing, collection host], https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password cracker], toolbarqueries.google.com.uy, https://www.nsogroup.com/, https://www.anyxxxtube.net/search-porn/tsara-brashears/, ww.google.com.uy, 321Survive.exe, https://en.m.wikipedia.org › wiki NSO Group, c-67-181-73-197.hsd1.ca.comcast.net, https://www.hybrid-analysis.com/sample/dc5ce323e37bebef2abbd0374249e12355c84dba32f40511eceafa29b57e3872/65b5134ce0242fd6e30b7259, identity_helper.exe, PEXE - DOS executable (COM), redirect_keitaro_exploit_kit_compromised_site_se_referrer, Found in: https://jbplegal.com, http://sexkompas.xyz, DGA Malware Mall Domains: hackingapple.com, video.import-apple.com, DGA- appledreamz.com, tracking2youdu.com , cdn.livechatinc.com, device-local-bf56eb52-6fc6-435b-aadb-9fa1dd89702c.remotewd.com | remotewd.com | 192.168.56.108, http://www.mobiset.ru/photos/2011/march/15/samsung_s3850/img_9.jpg
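The recon_checkip sandbox alert and the three Sigma rules named in the notes above are all plain field matches, so their logic can be reproduced and tested offline. The block below is an added example written for this page, not code from the feed, the sandbox or the Sigma rule authors: it implements reduced versions of those rules (selection clauses only; the upstream rules' filter clauses are omitted, which is an assumption to reconcile against the current Sigma repository) and runs them over constructed, Sysmon-shaped sample events. The bft.exe file name from the first report is reused as a Run-key value in one constructed event.

```python
"""Simplified, offline reproduction of four detections named on this page:
the recon_checkip sandbox alert (HTTP Host is an IP-check service) and the
Sigma rules "Shadow Copies Deletion Using Operating Systems Utilities",
"Disable UAC Using Registry" and "Wow6432Node CurrentVersion Autorun Keys
Modification". Added example; the matching logic is a reduced reconstruction
(selection clauses only, upstream filter clauses omitted) and every event
below is constructed, not captured from the samples on this page."""

# The page names these two hosts for the IP Check Domain / recon_checkip signature.
IP_CHECK_HOSTS = {"whatismyipaddress.com", "showmyipaddress.com"}

# Utilities the shadow-copy rule watches for "shadow" + "delete" command lines.
SHADOW_IMAGES = {"vssadmin.exe", "wmic.exe", "diskshadow.exe", "powershell.exe", "pwsh.exe"}

# Autorun subkeys the Wow6432Node rule watches (reduced list, assumption).
WOW64_AUTORUN_SUBKEYS = (
    "\\run\\", "\\runonce\\", "\\runonceex\\", "\\runservices\\",
    "\\runservicesonce\\", "\\explorer\\shellserviceobjectdelayload",
    "\\policies\\explorer\\run",
)


def _image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def shadow_copy_deletion(ev):
    """Process creation: OS utilities used to remove or starve volume shadow copies."""
    if ev.get("type") != "process":
        return False
    img = _image_name(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    if img in SHADOW_IMAGES and "shadow" in cmd and "delete" in cmd:
        return True
    if img == "wbadmin.exe" and "delete" in cmd and "catalog" in cmd:
        return True
    return img == "vssadmin.exe" and "resize" in cmd and "shadowstorage" in cmd


def disable_uac_registry(ev):
    """Registry set: EnableLUA forced to 0, which turns UAC off at the next logon."""
    if ev.get("type") != "registry":
        return False
    target = ev.get("TargetObject", "").lower()
    return target.endswith("\\policies\\system\\enablelua") and ev.get("Details") == "DWORD (0x00000000)"


def wow6432_autorun_modification(ev):
    """Registry set: 32-bit autorun keys under Wow6432Node touched (persistence_autorun)."""
    if ev.get("type") != "registry":
        return False
    target = ev.get("TargetObject", "").lower()
    if "\\software\\wow6432node\\microsoft\\windows\\currentversion" not in target:
        return False
    return any(sub in target for sub in WOW64_AUTORUN_SUBKEYS)


def recon_checkip(ev):
    """HTTP request whose Host header (port stripped) is a public what-is-my-IP service."""
    if ev.get("type") != "http":
        return False
    host = ev.get("Host", "").lower().split(":")[0]
    return host in IP_CHECK_HOSTS or any(host.endswith("." + d) for d in IP_CHECK_HOSTS)


RULES = (
    ("Shadow Copies Deletion Using Operating Systems Utilities", shadow_copy_deletion),
    ("Disable UAC Using Registry", disable_uac_registry),
    ("Wow6432Node CurrentVersion Autorun Keys Modification", wow6432_autorun_modification),
    ("recon_checkip", recon_checkip),
)


def hits_by_rule(events):
    """Map each rule name to the indices of the events it matched."""
    out = {name: [] for name, _ in RULES}
    for idx, ev in enumerate(events):
        for name, fn in RULES:
            if fn(ev):
                out[name].append(idx)
    return out


# Constructed Sysmon-shaped events (process creation, registry set, HTTP request).
SAMPLE_EVENTS = [
    {"type": "process", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"type": "process", "Image": "C:\\Windows\\System32\\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"type": "registry",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"type": "registry",  # re-enabling UAC is not a hit
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    {"type": "registry",
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\user\\AppData\\Roaming\\bft.exe"},
    {"type": "registry",  # 64-bit Run key: covered by a different Sigma rule, not this one
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"type": "http", "Host": "whatismyipaddress.com", "Uri": "/"},
    {"type": "http", "Host": "www.example.com", "Uri": "/"},
    {"type": "process", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},  # enumeration only, not deletion
]

if __name__ == "__main__":
    for name, idxs in hits_by_rule(SAMPLE_EVENTS).items():
        print(f"{name}: events {idxs}")
```

The upstream Sigma rules carry filter clauses (known installers, empty values, specific parent processes) that this reconstruction leaves out, so treat it as an illustration of the match logic rather than a drop-in replacement for the repository rules; the recon_checkip host list is likewise only the two domains the page names and would be extended in practice.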
IOC Journey
Confidence: high
First detected 2 years ago · Last seen 1 month ago
Appeared in 5 threat reports