SHA-1 indicator: e682ede655fb6ed3b6285f10dfd7c68105a1fce0
Status: Verified IOC, high-confidence signal (96/100)
First seen: Jun 16, 2022 (1464 days ago)
Last seen: Jun 2, 2026 (17 days ago)
Source reports: 6
Confidence: 96% (high)
VirusTotal detections: 68/75
Found in 6 reports. Confidence scores are heuristic. Verify before acting on results.
SHA-1 Hash
SHA-1 file hash associated with malicious samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA1
Confidence: 96%
Signal Score: 96 / 100
IDS Rule: No
Threat Context: no tags and no MITRE ATT&CK TTPs are listed for this indicator.
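The indicator on this page is a SHA-1, its description pairs it with the SHA-256 of the same file, and the source reports below carry further MD5/SHA-1/SHA-256 triplets in mixed case. A practitioner checking a dropped file against such a feed wants all three digests from one pass over the sample and a lookup that normalises algorithm name and hex case, rejecting malformed feed entries rather than letting them silently never match. The Python below is an added example written for this page; it is not tooling from the feed, from OTX or from any report quoted here. The hash values marked "this page" and "Emotet report" are copied from this page; the sample bytes and the indicator tagged "constructed" are fabricated so the example runs offline. SHA-1 remains usable as a lookup key against a feed, but chosen-prefix collisions against SHA-1 are practical, so prefer SHA-256 when creating or sharing new indicators.

```python
import hashlib
import io

ALGOS = ("md5", "sha1", "sha256")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# CONSTRUCTED sample bytes for an offline run; this is not a real malware file.
SAMPLE = b"MZ\x90\x00" + b"constructed sample, not real malware\n" * 8

# Indicator triples: (algorithm, hex digest, where it came from).
# The first five values are copied from this page. The last one is a
# CONSTRUCTED indicator (the SHA-1 of SAMPLE) added only so that a match
# occurs when the example is run offline.
INDICATORS = [
    ("sha1",   "e682ede655fb6ed3b6285f10dfd7c68105a1fce0", "this page"),
    ("sha256", "00000981afc0d32c0030222243c8946a74ff90ba759a087359ceb6605ac6cd7f", "this page (description)"),
    ("MD5",    "DC8A506286AD0664872A52CE9CE2434F", "Emotet report"),  # mixed case on purpose
    ("sha1",   "00533ac38b0b61ad6bd8c821337b9d2e6cc97a55", "Emotet report"),
    ("sha256", "0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127", "Emotet report"),
    ("sha1",   hashlib.sha1(SAMPLE).hexdigest(), "constructed test indicator"),
]


def digest_stream(fh, chunk_size=1 << 20):
    """Read the file once, feeding every chunk to md5, sha1 and sha256.

    A single pass matters for multi-GB samples and for evidence on slow or
    read-only mounts. Each digest is returned as lowercase hex.
    """
    hashers = {name: hashlib.new(name) for name in ALGOS}
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, chunk_size=1 << 20):
    """Wrapper for in-memory data (small dropped files, tests)."""
    return digest_stream(io.BytesIO(data), chunk_size)


def build_index(indicators):
    """Index indicators by (algorithm, lowercase hex).

    Feed entries arrive in mixed case and are sometimes filed under the wrong
    algorithm, so the hex length is checked against the named algorithm and
    anything malformed raises instead of becoming a key that never matches.
    """
    index = {}
    for algo, value, source in indicators:
        algo = algo.lower()
        value = value.strip().lower()
        if algo not in HEX_LEN:
            raise ValueError(f"unsupported algorithm {algo!r} from {source}")
        if len(value) != HEX_LEN[algo] or any(c not in "0123456789abcdef" for c in value):
            raise ValueError(f"malformed {algo} indicator from {source}: {value!r}")
        index.setdefault((algo, value), []).append(source)
    return index


def match_digests(digests, index):
    """Return [(algorithm, hex, [sources])] for every digest present in the index."""
    return [(algo, hexd, index[(algo, hexd)])
            for algo, hexd in digests.items() if (algo, hexd) in index]


def scan_bytes(data, indicators=INDICATORS):
    """Hash in-memory data and report which indicators it matches."""
    return match_digests(digest_bytes(data), build_index(indicators))


if __name__ == "__main__":
    for algo, hexd, sources in scan_bytes(SAMPLE):
        print(f"{algo}:{hexd} matched {', '.join(sources)}")
```

For a file on disk, open it in binary mode and pass the handle to `digest_stream`; the chunk size keeps memory flat regardless of sample size, and because all three digests come from the same read, an MD5-only report and a SHA-256-only report about the same file resolve in one lookup.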
Activity Timeline
Last activity: Jun 2 (peak 2026-06-02)
Observations: last 24h: 0 (dormant); last 7d: 0 (dormant); last 30d: 1 (minimal); last 3mo: 1 (minimal)
Threat Score: 96 (High Risk); signal score 96, confidence 96%, 6 reports; first seen Jun 16, 2022, last seen Jun 2, 2026; verified IOC
Description
- SHA1 of 00000981afc0d32c0030222243c8946a74ff90ba759a087359ceb6605ac6cd7f (the SHA-256 of the same file)
References
- https://darkconsultants.com/brent-kimball, HCA | https://www.healthonecares.com/physicians/profile/Dr-Brent-Y-Kimball-MD | Neurosurgeons state failed surgery performed on target/others, Matches rule User with Privileges Logon by frack113, Emotet - CnC IP's: 104.131.58.132 | 14.160.93.230 | 163.172.40.218 | 186.15.83.52 | 190.17.42.79 | 72.29.55.174 | 82.8.232.51 91.204.163.19 command_and_control, Emotet: FileHash-MD5 dc8a506286ad0664872a52ce9ce2434f, Emotet: FileHash-SHA1 00533ac38b0b61ad6bd8c821337b9d2e6cc97a55, Emotet: FileHash-SHA256 0b0cc210943913d7afcbc007c3d0eb3ead6b8bedcaae2c3104a20eb872527127, Antivirus Detections: Win32:Malware-gen , Win.Malware.Generic-7430042-0 , Trojan:Win32/Emotet!MTB, Alerts: dead_host nolookup_communication persistence_autorun removes_zoneid_ads dumped_buffer, Alerts: network_cnc_http network_http_post allocates_rwx antisandbox_foregroundwindows, Alerts: creates_service network_http antivm_queries_computername moves_self packer_entropy, Install: https://otx.alienvault.com/otxapi/indicators/file/screenshot/669a87ee497aefdbeedfff72455a32511c458714fc6d6817efb7ad792095606e, Win32:InstallMonstr-MA: FileHash-MD5 70007c3aedf9f1685d266a67cfed80af, Win32:InstallMonstr-MA: FileHash-SHA1 132cc254607c3669afe70e7af773672178823682, Win32:InstallMonstr-MA: FileHash-SHA256 e9b66a63d6ab467c32b1162fc1c72acc26835de0d79ae3d45a0420c399e39f1f, Backdoor:Win32/Simda.gen!B: FileHash-MD5 fd9849e8e0b6234ea49551d73b2cb8fe, Backdoor:Win32/Simda.gen!B: FileHash-SHA1 fcfcab8f821af9858b78b670d837b09b0b120f3a, Backdoor:Win32/Simda.gen!B: FileHash-SHA256 fc9ef718314979909ec27998697e32731d551e2b1b713b5e39e60c1ea60af1ef, Antivirus Detections: Win32:Shiz-JT\ [Trj] , Win.Trojan.Generic-6323528-0 , Backdoor:Win32/Simda.gen!B, IDS Detections: Wapack Labs Sinkhole DNS Reply Backdoor.Win32.Shiz.ivr Checkin Backdoor.Win32/Simda.gen!A Checkin Unsupported/Fake Internet Explorer Version MSIE 2. 
Unsupported/Fake Windows NT Version 5.0 More Yara Detections stack_string , dbgdetect_procs, Alerts: network_icmp dumped_buffer2 allocates_execute_remote_process antiav_detectfile antidbg_windows antivm_generic_bios, Alerts: dead_host persistence_autorun disables_proxy injection_createremotethread injection_modifies_memory injection_write_memory, Alerts: modifies_proxy_wpad multiple_useragents packer_polymorphic process_interest ransomware_mass_file_delete, Suspicious Manipulation Of Default Accounts Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc Sigma Integrated Rule Set (GitHub) - Nasreddine Bencherchali (Nextron Systems), CS Sigma rules: Matches rule Suspicious Manipulation Of Default Accounts by Nasreddine Bencherchali (Nextron Systems), IDS Detections: Matches rule MALWARE-CNC Win.Trojan.Scudy outbound connection, roblox-hack-tool-jailbreak_GM431946152.pdf, Matches rule Suspicious Eventlog Clear or Configuration Using Wevtutil by Ecco, Daniil Yugoslavskiy, oscd.community, Matches rule COM Hijacking For Persistence With Suspicious Locations by Nasreddine Bencherchali, http://connectivitycheck.gstatic.com/generate_204, https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | www.pornhub.com, https://www.anyxxxtube.net/search-porn/tsara-brashears/ | www.anyxxxtube.net, hannahseenan.pornsextape.com, https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term=, Apple 'that's my boy' Dan: https://cdn1.dan.com/assets/icons/touch, FileHash-SHA256: cef164b4d6d29e1bff2bad9e49abaf143593a07d8a6e584f472b545b9e0c5631, FileHash-SHA256: 7e9822ba1e8fa34ce37262f6746dbc72819d754f805a410dbeb2cedb08a05789, Tulach: 114.114.114.114, kaiser-friedrich-halle.de | kurma.hosting-mexico.net, www.joewa.com, Win.Malware.Salat-10058846-0 Alerts binary_yara 
packer_unknown_pe_section_name, Yara Detections: MacSync_AppleScript_Stealer , UPX ,, Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser, apple.k8s.joewa.com • joewa.com • http://apple.k8s.joewa.com/ • https://apple.k8s.joewa.com/, Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO, blackbox-exporter.lenovo-k8s.home.local.advena.io, http://blackbox-exporter.lenovo-k8s.home.local.advena.io/, https://blackbox-exporter.lenovo-k8s.home.local.advena.io/, https://blackbox-exporter.lenovo-k8s.home.local.advena/, Calls an API typically used to retrieve function addresses, load a resource T1129 Shared Modules Execution Adversaries may execute malicious payloads via loading shared modules. Learn more, Loads modules at runtime Looks up procedures from modules, (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007, https://cloudflare-dns.com/dns | cloudflare-dns.com, https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522, https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com, https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f, 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file), ‘Can't access file’ Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca, ‘Can't access file’[Found in Zergeca Botnet], IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI), IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo. 
io), Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections, IP’s Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56, Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org, Crowdsourced SIGMA Below:, Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke, Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems), Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community, Crowdsourced IDS Below:, Matches rule ET POLICY External IP Lookup ipinfo.io, Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io), Matches rule ET INFO External IP Check (checkip .amazonaws .com), Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt, Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI), Unique rule identifier: This rule belongs to a private collection., geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi, https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO, Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/, crypto-pool.fr, iبامسلمون لمهمملممنامصناءواممساند | مطعم+ ممامام, Muslims have built, supported, and assisted. or Muslims: Support and Solidarity, LIE. Built American. 
Attorneys , hackers , Sabey, Ahmann , US quasi government, SOCs , Red Teams , Hacker Fest | Colorado, IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST, IDS Detections: MVPower DVR Shell UCE • HackingTrio UA (Hello, World), IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution, IDS Detections: HackingTrio UA (Hello, World) • HTTP traffic on port 443 (POST), IDS Detections: Mirai Variant User-Agent (Inbound) • HackingTrio UA (Hello, World), IDS: Observed Suspicious UA (Hello, World), Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,, Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections, Alerts: cape_detected_threat, IP’s Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184, IP’s Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248, Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0], https://dns.google/resolve?name=SELECT, 31.6.16.33 • network.target [Found in Zergeca Botnet], multi-user.target • ootheca.top • network.target • ootheca.pw [Found in Zergeca Botnet], 84.54.51.82 • http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet], Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets, Since September 2023, according to an analysis by cyber security firm XLab CTIA., Address shows an place of origin: Broomfield , Co, Believed to be originating from Germany and Russia, BGP Hurricane Electric seen, Potentially Pegasus related . Found to be affecting an IOS device, Indicators seen may have affected a few OTX users. Is ongoing, Zergeca related URLs , URI’s , Domains, inaccessible files referenced, apple.k8s.joewa.com • joewa.com • com.apple, This pulse is so huge it’s a mess. 
Will break down., The Brothers Sabey – Conservatives with Liberal Friends • https://thebrotherssabey.com/, http://watchhers.net/index.php, http://212.33.237.86/images/1/report.php, https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian, https://webmail.police.govmm.org/owa/, https://pks.wroclaw.sa.gov.pl:1443/ • portal.bialystok.sa.gov.pl, https://tulach.cc/ phishing • 45.32.112.220 scanning_host • 45.76.79.215, Mark Brian Sabey, Melvin Sabey, Christopher P ‘Buzz’ Ahmann, Ronda Cordova, Unknown Persons impersonating Private Investigators (plural), Quasi Government Case, Victim silenced. Struck by Car Driven by male police let walk, Denver Police let this attempted murder walk. Cited him as a ghost driver, Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora, Sexual and Physical Assaulter - Jeffrey Scott Reimer, Reimer was a PT. Unknown whereabouts , name or job description, Denver Police Department Major Crimes closed investigation, Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim, I bring up the personal nature of the crime because a delete service has been used, More than 1000 IoC’s including pulses have been ILLEGALLY removed, All IoC’s originate from sources named. There are some unknown attackers, This is a serious crime. 
I’m certain God WILL pay them., https://palantirwww.sweetheartvideo.com Mar 21, 2026, 2:06:10 PM 3 domain palantir.io Mar 21, 2026, 2:06:10 PM 34 URL https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ • www.palantir.com, http://palantirwww.sweetheartvideo.com/ (weirdness), http://foundry2-lbl.dvr.dn2.n-helix.com • https://foundry2-lbl.dvr.dn2.n-helix.com, foundry2-lbl.dvr.dn2.n-helix.com Mar 21, 2026, 2:06:10 PM 29 URL https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ Mar 21, 2026, 2:06:10 PM 8 URL http://datafoundry.com Mar 21, 2026, 2:06:10 PM 9 URL http://foundry2sdbl.dvr.dn2.n-helix.com Mar 21, 2026, 2:06:10 PM 17 URL https://209-99-40-223.fwd.datafoundry.com Mar 21, 2026, 2:06:10 PM 27 domain datafoundry.com Mar 21, 2026, 2:06:10 PM 40 hostname 209-99-40-223.fwd.datafoundry.com Mar 21, 2026, 2:06:1, https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx, https://www.datafoundry.com/data-center-contamination-control/, https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/, http://foundry2-lbl.dvr.dn2.n-helix.com/, https://207-207-25-201.fwd.datafoundry.com/, http://datafoundry.com • http://foundry2sdbl.dvr.dn2.n-helix.com • https://209-99-40-223.fwd.datafoundry.com • datafoundry.com • 209-99-40-223.fwd.datafoundry.com • beabetta.ifoundry.co.uk.s7b2.psmtp.com • foundry2sdbl.dvr.dn2.n-helix.com • fwd.datafoundry.com • 207-207-25-154.fwd.datafoundry.com • 207-207-25-156.fwd.datafoundry.com 207-207-25-160.fwd.datafoundry.com • 207-207-25-163.fwd.datafoundry.com • 207-207-25-164.fwd.datafoundry.com • 207-207-25-165.fwd.datafoundry.com Mar 21, 207-207-25-166.fwd, http://datafoundry.com • https://209-99-40-223.fwd.datafoundry.com datafoundry.com • 209-99-40-223.fwd.datafoundry.com Mar 21, 2026, 2:06:10 PM 13 hostname beabetta.ifoundry.co.uk.s7b2.psmtp.com Mar 21, 2026, 2:06:10 PM 12 hostname foundry2sdbl.dvr.dn2.n-helix.com Mar 21, 2026, 2:06:10 PM 18 hostname fwd.datafoundry.com Mar 21, 2026, 
2:06:10 PM 8 hostname 207-207-25-154.fwd.datafoundry.com Mar 21, 2026, 2:06:10 PM 19 hostname 207-207-25-156.fwd.datafoundry.com Mar 21, 2026, 2:06:1, https://rdweb.datafoundry.com/, http://foundry2sdbl.dvr.dn2.n-helix.com/, Updated | What’s left after theft, 207-207-25-167.fwd.datafoundry.com • 207-207-25-168.fwd.datafoundry.com • 207-207-25-169.fwd.datafoundry.com, 207-207-25-170.fwd.datafoundry.com • 207-207-25-171.fwd.datafoundry.com • 207-207-25-201.fwd.datafoundry.com, https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse, https://www.datafoundry.com/category/news/press-releases/, 207-207-25-209.fwd.datafoundry.com • 207-207-25-212.fwd.datafoundry.com • 207-207-25-213.fwd.datafoundry.com • 209-99-64-53.fwd.datafoundry.com, 209-99-69-91.fwd.datafoundry.com • dns1.datafoundry.com • dns2.datafoundry.com • rdweb.datafoundry.com, www.go.datafoundry.com • http://207-207-25-209.fwd.datafoundry.com, http://209-99-64-53.fwd.datafoundry.com • http://dns2.datafoundry.com • http://fwd.datafoundry.com, http://pdns1.datafoundry.com/ • http://rdweb.datafoundry.com • http://rdweb.datafoundry.com/, https://rdweb.datafoundry.com/ • http://www.datafoundry.com • https://207-207-25-163.fwd.datafoundry.com •, https://207-207-25-209.fwd.datafoundry.com • https://209-99-40-224.fwd.datafoundry.com/, https://209-99-64-53.fwd.datafoundry.com • https://dns1.datafoundry.com • https://dns2.datafoundry.com • https://fwd.datafoundry.com, Some may may find this content is very disturbing and offensive, cat-are-here.ru, Antivirus Detections: Unix.Trojan.Mirai-10028259-0 | Mirai (ELF) Mirai (Windows, Yara Detections: LZMA, IP’s Contacted: 32.227.223.238 107.74.143.88 69.196.71.159 96.16.197.80 101.80.61.229 125.101.205.34, IP’s Contacted: 16.85.50.206 215.160.125.18 40.71.227.8 57.122.151.130, All Domains Contacted: thekittler.ru newkittler.ru cats-master.ru, https://otx.alienvault.com/indicator/file/b57042ed9a7d7dbe1f7c7f32de74d2b367ee835d, 
https://otx.alienvault.com/indicator/domain/cat-are-here.ru, CloudFlare IP’s: 104.18.36.237 ,104.18.37.237, CloudFlare Domain: apple-dns.net, Cloudflare URL: https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js, https://forms.sonymusicfans.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js, http://213.209.143.24/ppc • http://213.209.143.24/rep.i486 • http://213.209.143.24/rep.sh4, http://213.209.143.24/x32 • https://250-mail.simswap.in • https://mail.simswap.in, http://kittler.ru/arm5 • http://kittler.ru/mpsl • http://thekittler.ru/rep.arm7, http://kittler.ru/rep.sh4 • http://kittler.ru/x32 • http://cats-master.ru/x86_64, sonymusicfans.com • forms.sonymusicfans.com • image.emails.sonymusicfans.com • url8878.e.sonymusicfans.com, https://forms.sonymusicfans.com/campaign/cannons-all-i-need-pre-add-pre-save/, https://forms.sonymusicfans.com/wp-content/plugins/smf-core/assets/css/campaign_333c4e8b19a72989caf8.css, https://view.emails.sonymusicfans.com/Error.aspx, URL http://url8878.e.sonymusicfans.com/ls/click • https://forms.sonymusicfans.com/campaign/all, http://url8878.e.sonymusicfans.com/ • http://url8878.e.sonymusicfans.com/ls/click, https://forms.sonymusicfans.com/campaign/all • https://forms.sonymusicfans.com/campaign/mmph/, https://image.emails.sonymusicfans.com/lib/fe9a12747566007d70/m/1/eb6e3ce4-7a7b-4435-a2cd-968f7277e6e0.png, https://image.emails.sonymusicfans.com/lib/fe9412747566057a72/m/1/b381d305-8e17-49be-bc99-e5fab3a7cd17.gif, push.apple.com • emails.redvue.com • apple-dns.net • 57.122.151.130 • https://teja8.kuikr.com/i6/20181130/Apple, Tracking LummaC2 Infrastructure with Cats (byAlienVault) https://otx.alienvault.com/pulse/6839003a3028827e1ebbfb1a, Interesting relationships: LummaC2 , Mirai Botnet , Sony Music Group , Apple, https://otx.alienvault.com/pulse/694898db3a9999fecfd893cb, ↓→Found in: https://house.mo.gov/↓, dns.msftncsi.com • https://dns.msftncsi.com/ • http://dns.msftncsi.com/, 
demo.auth.civicalg.com.sni.cloudflaressl.com, happyrabbit.kr [Apple iOS threat], https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 • appletoncdn.xyz, https://tracking.s-unlock.com • https://ignaciob.com/track/click/v2-318692303 • adepttracker.com •, https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639, https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393, https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join, http://nudeteenporn.site, https://www.virustotal.com/graph/g36d42db72d704469b0071fa675d3459385ee5529eab24925851fac2b89ac95c4, https://www.virustotal.com/graph/embed/g01c31a9734354d3fa14dd33e4bf1ec770e47e5f31e58424a927132b65c0cc052?theme=dark, http://www.hybrid-analysis.com/file-collection/66fac68ee418a841c80f2f92, http://www.hybrid-analysis.com/file-collection/66fac9127c919f69780c6f51, http://www.hybrid-analysis.com/file-collection/66faca03bf2d577d0707447e, http://www.hybrid-analysis.com/file-collection/66faca7c1e2a6e5879090c09, http://www.hybrid-analysis.com/file-collection/66facaef84282adfb805d499, http://www.hybrid-analysis.com/file-collection/66fac600ca930ea26b059ede, http://www.hybrid-analysis.com/file-collection/66fac890b85c51f0a00bb153, http://www.hybrid-analysis.com/file-collection/66fac7f30821b4aa5f0666ed, http://www.hybrid-analysis.com/file-collection/66fac7871e2a6e58790909fe, http://www.hybrid-analysis.com/file-collection/66fac6de4c7499ee5303356c, http://www.hybrid-analysis.com/file-collection/66fac978202166e31d059f2e, http://www.hybrid-analysis.com/file-collection/66fac56e9086d458e6064fea, https://urlscan.io/api/v1/result/5dea4d73-564a-4a37-88ef-da841b2bb274/, https://urlscan.io/result/5dea4d73-564a-4a37-88ef-da841b2bb274/, https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/community, 
https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/iocs, https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d, https://www.virustotal.com/gui/collection/aa215ea9a4819e7b629171f16969657ad55a22269acc626b32d5625eb3c16d9d/graph, Andariel Backdoor Activity (Checkin), IDS: WGET Command Specifying Output in HTTP Headers, IDS: D-Link Devices Home Network Administration Protocol Command Execution, Trojan.NukeSped/TigerRat | Trojan[APT]/Win32.Lazarus | Cited: Andariel group » state-sponsored threat actor & Defense media, Mr. Telephone Man, there is something wrong with her line: when she tries to dial a number, she gets a freak every time..., In this instance a senior citizen needing assisted living resources was redirected & socially engineered by addresses originating from: jefferson.co.us, Noted: Calls redirected, call jumps ahead of 25+ callers in wait, keeps getting same agent, told approved for services never applied for or received, Exploits: IPv4 20.99.186.246 | 52.109.0.140 | CVE-2023-22518 | Trojans: AgentTesla.KM, Cobalt Strike, Ransom: WannaCrypt, Malware: Dxqo, Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM Emails: [email protected], Emails: [email protected] Name: Botnet Sinkhole | Address: Botnet Sinkhole City: Los Angeles Country: USA, DNSSEC: Unsigned | Name Servers | BRUCE.NS.CLOUDFLARE.COM, Notable: Mirai - 192.70.175.110 Security Operations (DORA?) 
[email protected] | state.co.us | Reverse DNS dns1.state.co.us, Unix.Trojan.Mirai-6976991-0: FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c, ELF:Mirai-AII\ [Trj] | FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9, Overlaps: 4 others mailed information email address., Ransom:Win32/WannaCrypt.H, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CVE-2017-0147, AS36081 State of Colorado General Government Computer, Yara Detections Mirai_Botnet_Malware Alerts: dead_host network_icmp osquery_detection nolookup_communication, ELF:Mirai-AII\ [Trj] | FileHash-SHA256: 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9, Detections Executable and linking format (ELF) file download Over HTTP |, FileHash-SHA256: 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9, Yara Detections: UPXProtectorv10x2, UPX, ELFHighEntropy, elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\ [Trj], 77882 IPs Contacted: 1.1.69.67 1.10.237.208 1.101.233.31 1.102.46.59 1.103.37.126 1.105.106.252 1.106.108.182 1.106.193.143 1.109.132.165 1.11.116.209, Domains Contacted: ntp.ubuntu.com | IDS Detections GNU/Linux APT User-Agent Outbound likely related to package management | 91.189.89.198, Yara Detections: gafgyt IPs Contacted: 91.189.89.198 Domains Contacted: ntp.ubuntu.com, FileHash-SHA256: a0f50a7b0f9717589000b3414017bdcfcb9d3f6a3e5e03fe49c4dc8035e0d25c, Related Domains: townofignacio.com | coloradoagriculture.com | coloradoworkforce.com | coworkforce.com | coloradoccjj.com | dns1.state.co.us, https://www.rapidinterviews.com/api/jobs/redirect/public-transit-bus-drivers-with-utah-transit-authority-in-stansbury-park-apc-1932, https://us.thebigjobsite.com/redirectfeedjob?jobid=2A5F97A6BAE0AA90DC418C2119E1E0EB&source=onestepjobsxmlus&utm_source=onestepjobsxmlus&jobSiteK, redirect.wuxs.icu, https://a-a.redirector.navexglobal.com/navex_hosting/404.html, 
https://engage.navexglobal.com/topclass1/login.do?redirectTo=/expand.do?template=JasperReports&view=library, https://www.spytox.com/ | Malicious phone number & email verifier. HoneyPotNetBot?, Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread, Antivirus Detections: Win.Malware.Oxypumper-6900445-0, IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile, IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families), IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb), Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7, Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8, Win.Malware.Oxypumper-6900445-0: FileHash-SHA256 365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1, Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ, google.com.ge, google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/, https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622, Ransomware Detected: text artifact in screenshot indicates file may be ransomware details "Antivirus" (Source: screen_11.png, Indicator: "virus"), scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99, Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9, Backdoor:Win32/Plugx: FileHash-MD5 
63ebfbad26a529929927b9b485faa18a, Antivirus Detections: Win32:TrojanX-gen\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx, Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp, iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com, iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com, iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com, iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com, iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E, Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/, DotNET_Crypto_Obfuscator, Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,, Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,, Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... 
, TrojanSpy:Win32/Nivdort.CB, TrojanSpy:Win32/Nivdort.CW, TrojanSpy:Win32/Nivdort.DA, IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2, IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ..., https://otx.alienvault.com/indicator/ip/216.40.34.41, Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97, ns2.tsaratsovo.net, FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955, FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79, FormBook: FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848, Antivirus Detections: Win32:MalwareX-gen\ [Trj], IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1, DotNET_DotFuscator, Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx, Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger, https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29, Antivirus Detections: Win32:MalwareX-gen\ [Trj], Win.Ransomware.Gandcrab-9967304-0, Ransom:Win32/GandCrab.AE, Yara Detections ReflectiveLoader, Win32_Ransomware_GandCrab, stack_string, Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc, Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9, Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5, 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 
2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com, mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,, https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled, https://www.YouTube.com/polebote, https://www.virustotal.com/gui/collection/31631d40caeb46bdbd936028bb7012a42ad2261b6e3906eeab345aab8663bc40/iocs, 123.json, https://www.virustotal.com/graph/embed/g619317b5da9c4fb4824227d24a36e284bba5cf96b2a74175ba626ce7533e2942?theme=dark, https://www.virustotal.com/graph/embed/g954d7f416fea4d899764468b283f1bf707327c503eb24a03b597b0223a654591?theme=dark, redhatdelete.com, Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}, explorer.exe • Explorer.EXE • upnaneat-xex.exe • akgibik.exe • wmiadap.exe • wmiprvse.exe • winlogon.exe • tmpo3rfa1vg.exe, https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60, Trojan-Ransom.Win32.Blocker.jgb Checkin, https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695, POD 18447 for Cox.xls, https://apps.apple.com/us/app/gambinos-pizza/id1500338496, https://www.hallrender.com/attorney/brian-sabey/ • www.hallrender.com • https://www.hallrender.com/wp-json/oembed, 1.download.windowsupdate.com [HiddenTear], https://tulach.cc/ • tulach.cc • thedevilsback.golf • nextcloud.tulach.cc [phishing], https://gronthoghor.com/xoe/qbot.zip •, Win32:JunkPoly - Worm:Win32/Bagle.gen!C https://www.anyxxxtube.net/search-porn/tsara-brashears/ • www.metrobyt-mobile.com, workers.dev [extraction • GET request attack], ddos.dnsnb8.net [command_and_control], www.supernetforme.com [command_and_control], https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html, http://www.supernetforme.com/search.php?q=2075.2075.300.4096.0.756ae987de3398fb3871e5916bf6fa3ea748bb384f297c252a6a6c52397bb6be.1.399198437 [phishing • python], 
https://www.milehighmedia.com/legal/2257 [Brazzers Porn Virus Network • Data collection • phishing], https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ phishing • virus network • Apple data collection ], CVE: CVE-2023-23397, 0-129-112027imap-intranet-pv-175-166.matomo.cloud, https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [iOS password decryption • unlocker], https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512, https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017, https://twitter.com/PORNO_SEXYBABES, sex-ukraine.net, http://ww38.hardsexxxtube.com/scj/thumbs/295/196_teen_Megan.jpg • humani-teens.com, feedercontroller.webcrawlingeap-prod-co4.binginternal.com, accessoire-telephones.fr • bks-tv.ru [telecom] • coltel.ru [telecom] • ceptelefondata.com.tr [data collection • USA] ts-astra.ru [telecom] wifi.ru, nexus.b2btest.ertelecom.ru, Virus Network: 192.229.211.108 | Tracking: http://d1ql3z8u1oo390.cloudfront.net/offer.php?affId=7512&trackingId=433313787&instId=7584&ho_trackingid=HO433313787&cc=DE&sb=x64&wv=7sp1&db=InternetExplorer&uac=1&cid=bcbaa53dffa0965e557319f4f2155088&v=3&net=4.8.03761&ie=8.0.7601.17514&res=800x600&osd=151&kid=hqmrb21boa4c9c32d7k, Tracking: trackyouremails.com • https://adservice.google.com.uy/clk, http://micrologin.ogspy.net/track/dhl-information-contact.html, https://www.crccolorado.com/dr-adam-sang, CS IDS Rules: MALWARE Possible Compromised Host, CS IDS Rules: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz, CS IDS Rules: SERVER-OTHER Squid HTTP Vary response header denial of service attempt, CS IDS Rules: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses, CS IDS Rules: ET AnubisNetworks Sinkhole Cookie Value btst, http://www.defi-realty.com/jem9/ [phishing], http://45.159.189.105/bot/regex [phishing | tracking], https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing | data collection| browser vulnerability], 
https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password decryption], https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/, https://attack.mitre.org/software/S0226/, http://watchhers.net/index.php. [ data collection], remotewd.com, https://remote.krogerlaw.com, device-local-7e6b3aa6-e3de-4e8f-9213-9f15c92d1d81.remotewd.com, www.pornhub.com [password decryption], www.supernetforme.com [CnC], ddos.dnsnb8.net [CnC], http://happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg [phishing], http://amaiorpascoadetodas2.com/cgi-sys/suspendedpage.cgi?smart-tv-led-55-samsung-55ru7100-ultra-hd-4k-com-conversor-digital-3-hdmi-2-usb-wi-fi-visual-livre-de-cabos-controle-remoto-%C3%9Anico-e-bluetooth-&skullid=539293743, http://url7639.ascglobal-email.com/wf/open?upn=HDu-2BON2WuckNVJ2U1s3AlMizU2CbfEvFl7S9TXTdQm2nLS-2F0QX6mc4PxuUDVyCyIzMeTvJRSiC633rEV-2B8mukshW0CHiC-2FvQOWOgJR6RGOtzDWutJV4OtjBHGduMDUigvEESSJQD8KXk1UU3bXtRdyd7QpBC-2F7Ti-2Bq6tNr1C4yz-2FXcUbYvtJX4ip5d5t5eXud233BW97tdcojPu0yKWZ0Zm2DyXbj1RIwt-2FO0RcYLC7feNtrpw6OxBd8r4Tc3uHoT7Z9NFErDUBbBuYpsze-2FiBRziGeeMExS5l82Xna4au56co0IdOcfscmwGtC-2BxD3xiJW4v560wXMZQU0G9hqqPVeYTnwZwyfebBz1KLSW-2BIJtHMF6DCNHhatvrb3WM84-2BGpgCxOK1dFKPiKsmPzSc-2BdCAO9BzU3K6G7EaDYNu2cRHdGmat-2BCJs, https://darkforums.me/Thread-Check-Any-Indian-Vehicle-Owner-Details-home-address-phone-number [Whoa Nelly!], https://us-bankofamerica.com/PhoneVerification.php/, http://www.w3.org/TR/html4/loose.dtd | www.w3.org [collection], http://dl.ariamobile.net/mobile/2008.10.a/applications/My_Phone-v2.01-S60v3-[wWw.Ariamobile.Net].zip, http://iphones.email [redirection chain], *Patient PII & PHI at critical risk, google.com.uy [Google search browser, masked, links to malicious porn malware spreader, malvertizing, collection host], https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ iOS unlocker & password cracker], toolbarqueries.google.com.uy, tulach.cc [Adversarial 
Malware Attack Source], http://1.116.132.182/weblogic_CVE_2020_2551.jar, init-p01st.push.apple.com, newrelic.se [Apple Collection], apple-dns.net. [Apple email collection], apple.com [=vaccine.com / negative http or https - insecure, malicious], nr-data.net [Hidden private Apple data collection], http://dm.kaspersky-labs.com/en/KIS/21.2.16.590/ksde_ksn_en.txt [=apple.com/bag], www.metrobyt-mobile.com. [s3.amazonnaws.com Apple], https://www.sweetheartvideo.com/tsara-brashears/ [Tracking & BotNet campaign =Tulach abuse], https://www.anyxxxtube.net/search-porn/tsara-brashears/ [Target - prism.exe, phishing, NSA current, former, wannabe?] Not classified; it's widespread., https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [password cracker, Mail spammer, malicious advertising], https://mobile.twitter.com/hashtag/daisycoleman [Troubling Catherine Daisy Coleman DEFAULT Twitter] Coleman's alleged suicide note Twitter, 114.114.114.114 [IP, subnet? Attacked my devices with dumping campaign. Revenge], mobile.twitter.com [titled hashtag Daisy Coleman], http://pingma.qq.com/mstat/report/?index=1569424777 [malicious Daisy Coleman link], 12 CVE exploits posted in 'scoreblue' CVE tally, Hybrid Analysis, wTools, VT, Deep Search and related online research. Yes, I'm a frightened underdog advocate, educated & trained in many areas. THIS!, Above Assurant link. [Hidden privacy threats, Transactional campaign], https://pin.it/ [SQLi Dumper], https://github.com/dyne/domain-list/blob/master/data/nsa = msftncsci.com/ncsi.txt, msftconnecttest.com, ncsi-geo.trafficmanager.net =analytics.tresensa.com, https://www.msn.com/?ocid=wispr&pc=u477 [msftconnecttest.com/redirect malicious] [Remote Network Attack via devices], 104.200.22.130 Command and Control, aig.com, https://github-cloud.s3.amazonaws.com [DNS prefetch], [email protected] [Investigation of alleged victims?], 103.224.212.34 scanning_host, 0-1.duckdns.org [malicious]
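The report fragments above carry file hashes under inconsistent labels (FileHash-SHA1, FileHash-MD5, FileHash-SHA256, and two fragments where the "256" of SHA-256 was fused onto the digest itself, yielding a 67-character token). The following Python is an added example, not code from this listing, the feed, or any of the report contributors. It pulls hex runs out of such free-text lines, classifies each by length, recovers the fused-prefix case, renders the result as STIX 2.1 indicator patterns, and matches a file's digests against the set. The sample lines are copied from the listing; the repair rule (a 67-character hex token beginning with 256 is "256" plus a 64-character SHA-256) is an assumption about this page's extraction, not a general rule, and is flagged on each record it touches.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample input: five report fragments copied from the listing above.
# Two of them carry a digest that extraction fused with the "256" of "SHA-256".
SAMPLE_LINES = [
    "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7",
    "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8",
    "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1",
    "FileHash-SHA256 : 256760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9",
    "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc",
]

# Digest length in hex characters -> algorithm name (hashlib spelling).
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# STIX 2.1 file-object hash keys used in indicator patterns.
STIX_KEYS = {"md5": "file:hashes.MD5", "sha1": "file:hashes.'SHA-1'", "sha256": "file:hashes.'SHA-256'"}

# A run of 32+ hex digits that is not glued to further hex digits on either side.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32,}(?![0-9A-Fa-f])")


@dataclass(frozen=True)
class HashIOC:
    algo: str
    value: str      # lowercase hex digest
    repaired: bool  # True when a fused "256"+SHA-256 token was split to recover the digest
    source: str     # the report line the digest came from


def classify_token(tok: str) -> Optional[Tuple[str, str, bool]]:
    """Map one hex run to (algo, digest, repaired); None if it has no recognised digest length."""
    tok = tok.lower()
    if len(tok) in HASH_ALGOS:
        return HASH_ALGOS[len(tok)], tok, False
    # Assumption about this listing's extraction, not a general rule: "FileHash-SHA 256<hash>"
    # and "FileHash-SHA256 : 256<hash>" produce 67 hex chars, i.e. "256" + a 64-char SHA-256.
    if len(tok) == 67 and tok.startswith("256"):
        return "sha256", tok[3:], True
    return None


def extract_hashes(lines: Iterable[str]) -> List[HashIOC]:
    """Pull deduplicated file-hash IOCs out of free-text report lines, in order of first appearance."""
    seen = set()
    found: List[HashIOC] = []
    for line in lines:
        for tok in HEX_RUN.findall(line):
            classified = classify_token(tok)
            if classified is None:
                continue
            algo, value, repaired = classified
            if (algo, value) in seen:
                continue
            seen.add((algo, value))
            found.append(HashIOC(algo, value, repaired, line))
    return found


def to_stix_patterns(iocs: Iterable[HashIOC]) -> List[str]:
    """Render each IOC as a STIX 2.1 indicator pattern string, one per hash."""
    return [f"[{STIX_KEYS[ioc.algo]} = '{ioc.value}']" for ioc in iocs]


def digest_file(path: str) -> Dict[str, str]:
    """Compute md5/sha1/sha256 of a file in one pass, keyed by the names used in HASH_ALGOS."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def check_digests(iocs: Iterable[HashIOC], digests: Dict[str, str]) -> List[HashIOC]:
    """Return the IOCs matched by a file's digests (as returned by digest_file)."""
    wanted = {algo: value.lower() for algo, value in digests.items()}
    return [ioc for ioc in iocs if wanted.get(ioc.algo) == ioc.value]


if __name__ == "__main__":
    iocs = extract_hashes(SAMPLE_LINES)
    for ioc in iocs:
        flag = " (repaired)" if ioc.repaired else ""
        print(f"{ioc.algo:7} {ioc.value}{flag}")
    for pattern in to_stix_patterns(iocs):
        print(pattern)
```

Run it as a script to see the five digests with the two repaired ones flagged; to sweep a directory, feed each file through `digest_file` and then `check_digests` against the extracted set. Treat any `repaired` record as lower confidence until the digest is confirmed against the original report or a sandbox entry.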
IOC Journey
Confidence: high · First detected 4 years ago · Last seen 17 days ago
Appeared in 6 threat reports