IOC Radar
SHA1 · Medium · Signal 98/100

fa71d067f8187a023334c5503e66fd9be2b73698

Location
Peru
First Seen
Aug 18, 2023
Last Seen
Apr 29, 2026
8
Reports
source reports
98%
Confidence
medium
Found in 8 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-1 Hash
SHA-1 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA1
Confidence
98%
Signal Score
98 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

33 techniques

Feed Intelligence Summary

8 source reports · 98% confidence score
Category tags

Activity Timeline

1 total observation (Apr 29)

Threat Activity Heatmap (Jun to Jun, weekday by week; calendar image not recoverable) · Peak: 2026-04-29
Observations by window:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 98
Confidence: 98%
Reports: 8
First seen: Aug 18, 2023
Last seen: Apr 29, 2026

VirusTotal

Not checked

WHOIS

description
PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
references
https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered
https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs
IOCs.April.pdf
https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f
I copied IoC’s & from a pulse by AlienVault. I added related, resourced information I found interesting.
XOR_embeded_exefile_xored_with_round_256_bytes_key
FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 -> Name: Invitation - Santa Lucia Celebration.msg • File Type CDFV2 Microsoft Outlook Message
YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth
YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth
YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth
YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth
YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth
YARA RULE: SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth
SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali
Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.
kefas.id: Crowdsourced Sigma below | Malicious Score High
Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29
Evolution of Russian APT29 – New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner
Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 • AlienVault
Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research
https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html
https://therecord.media/illinois-hospital-notifies-patients-employees-of-cyber-incident?&web_view=true
August 18th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3074 - Malicious PDF Documents Used to Target NATO countries.pdf
https://labs.inquest.net/iocdb
https://lab52.io/blog/2344-2/

IOC Journey

Confidence: medium
First detected 2 years ago · Last seen 1 month ago
Appeared in 8 threat reports