IOC Radar
SHA1 · High · Verified · Signal 98/100

ffb6b44c5911efb7397a02da9b66f83a42e3fd20

Location
Singapore
First Seen
Sep 14, 2024 (642d ago)
Last Seen
Apr 14, 2026 (66d ago)
Reports
6 source reports
Confidence
98% (high)
Found in 6 reports. Confidence: high. · Confidence scores are heuristic. Verify before acting on results.
SHA-1 Hash
SHA-1 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA1
Signal Score
98 / 100
IDS Rule
No
Threat Context

MITRE ATT&CK TTPs
62 techniques

Feed Intelligence Summary

Source reports
6
Confidence score
98%
Category tags
a50 typa5ipa9 a8aaaaaamiraiabuseabv0abv01acceptaccess typeaccount securityactive relatedactive scanadded activeaddressaddress domainaddress rangeadware backdoorakamai rankalertsalgoritall domainall filehashall scoreblueallocation typealvoesamericaamerica flagamerica relatedanalyzer pasteapollo databaseapple incarialas834 ipxoasciiascii textashburnasiaasia pacificaudioautoitav detectionsbackbackdoorbad reputationbb c7bc a1bedroom indianbg phonebhabi sexbinarybinary filebodybotnetbotnet activitybrian sabeybrute forcebulgaria phonec tmpsamplec2 ipc2 resolutionca issuerscallcallscanadacanrebcc fdcdn rangecertcert validitychainchina domainchina flagchina unknowncidrck idck idsck matrixclear hindiclick-based attackcloudflare dnscnamecobalt strikecode executioncode injectioncommandcommand & controlcommand and controlcommand executioncommunication protocolcontactcontroller fakecptbdevcreation datecredential stuffingcro intormationd4 dcdata accessdata copyingdata exfiltrationdata store exposuredata transferdata uploadddosddos attacksdefense evasiondelphidesidete datadetect-debug-environmentdirectoi t1222distributed attacksdiv divdive intodns attackdohdomail showingdownloaderdrive by compromisedroo anvdropsds nxdomaindumpingdynamic dnsdynamicloaderedgeview driveee fcelfelf contaelf executableelf geomielf64 operationencryptencryptionengineenoughenter scentrieserroreuropeeurope/asiaevasionexchange allexchange lteexcludeexclude dataexclude suggesexec amd6464executable fileexploitexploit domainexploitation activityexternal ipextrextr referenextra ltef4 cafailedfakaidfalsefastfastest privacyff d5filefile-hashfiler datafiler filehuonfilesfiles domainfiles ipfiles locationfiles relatedfilet cefilet filerfilet filetfiltered personfiltered routefindfind cfind sfingering herfirst dnsfor privacyformatfoundfull reportsgateway protocol abusegeckogermanyget helloget icarusglobalgmtngogolanggoogle dnsguardh1256hackinghacking toolshackingtrio uahandlehashes capehd 
postshellohelveticaheurhighhistorical otxhostname enumerationhostshttp attackhttp performshttp scannerhttpshttps domainhua muicalulhunting macrohybrididentity & access exploitationids detectionsiframeinboundincludeinclude datainclude reviewincluded iocsindicatorindicatoreinfection dnsinformation gatheringinformation technologyinfrastructure acquisitionreconnaissanceingress tool transferinjection activityinput validation bypassintelinternet gmbhinternet of thingsiocsiocs oiot botnetiot securityiot/ics attackipv4ipv4 addipv4 urlissuerit infrastructureje elfje matchesjeff reimer sexjeffrey reimerjeffrey reimer ptkey usagekeywordkhtmlkit exploitl extractionlabs pulseslatinalauncherlayer protocollearnlessless iplinklinuxloaderloadslocallog idlte allmac osmachomacho 64bitmacsync_applescript_stealermagicmagika isomalicious downloadmalicious linksmalicious softwaremalwaremalware distributionmalware hostingmanually adamanually addmanualymatches datamatches edolavdmatches matchesmatches yaramedia centermediummemo filememory patternmemory scanningmetadata analysismirai botnetmirai variantmitre attmitre attackmodelmodify systmodify systemmonths agomovedmozillamsien1 excludenamename serversname tacticsnation-state activityneterranetwork communicationnetwork infonetwork namenetwork scanningneven dilkovnew threatnextnext associatedno entrinorth americanot cryptographically soundnumberocspogoogle trustopenoperating systemoperating system securityos credentialotx logootx telemetryoutbound trafficoverview ipowner exploitpa abusecpa statuspassive dnspath traversalpe sectionpe32 executablepegasusperforms dnsphishingphoneidentifyphotos picsphucket newsponmocup postporn typepostpresent novprivate serverprivileged accessproc indicativeproccpuinfoprocessprocess createprocess injectionprocess lprogrampulsepulse pulsespulsespulses nonepulses urlpythonqaeaav0qaexnqbenxzqbepaxxzransomwareread creadsreads cpureconnaissancerecord valueredacted forref breferenreference idreimer dptreimer 
typerelated nidsrelated pulsesrelated tagsremc t1070remoteremote accessremote servicesreport publishreport spamresearchedreviewreview excludereview iocsreview occriperobotorobotodraftrole titlerussiasabey xxxsc carscan endpointsschaansearchsecurity operationsself-deleteserver caserversservicesexyshellshowshowingsimsingaporesingapore asnsizeslcc2smuxsocial engineeringsocial media securitysofiasoftware developmentsoftware supplysourcespamspanspan tdssdeepssltls clientstatusstopstop showstreamstringsstwasucuri websitesuggessuggestsuggested ocssuggestedinccsuiteswipper relationshipsystemd servicesysvt1003t1005t1012t1014t1016t1021t1021.001t1027t1027 masqueract1030t1036t1036 indicatort1037.002t1041t1047t1055t1057t1059t1059.001t1060t1069.001t1070t1070.004t1071t1071.001t1078t1082t1083t1095t1105t1119t1133t1140t1155t1190t1203t1204.001t1204.002t1222t1222.002t1485t1486t1489t1496t1497t1499t1499.002t1499.003t1518t1518.001t1542t1543t1543.002t1564t1565t1566t1569.002t1571t1573t1583.005t1587.001t1589.001t1590.001t1609tagstamilteen sexthreat actorthreat intelligencethumtico datatimetitletitle addedtls snitls versiontls webtocstuttor nodetraefik defaulttraffic tcptrid nulltrojan malwaretsara typetwittertyp datatyp filettyp innicatadtypetype indicatortype ipv4typesunique ruunitedunited statesunixunix shellunknown nsupdaterupx packerurlsurls httpurls httpsuser executionusersusrbinid iduuidv3 serialvalidvaluevideos xxxvulnerability scanw4uninitializedweb application attackweb application exploitationweb securityweb trafficwhois serverwild fantasywin32 malwarewindirwindows malwarewindows ntwiperwitchworldwormwritewrite cx machoxorxtraxxx videoyarayara deteyara detecteayara detectionsyara detelyara ruleyoung boyzbotzenbox linuxzercegazergzergecazergeca botnetzergeca sample

Activity Timeline

1 total observation (Apr 14)

Threat Activity Heatmap

Peak: 2026-04-14
Observations by window:
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 1 (Minimal)
Intelligence Summary (AI generated)

This Indicator of Compromise (IOC), a SHA-1 hash, is of critical concern due to its extremely high threat score and confirmed associations with sophisticated malicious activity. Its presence in an environment strongly indicates an active compromise that could lead to severe consequences, including data exfiltration, system-wide disruption, and potentially financial losses through ransomware or cryptocurrency mining. This IOC has been linked to the ransomware groups 'el dorado' and 'HsHarada', in…

Threat Score
98 (High Risk)
Signal Score
98
Confidence
98%
Reports
6
First seen
Sep 14, 2024
Last seen
Apr 14, 2026
Verified IOC

VirusTotal

Not checked

WHOIS

description
SHA1 of 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29
references
https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet, https://otx.alienvault.com/pulse/69d5859750dfad7fe7989ef4, https://www.virustotal.com/gui/file/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b/behavior, https://www.virustotal.com/gui/file/2e9df8987212300815928e0426e9358b1380a1eaba38270d03dd69e421686b5b/behavior, https://www.virustotal.com/gui/file/897b30acabf35da4937b1b8258d30dd2f89cf64ada8522b558d01eb503b7b85f/behavior, https://www.virustotal.com/graph/gd016713b8645450da71f7493b0829def1376ce3e16cf4f6d95061a7400af5447, https://www.virustotal.com/gui/file/4bf52ea159354bc0aefecb53fbf93b2fea7019eabf9ada27c58fa00c1e9bb990/details, https://www.virustotal.com/gui/file/c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f/detection/, https://apple.k8s.joewa.com/ • https://com.apple • freedns.afraid.org, IPv4 188.114.96.1 In CDN range: provider=cloudflare • dns.google • push.apple.com, Zercega • IPv4 84.54.51.82, Zercega • http://bot.hamsterrace.space:5966/, Zercega • multi-user.target, Zercega • ootheca.pw, CVE-2023-22518 CVE-2018-10562 CVE-2024-6387 CVE-2025-20393, Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29, Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke, Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems), Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community, Crowdsourced IDS rules:, Matches rule ET POLICY External IP Lookup ipinfo.io, Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo .io), Matches rule ET INFO External IP Check (checkip .amazonaws .com), Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt, Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection., Yara detected: Xmrig cryptocurrency miner, Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance, meta.com • meta.com.apple, geomi.service • 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63, ELF contains segments with high entropy indicating compressed/encrypted content, /etc/systemd/system/geomi.service File type: ASCII text, http://www.bing.lt/search?q=, Win.Malware.Salat-10058846-0, Yara Detections: MacSync_AppleScript_Stealer, Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara, Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process, Alerts: resumethread_remote_process enumerates_running_processes reads_self, Alerts: packer_unknown_pe_section_name script_tool_executed, Alerts: queries_computer_name queries_keyboard_layout queries_locale_api, Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry, Contacted: 188.114.96.1 Domains Contacted dns.google, distracted-chebyshev.84-54-51-82.plesk.page • domain plesk.page, www.joewa.com, Win.Malware.Salat-10058846-0 Alerts binary_yara packer_unknown_pe_section_name, Yara Detections: MacSync_AppleScript_Stealer , UPX ,, Yara Detections: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser, apple.k8s.joewa.com • joewa.com • http://apple.k8s.joewa.com/ • https://apple.k8s.joewa.com/, Interlocken Business Park Address. 105 Edgeview Drive, Broomfield, CO, blackbox-exporter.lenovo-k8s.home.local.advena.io, http://blackbox-exporter.lenovo-k8s.home.local.advena.io/, https://blackbox-exporter.lenovo-k8s.home.local.advena.io/, https://blackbox-exporter.lenovo-k8s.home.local.advena/, Calls an API typically used to retrieve function addresses, load a resource T1129 Shared Modules Execution Adversaries may execute malicious payloads via loading shared modules. Learn more, Loads modules at runtime Looks up procedures from modules, (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime) Calls an API typically used to load libraries Loads the RPC (Remote Procedure Call) module DLL T1059.007, https://cloudflare-dns.com/dns | cloudflare-dns.com, https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522, https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_522&utm_campaign=www.joewa.com, https://hybrid-analysis.com/sample/60d74d52f3b90530a1bc0dd1e26c694c6339bca6f249a4a1818694cd6aeea618/69cf2d0230de22b88e055a1f, 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 (Can't access file), ‘Can't access file’ Trojan.Sagnt/R011c0dfs24 | Trojan/Linux.Zergeca, ‘Can't access file’ [Found in Zergeca Botnet], IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI), IDS: Possible External IP Lookup ipinfo.io Possible External IP Lookup Domain Observed in SNI (ipinfo .io), Yara Detections: is__elf , LZMA , ELFHighEntropy , elf_empty_sections, IPs Contacted: 116.203.98.109 34.117.59.81 104.16.248.249 44.209.201.56, Domains Contacted: cloudflare-dns.com checkip.amazonaws.com ipinfo.io api.opennic.org, Crowdsourced SIGMA Below:, Crowdsourced IDS Below:, Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI), Unique rule identifier: This rule belongs to a private collection., geomi.service 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29 703552___ad433f35-96a0-467f-9fa4-a25a66b5c385.elf geomi, https://vtbehaviour.commondatastorage.googleapis.com/6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775233275&Signature=vkbdhKnRjzLDcOeMxSE64WCgRJRN28vyp5o%2BMZIxIXbQxUz%2BB%2Beagggbj%2FVYVgAbXypupb2f1UXvcCVp7nMx6zqWvOYXl%2FsBnIislk5NatiGtExGV4WBAU3iE7lNBAjbnmf6HTwhBZCrJts4swSKX3iu%2FZ%2F0%2FwHPNnH%2FygP8AnfbECEroOxz%2FRqDso4jfiSs5dHVkZ%2BFx7fgRfqgt7QeR4IMwju2UyRQQJkwOjQO, Reference: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/, crypto-pool.fr, iبامسلمون لمهمملممنامصناءواممساند | مطعم+ ممامام, Muslims have built, supported, and assisted. or Muslims: Support and Solidarity, LIE. Built American. Attorneys, hackers, Sabey, Ahmann, US quasi government, SOCs, Red Teams, Hacker Fest | Colorado, IDS Detections: Mirai Variant User-Agent (Outbound) WebShell Generic - wget http - POST, IDS Detections: MVPower DVR Shell UCE • HackingTrio UA (Hello, World), IDS Detections: JAWS Webserver Unauthenticated Shell Command Execution, IDS Detections: HackingTrio UA (Hello, World) • HTTP traffic on port 443 (POST), IDS Detections: Mirai Variant User-Agent (Inbound) • HackingTrio UA (Hello, World), IDS: Observed Suspicious UA (Hello, World), Yara Detections: SUSP_ELF_LNX_UPX_Compressed_File , is__elf , LZMA , UPX ,, Yara Detections: ELFHighEntropy , ElfUPX , elf_empty_sections, Alerts: cape_detected_threat, IPs Contacted: 210.101.166.243 117.61.31.95 118.173.103.172 2.159.67.181 117.80.58.104 .231.34 109.33.155.184, IPs Contacted: 212.88.65.130 94.160.172.104 5.164.111.219 5.248, Contacted: bot.hamsterrace.space [Unix.Trojan.Mirai-7669677-0], https://dns.google/resolve?name=SELECT, 31.6.16.33 • network.target [Found in Zergeca Botnet], multi-user.target • ootheca.top • network.target • ootheca.pw [Found in Zergeca Botnet], 84.54.51.82 • http://bot.hamsterrace.space:5966 [Found in Zergeca Botnet], Zergeca botnet based on Golang language still operating in the same language as the Mirai botnets, Since September 2023, according to an analysis by cyber security firm XLab CTIA., Address shows a place of origin: Broomfield, CO, Believed to be originating from Germany and Russia, BGP Hurricane Electric seen, Potentially Pegasus related. Found to be affecting an IOS device, Indicators seen may have affected a few OTX users. Is ongoing, Zergeca related URLs, URIs, Domains, inaccessible files referenced, apple.k8s.joewa.com • joewa.com • com.apple, This pulse is so huge it’s a mess. Will break down., https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/#background


IOC Journey

Confidence: high
First detected 1 year ago · Last seen 2 months ago
Appeared in 6 threat reports