PULSE NAME
Infected Hosts - MagicSword Analytics - Alerts Merged 03.06.26
WHITE Disable_Duck 2026-03-06 Modified: 2026-04-05
815 IOCs (HIGH VOLUME)
Analytics from 2 infected hosts from MagicSword. Hosts are both pseudo clones (?) of a production device that connects to AHS/Covenant Health, UAlberta, Government of Alberta daily. FFSS https://tria.ge/260306-2134tsfs3n <- Analytic Files & a few problem Files & 'secret files' only found in Triage VM. Did not include in pulse -> 9/10
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Protection"",""internal_name"":""MpSigStub.exe"",""file_description"":""Microsoft FileExplorer Ransomware Trojan Thimeda
Indicators of Compromise (24 / 815 total)