IOC Radar
SHA1 · Medium · Signal 94/100

e1ff89f8b2830778ee9bdae64ab94fc64d16af5a

Location: Korea, Democratic People's Republic of
First Seen: Aug 17, 2023
Last Seen: Apr 1, 2026
Reports: 4 source reports
Confidence: 94% (medium)
Found in 4 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
SHA-1 Hash: SHA-1 file hash associated with malicious samples.
MISP Category: Artifacts Dropped
Hash Algorithm: SHA1
Confidence: 94%
Signal Score: 94 / 100
IDS Rule: No
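As an added example (not code from the IOC Radar page or from any of the cited reports), the two things a responder usually does with a file-hash indicator like this one: sweep a set of files for an exact SHA-1 match, and package the indicator as a STIX 2.1 Indicator object using the standard `[file:hashes.'SHA-1' = '...']` pattern. Only the hash value, the indicator description and the first-seen date come from this record; the indicator name, the deterministic id scheme (uuid5 of the hash), and the constructed sample file written by `demo()` are this example's own assumptions.

```python
import hashlib
import json
import os
import tempfile
import uuid
from datetime import datetime, timezone

# The SHA-1 indicator from this record.
IOC_SHA1 = "e1ff89f8b2830778ee9bdae64ab94fc64d16af5a"

# Values for the STIX export: description and first-seen date come from the
# record; the name string is this example's choice, not the page's.
INDICATOR_NAME = "SHA-1 file hash associated with malicious samples"
VALID_FROM = "2023-08-17T00:00:00Z"


def sha1_hex(data: bytes) -> str:
    """Lowercase hex SHA-1 digest of a byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_ioc_match(data: bytes, ioc: str = IOC_SHA1) -> bool:
    """True only if the bytes hash exactly to the indicator (hex compared case-insensitively)."""
    return sha1_hex(data) == ioc.lower()


def scan_paths(paths, ioc: str = IOC_SHA1):
    """Return the subset of paths whose SHA-1 equals the indicator.

    A hash IOC is an exact-bytes match: a repacked, re-signed or padded copy
    of the same sample will not match, so an empty result is not a clean bill
    of health for the host.
    """
    ioc = ioc.lower()
    hits = []
    for p in paths:
        try:
            if sha1_of_file(p) == ioc:
                hits.append(p)
        except OSError:
            # Unreadable or vanished file: skip it rather than abort the sweep.
            continue
    return hits


def stix_pattern(ioc: str = IOC_SHA1) -> str:
    """STIX 2.1 pattern for a file object carrying this SHA-1 (hash keys are quoted in STIX)."""
    return f"[file:hashes.'SHA-1' = '{ioc.lower()}']"


def build_stix_indicator(ioc: str = IOC_SHA1) -> dict:
    """Minimal STIX 2.1 Indicator SDO. The id is uuid5 of the hash (an assumption of this
    example) so that re-exporting the same record yields the same object id."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, ioc.lower())),
        "created": now,
        "modified": now,
        "name": INDICATOR_NAME,
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern(ioc),
        "pattern_type": "stix",
        "valid_from": VALID_FROM,
    }


def build_stix_bundle(ioc: str = IOC_SHA1) -> dict:
    """Wrap the indicator in a STIX 2.1 Bundle."""
    return {
        "type": "bundle",
        "id": "bundle--" + str(uuid.uuid4()),
        "objects": [build_stix_indicator(ioc)],
    }


def demo() -> list:
    """Write a constructed benign file (an MZ header stub, not the real sample) to a temp
    directory and scan it; returns the hit list, which is empty."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        with open(p, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)
        return scan_paths([p])


if __name__ == "__main__":
    print(json.dumps(build_stix_bundle(), indent=2))
    print("hits:", demo())
```

A hit from `scan_paths` is a strong signal because SHA-1 collisions are not a practical concern for an opportunistic attacker, but per the page's own caveat it should still be tied back to one of the cited reports before response action is taken; a miss says nothing about modified variants of the same family.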
Threat Context
Tags: see category tags below
MITRE ATT&CK TTPs: 78 techniques (the t-numbered entries in the category tags)
Feed Intelligence Summary
4 source reports; 94% confidence score
Category tags:
active scan; active scanning; aerospace & defense; agency; agricultural supply chain; agricultural technology; agriculture, forestry, fishing and hunting; ahnlab; andariel; andarielpevt2; apache; applied research; apt; apt45; asia; automotive manufacturing; bad reputation; banking; bitcoin; blockchain; botnet; botnet activity; brute force; cert; cisa; civil services; command & control; command and control; commodity contracts intermediation; communication protocol; communications networks; computer security; concept; cpgs; credential access; credential stuffing; credit card services; critical infrastructure; crop production; crypto exchange; crypto mining; crypto wallet; cryptocurrency; cryptocurrency threats; cryptojacking; csirt; cyber risks; cyber security; darkseoul; data encryption; data exfiltration; data store exposure; database security; ddos; decentralized finance; defense; defense contracting; defense logistics; defense systems; defense technology; denial of service; detect-debug-environment; development labs; digital currency; direct-cpu-clock-access; distributed attacks; dprk; dprk cyber; electronic health records; electronics manufacturing; emergency services; encryption; energy; energy distribution; energy systems; engineering; exploitation activity; extortion; farming; file-hash; fin; finance; finance and insurance; financial services; financial systems; financial technology; food production; ftp; ftp brute force; goc2pe; govtgo; government facilities; government technology; h0lygh0st; health care and social assistance; health information technology; healthcare information systems; holygh0st ransomware; hospital management; http brute force; http scanner; identity & access exploitation; idle; indicator; industrial automation; industrial iot; industrial production; industry/defense; industry/transportation and warehousing; industry/utilities; ingress tool transfer; initial access; injection activity; injection attacks; innovation management; install; intrusion detection; iocs; iot security; jigsaw; korea, democratic people's republic of; lateral movement; lazarus; lazarusandariel; livestock management; lockbit; long-sleeps; malicious download; malicious software; malware; malware distribution; malwaretype/remote access trojan; manufacturing technology; maui; maui ransomware; medical services; military operations; modulekeylogger; moduleshell; national security; network attacks; network intrusion; network probing; network protocol; network scanning; network security; nist; north korea; nuclear; oil & gas; onyx sleet; operating system; osint; overlay; patient care; payment processing; peexe; peru; phishing; power generation; power systems; precision agriculture; process injection; process manufacturing; product development; proton mail; public administration; public infrastructure; public policy; quality control; r&d strategy; ransom; ransomware; rats; rbg; reconnaissance; reconnaissance general bureau; regulatory agencies; remote access; remote services; renewable energy; research; research & development; research methodology; researched; resource hijacking; rifle; rogueye; runtime-modules; ryuk; scanner; scientific research; security operations; service; silent chollima; sonicwall sma; south america; south korea; south korean; ssh attack; strong; supply chain attack; supply chain management; sustainable agriculture; syn; system disruption; t1003; t1005; t1021; t1021.001; t1021.002; t1027; t1039; t1040; t1047; t1048; t1055; t1057; t1059; t1059.001; t1059.003; t1059.004; t1059.005; t1068; t1069.001; t1071; t1071.001; t1071.002; t1071.004; t1076; t1077; t1078; t1082; t1083; t1087; t1090; t1105; t1110; t1110.001; t1110.002; t1110.003; t1119; t1133; t1189; t1190; t1195; t1210; t1486; t1490; t1496; t1499.001; t1499.002; t1499.003; t1560; t1563; t1565; t1566; t1566.001; t1567; t1569; t1569.002; t1572; t1583; t1583.003; t1587; t1588; t1588.002; t1589; t1589.002; t1590; t1590.001; t1590.002; t1590.003; t1590.004; t1591; t1592; t1592.001; t1592.002; t1592.003; t1595; t1595.001; t1595.002; t1595.003; t1596; tcp protocol; technology research; threat actor; threat intelligence; threatactor/onyx sleet; threattype/malware; threattype/threat actor; threattype/vulnerability exploitation; tor node; transportation and warehousing; transportation networks; ttps; turn; unauthorized access attempt; united; uscert; utilities; vulnerability scan; water systems; wealth management; web login; web traffic; win32 malware; windows malware; x-popup; xmas

Activity Timeline: 1 total observation (Apr 1)

Threat Activity Heatmap: peak 2026-04-01 (calendar grid, Jun through Jun, not reproduced here)
Recent activity: 24h: 0 (dormant); 7d: 0 (dormant); 30d: 0 (dormant); 3mo: 0 (dormant)
Threat Score: 94 (High Risk)

VirusTotal: Not checked

File Type: PE32+ executable (GUI) x86-64, for MS Windows
References:
https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a
https://www.cisa.gov/uscert/ncas/alerts/aa23-040a
https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-array-of-malware-to-gather-intelligence-for-north-korea/#:~:text=Indicators%20of%20compromise
https://www.cisa.gov/sites/default/files/2024-07/AA24-207A-North-Korea-Cyber-Group-Conducts-Global-Espionage-Campaign-to-Advance-Regimes-Military-and-Nuclear-Programs.stix_.json
https://media.defense.gov/2024/Jul/25/2003510137/-1/-1/0/Joint-CSA-North-Korea-Cyber-Espionage-Advance-Military-Nuclear-Programs.PDF
https://www.ic3.gov/Media/News/2024/240725.pdf
https://www.ncsc.gov.uk/news/ncsc-partners-vigilant-dprk-sponsored-cyber-campaign
https://raw.githubusercontent.com/conexioninversa/MalwareIntel/main/C2_CobaltStrikeBeacon.txt
https://labs.inquest.net/iocdb
https://asec.ahnlab.com/en/47906/
2697839.misp-json
https://community.riskiq.com/article/1028f070
https://ti.qianxin.com/blog/articles/lazarus-armory-update-analysis-of-recent-andariel-attacks/
