IOC Radar
SHA256MediumSignal 99/100

f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332

Location
Korea, Republic ofKorea, Republic of
First Seen
Sep 9, 2022
Last Seen
Apr 1, 2026
Sep 9
First Seen
1373d ago
Apr 1
Last Seen
73d ago
10
Reports
source reports
99%
Confidence
medium
Found in 10 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
99%
Signal Score
99 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

37 techniques

Feed Intelligence Summary

10 reports99% confidence
10
Source reports
99%
Confidence score
Category tags
active scanactive scanningactor profileactor/lazarusaerospace & defenseagencyahnlabapacheaptapt38asiaattackautomotive manufacturingbankingbitcoinblockchainbotnetbotnet activitybrute forcec2 urlschecks-network-adapterschecks-user-inputcisacivil servicescommand & controlcommand and controlcommodity contracts intermediationcommunication obfuscationcommunications networksconceptcredential accesscredential stuffingcredit card servicescritical infrastructurecrypto exchangecrypto miningcrypto walletcryptocurrencycryptocurrency threatscryptojackingcyber espionagedata encodingdata encryptiondata exfiltrationdata store exposuredecentralized financedefensedefense contractingdefense logisticsdefense systemsdefense technologydetect-debug-environmentdigital currencydirect-cpu-clock-accessdistributed attacksdownloaderdprkdprk cyberdtrackelectronic health recordselectronics manufacturingemergency servicesencryptionenergy systemsenumerateexfiltrationexploitation activityextortionfile-hashfinancefinancial servicesfinancial systemsfinancial technologyg0032government facilitiesgovernment technologyh0lygh0sthealth care and social assistancehealth information technologyhealthcare information systemshospital managementidentity & access exploitationindicatorindustrial automationindustrial iotindustrial productioninformation technologyinfrastructure monitoringingress tool transferinitial accessinjection activityinstalliocsiocs vsingleiot securityit infrastructurejigsawjob seeker targetingkeyloggerkisakorea, democratic people's republic oflateral movement techniqueslazaruslazarus aptlazarus grouplockbitlong-sleepsmagicratmagicrat c2smalmalicious activitymalicious downloadmalicious softwaremalwaremalware analysismalware distributionmalware/magicratmanufacturing technologymauimaui ransomwaremedical servicesmilitary operationsnational securitynetwork service scanningnorth koreaoperating systemosintpatient carepayment processingpeexepersistence mechanismsperuphishingprocess injectionprocess manufacturingproton mailpublic administrationpublic infrastructurepublic policyputtyqt frameworkquality controlransomransomwareratratsreconnaissanceregulatory agenciesremote accessremote servicesresearchedresource hijackingruntime-modulesryukscannersecure endpointsecurity operationsserviceservice scansocial engineeringsoftware developmentsonicwall smasouth americasouth koreasouth koreansugargh0stsupply chain attacksupply chain managementsystem disruptionsystem information discoveryt1005t1016t1021t1021.001t1025t1027t1033t1036t1041t1046t1053t1055t1059t1059.003t1069.001t1070t1071t1071.001t1071.004t1078t1082t1102t1105t1125t1210t1213t1486t1490t1496t1499.002t1499.003t1547t1565t1566t1595.001t1595.002t1595.003talosthreat actorthreat intelligencethreat spotlighttigerrattor nodetransportation networkstrojan malwarettpsturnunitedurlsurls httpvsinglevsingle c2svulnerability scanwater systemswealth managementwin32 malwarewindowswindows malwarex-popupyamabotyamabot c2s

Activity Timeline

1 total obs
Apr 1Apr 1

Threat Activity Heatmap

· Peak: 2026-04-01
Less
More
Mon
Wed
Fri
Jun
·
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Threat ScoreHigh Risk
99
SIGNAL
Signal Score
99%
Confidence
10
Reports
First seenSep 9, 2022
Last seenApr 1, 2026

VirusTotal

Not checked

WHOIS

description
PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
references
https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a, https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html, https://blog.talosintelligence.com/lazarus-magicrat/, https://raw.githubusercontent.com/conexioninversa/MalwareIntel/main/C2_CobaltStrikeBeacon.txt, https://asec.ahnlab.com/en/47906/, 2697839.misp-json, https://www.cisa.gov/uscert/ncas/alerts/aa23-040a, http://blog.talosintelligence.com/2022/09/lazarus-magicrat.html, https://community.riskiq.com/article/fd4b8822, September 08, 2022 - CryptoGen Cyber Threat Intelligence - North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns.pdf

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 3 years ago · Last seen 2 months ago
Appeared in 10 threat reports