Recent Lazarus Tools
2019-01-13 • Norfolk
An attempted intrusion against Chilean interbank network Redbanc used a fake LinkedIn developer-job approach to persuade an employee to run ApplicationPDF.exe. The .NET downloader displayed a fake job application form while contacting a C2 server, writing Reg_Time.ps1 to c:\users\public\, and executing a PowerShell payload that closely matched the PowerSpritz family. The excerpt links the tooling to suspected North Korea-aligned financial intrusion activity, including Vietnam-centered banking infrastructure cases involving hs.exe and syschk.ps1, while treating possible Pakistan activity as lower confidence. Reported artifacts include multiple hashes, PowerShell command routines, encrypted logging to c:\windows\temp\tmp0914.tmp, and infrastructure such as 38.132.124[.]250 and 89.249.65[.]220.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 34404a3fb9804977c6ab86cb991fb130 | 2019-01-13 | 2020-08-05 |
| HASH | b484b0dff093f358897486b58266d069 | 2019-01-13 | 2020-08-05 |
| HASH | f12db45c32bda3108adb8ae7363c342… | 2019-01-13 | 2020-03-09 |
| HASH | f3ca8f15ca582dd486bd78fd57c2f4d… | 2019-01-13 | 2020-03-09 |
| HASH | c6930e298bba86c01d0fe2c8262c46b… | 2019-01-13 | 2020-03-09 |
| HASH | b345e6fae155bfaf79c67b38cf488bb… | 2019-01-13 | 2019-01-22 |
| HASH | 791205487bae0ac814440573e992ba2… | 2019-01-13 | 2019-01-22 |
| HASH | ed7fcb9023d63cd9367a3a455ec9433… | 2018-07-23 | 2019-01-22 |
| HASH | 26466867557f84dd4784845280da1f27 | 2018-07-23 | 2019-01-22 |
| HASH | a20ef335481c2b3a942df1879fca776… | 2019-01-13 | 2019-01-13 |
| HASH | 9ff715209d99d2e74e64f9db894c114… | 2018-07-23 | 2019-01-13 |
| HASH | bda82f0d9e2cb7996d2eefdd1e5b41c4 | 2018-07-23 | 2019-01-13 |
| IPv4 | 89.249.65.220 | 2018-07-23 | 2019-01-13 |
| IPv4 | 38.132.124.250 | 2018-07-23 | 2019-01-13 |