Lazarus Bank Attack Campaign
Lazarus Group attacks against global banks and Polish financial sector using custom malware.
Start date
1 January 2016
End date
—
Techniques
19
Indicators of compromise
38
14 SHA1, 11 SHA256, 10 MD5, 2 domain, 1 IP
Attributed actors
Techniques (19)
collection (1)
T1560.001  Archive via Utility
command-and-control (3)
T1573.001  Symmetric Cryptography
T1105  Ingress Tool Transfer
T1071.001  Web Protocols
credential-access (1)
T1003.001  LSASS Memory
defense-impairment (1)
T1070.001  Clear Windows Event Logs
discovery (2)
T1082  System Information Discovery
T1083  File and Directory Discovery
execution (3)
T1059.003  Windows Command Shell
T1059.001  PowerShell
T1053.005  Scheduled Task
exfiltration (1)
T1041  Exfiltration Over C2 Channel
initial-access (2)
T1078  Valid Accounts
T1566.001  Spearphishing Attachment
lateral-movement (1)
T1021.001  Remote Desktop Protocol
persistence (3)
T1078  Valid Accounts
T1547.001  Registry Run Keys / Startup Folder
T1053.005  Scheduled Task
privilege-escalation (4)
T1078  Valid Accounts
T1547.001  Registry Run Keys / Startup Folder
T1055  Process Injection
T1053.005  Scheduled Task
stealth (4)
T1078  Valid Accounts
T1070.004  File Deletion
T1055  Process Injection
T1027  Obfuscated Files or Information
Indicators of compromise (38)
MD5 (10)
1f7897b041a812f96f1925138ea38c46  confirmed
1507e7a741367745425e0530e23768e6  confirmed
cb52c013f7af0219d45953bae663c9a2  confirmed
40e698f961eb796728a57ddf81f52b9a  confirmed
9914075cc687bdc352ee136ac6579707  confirmed
911de8d67af652a87415f8c0a30688b2  confirmed
18a451d70f96a1335623b385f0993bcc  confirmed
85d316590edfb4212049c4490db08c4b  confirmed
9cc6854bc5e217104734043c89dc4ff8  confirmed
7fe80cee04003fed91c02e3a372f4b01  confirmed
SHA256 (11)
752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9f  confirmed
a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118  confirmed
cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6  confirmed
efa57ca7aa5f42578ab83c9d510393fcf4e981a3eb422197973c65b7415863e7  confirmed
95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2  confirmed
d4616f9706403a0d5a2f9a8726230a4693e4c95c58df5c753ccc684f1d3542e2  confirmed
7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836  confirmed
4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b  confirmed
825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc  confirmed
99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d  confirmed
200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22  confirmed
DOMAIN (2)
sap.misapor.ch  confirmed
eye-watch.in  confirmed
SHA1 (14)
e45ca027635f904101683413dd58fbd64d602ebe  confirmed
9876f8650d75938f8a2e4fb4df4321cc819d0f58  confirmed
a107f1046f5224fdb3a5826fa6f940a981fe65a1  confirmed
50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c  confirmed
97a3698ffffdb63df79faeaf58169f9755db1f90  confirmed
fa4f2e3f7c56210d1e380ec6d74a0b6dd776994b  confirmed
aa115e6587a535146b7493d6c02896a7d322879e  confirmed
bedceafa2109139c793cb158cec9fa48f980ff2b  confirmed
da967dc59a7b61aeaeaee380b2c147c5bb1b3bc5  confirmed
4f0d7a33d23d53c0eb8b34d102cdd660fc5323a2  confirmed
11568dffd6325ade217fbe49ce56a3ee5001cbcc  confirmed
09c1756064f15fcdd29ff8f239b3d5dcc22ac492  confirmed
2c6c244b3858ce06a0b646ae386f65e69ae5c046  confirmed
178994ab2d4fc0a32a328e97d7d220c8bbb9150c  confirmed
IP (1)
54.235.197.176  confirmed
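The indicator list above is only useful once it is normalised and checked against your own telemetry. The following is an added example, not code from the page or from any vendor report on this campaign: it takes a subset of the indicators exactly as they appear above (with the page's "confirmed" label fused onto each value), classifies each one by type, then matches them against a few constructed log lines and against file contents. The log lines, host names and paths are invented for the example; the hash, domain and IP values are the ones listed on this page.

```python
import hashlib
import re

# A subset of the indicators from this page, copied with the page's
# "confirmed" label still fused onto each value, exactly as extracted.
RAW_IOCS = """
1f7897b041a812f96f1925138ea38c46confirmed
cb52c013f7af0219d45953bae663c9a2confirmed
752b8e93a8f6803b265dd3a7cd39df86997cf99900426635b1b97dd665bd7f9fconfirmed
cd10ffb7a88f0d2ec69326e7a13f00b9ed211a3a719f89a755a29494ff1142e6confirmed
e45ca027635f904101683413dd58fbd64d602ebeconfirmed
9876f8650d75938f8a2e4fb4df4321cc819d0f58confirmed
sap.misapor.chconfirmed
eye-watch.inconfirmed
54.235.197.176confirmed
"""

# The page only uses "confirmed"; "suspected" is an assumed second label.
CONFIDENCE_LABELS = ("confirmed", "suspected")

HEX = re.compile(r"[0-9a-f]+")
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
# Tokens in a log line: alphanumerics with dots/hyphens, so "host=eye-watch.in"
# and "dst=54.235.197.176:443" each yield the bare indicator value.
TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def split_label(token):
    """Separate a fused confidence label from the indicator value."""
    for label in CONFIDENCE_LABELS:
        if token.endswith(label) and len(token) > len(label):
            return token[: -len(label)], label
    return token, "unlabelled"


def classify(value):
    """Infer the indicator type: hash by hex length, else IPv4, else domain."""
    v = value.lower()
    if HEX.fullmatch(v):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v), "unknown")
    if IPV4.fullmatch(v):
        return "ipv4"
    if DOMAIN.fullmatch(v):
        return "domain"
    return "unknown"


def parse_iocs(raw):
    """Return {lowercased value: {"type": ..., "confidence": ...}}."""
    iocs = {}
    for line in raw.splitlines():
        token = line.strip()
        if not token:
            continue
        value, label = split_label(token)
        value = value.lower()
        iocs[value] = {"type": classify(value), "confidence": label}
    return iocs


# Constructed sample telemetry (not from any real incident): proxy, DNS and
# EDR file events. Only the last line should produce no hit.
SAMPLE_LOGS = [
    "2016-02-03T10:14:22Z proxy src=10.0.5.17 dst=54.235.197.176:443 host=eye-watch.in bytes=8192",
    "2016-02-03T10:14:25Z dns client=10.0.5.17 query=sap.misapor.ch type=A",
    "2016-02-03T10:15:01Z edr host=WS0412 event=file_create path=C:\\Users\\Public\\svchost.exe "
    "sha256=752B8E93A8F6803B265DD3A7CD39DF86997CF99900426635B1B97DD665BD7F9F",
    "2016-02-03T10:15:03Z edr host=WS0412 event=file_create path=C:\\Windows\\Temp\\x.tmp "
    "md5=d41d8cd98f00b204e9800998ecf8427e",
]


def scan_logs(lines, iocs):
    """Match every token of every line against the indicator set (case-insensitive)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN.findall(line):
            v = tok.lower()
            if v in iocs:
                hits.append({"line": n, "value": v, "type": iocs[v]["type"]})
    return hits


def match_file_content(data, iocs):
    """Hash file bytes with the three algorithms used on the page and return
    (algorithm, digest) pairs that appear in the indicator set."""
    digests = {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}
    return [(alg, d) for alg, d in digests.items() if d in iocs]


if __name__ == "__main__":
    iocs = parse_iocs(RAW_IOCS)
    for hit in scan_logs(SAMPLE_LOGS, iocs):
        print(f"line {hit['line']}: {hit['type']} {hit['value']}")
    print(match_file_content(b"constructed benign file content", iocs))
```

Matching on whole tokens rather than substrings avoids false positives such as a shorter hash appearing inside a longer one, and lowercasing both sides handles EDR products that emit upper-case digests. The domain regex is deliberately loose; treat anything it classifies as "unknown" as a signal to inspect the extracted value by hand rather than discard it.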