{
	"id": "495fd54a-bdcc-4652-bbb6-327633eeffd5",
	"created_at": "2026-04-10T03:21:32.555846Z",
	"updated_at": "2026-04-10T13:13:05.207035Z",
	"deleted_at": null,
	"sha1_hash": "385e32a8862ac2a4949be0dc9a6a436c48c69d81",
	"title": "IoCs/APT/dtrack_lazarus_group.md at master · jeFF0Falltrades/IoCs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47203,
	"plain_text": "IoCs/APT/dtrack_lazarus_group.md at master ·\r\njeFF0Falltrades/IoCs\r\nBy jeFF0Falltrades\r\nArchived: 2026-04-10 03:03:06 UTC\r\nDTrack\r\nUtilized by North Korean APT \"Lazarus Group\"; Not to be confused with ATMDtrack\r\nReporting\r\nhttps://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers\r\nhttps://twitter.com/a_tweeter_user/status/1188811977851887616?s=20\r\nYARA\r\nrule dtrack_2020 {\r\n meta:\r\n author = \"jeFF0Falltrades\"\r\n strings:\r\n $pdb = \"Users\\\\user\\\\Documents\\\\Visual Studio 2008\\\\Projects\\\\MyStub\\\\Release\\\\MyStub.pdb\" wi\r\n $str_log = \"------------------------------ Log File Create....\" wide ascii\r\n $str_ua = \"CCS_Mozilla/5.0 (Windows NT 6.1\" wide ascii\r\n $str_chrome = \"Local Settings\\\\Application Data\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\History\r\n $str_tmp = \"%s\\\\~%d.tmp\" wide ascii\r\n $str_exc = \"Execute_%s.log\" wide ascii\r\n $str_reg_use = /net use \\\\\\\\[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\\\C\\$ \\/delete/\r\n $str_reg_move = /move \\/y %s \\\\\\\\[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\\\C\\$\\\\Windows\r\n $hex_1 = { d1 ?? 33 ?? fc 81 ?? ff 00 00 00 c1 ?? 17 }\r\n $hex_2 = { c1 ?? 08 8b ?? fc c1 ?? 
10 }\r\n $hex_3 = { 81 0D [4] 1C 31 39 29 }\r\n condition:\r\n 2 of them or $hex_3\r\n}\r\nSample Hashes\r\nhttps://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md\r\nPage 1 of 2\n\n3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682\r\nbfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364\r\n51ac3966b48c91947de4ce51a90aee9deb730d86cedf8c863d9dcdf0fb322537\r\n61c1b9afa2347c315a6b4628f9dff3ada6f8d040345402d4708881f05b1ec48b\r\nee9cd8decf752a47eefe24369a806976dce8ac2c29a8271c68bc407326fb19a9\r\n791c59a0d6456ac1d9976fe82dc6b13f3e5980c6cfa2fd9d58a3cc849755ea9f\r\n93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9\r\na0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68\r\nc5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c\r\nb0bf63300fd4f6a0b1544663b6326c250086369b128d241287d150e6e6409fd8 (test file)\r\n1ba8cba6337da612d1db2cdfe1b44f6110741d91ba696a5b125ebd3e9b081ed7\r\n4701cc722f03253fb332747f951fff4c4ff023e13096a7e090a22b95c70efbf3\r\nSource: https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md\r\nhttps://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md"
	],
	"report_names": [
		"dtrack_lazarus_group.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775791292,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/385e32a8862ac2a4949be0dc9a6a436c48c69d81.pdf",
		"text": "https://archive.orkl.eu/385e32a8862ac2a4949be0dc9a6a436c48c69d81.txt",
		"img": "https://archive.orkl.eu/385e32a8862ac2a4949be0dc9a6a436c48c69d81.jpg"
	}
}
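The dtrack_2020 rule in the archived page above combines `wide ascii` text strings, one ASCII-only regex, and three hex strings that use `??` byte wildcards and a `[4]` jump, all evaluated under `2 of them or $hex_3`. The script below is an added example, not code from the jeFF0Falltrades/IoCs repository and not yara-python: it re-implements that subset of YARA matching by hand so the rule's logic can be checked offline, and it generalises the hex-string translation to nibble wildcards (`8?`, `?d`) and `[n-m]` jumps that the rule itself does not use. The four sample buffers are constructed here and are not DTrack samples; the truncated `$str_reg_move` regex is left out.

```python
import re
from typing import Dict

# Strings copied from the dtrack_2020 rule on the page. This file is an added
# illustration that hand-implements a subset of YARA matching; it is not
# yara-python and not code from the jeFF0Falltrades/IoCs repository.
TEXT_STRINGS: Dict[str, str] = {            # every one of these carries `wide ascii` in the rule
    "pdb": r"Users\user\Documents\Visual Studio 2008\Projects\MyStub\Release\MyStub.pdb",
    "str_log": "------------------------------ Log File Create....",
    "str_ua": "CCS_Mozilla/5.0 (Windows NT 6.1",
    "str_chrome": r"Local Settings\Application Data\Google\Chrome\User Data\Default\History",
    "str_tmp": r"%s\~%d.tmp",
    "str_exc": "Execute_%s.log",
}
REGEX_STRINGS: Dict[str, bytes] = {         # YARA regexes match ASCII only unless marked wide
    "str_reg_use": rb"net use \\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\C\$ /delete",
    # $str_reg_move is truncated in the archived copy and is deliberately omitted.
}
HEX_STRINGS: Dict[str, str] = {
    "hex_1": "d1 ?? 33 ?? fc 81 ?? ff 00 00 00 c1 ?? 17",
    "hex_2": "c1 ?? 08 8b ?? fc c1 ?? 10",
    "hex_3": "81 0D [4] 1C 31 39 29",
}


def _nibble_class(tok: str) -> bytes:
    """Expand a nibble wildcard such as `8?` or `?d` into a bytes character class."""
    hi, lo = tok[0], tok[1]
    members = [b for b in range(256)
               if (hi == "?" or (b >> 4) == int(hi, 16))
               and (lo == "?" or (b & 0xF) == int(lo, 16))]
    return b"[" + b"".join(re.escape(bytes([b])) for b in members) + b"]"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate YARA hex-string syntax (plain bytes, `??`, nibble wildcards, `[n]` and
    `[n-m]` jumps) into a compiled bytes regex. Goes beyond the three patterns in the rule."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(rb".")                        # any single byte
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")       # [4] -> exactly 4 bytes, [2-6] -> 2..6 bytes
            parts.append(b".{" + lo.encode() + b"," + (hi or lo).encode() + b"}")
        elif "?" in tok:
            parts.append(_nibble_class(tok))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)      # DOTALL so `.` also matches 0x0a


def text_string_matches(s: str, buf: bytes) -> bool:
    """`wide ascii`: the raw ASCII bytes or the UTF-16LE ("wide") encoding may appear."""
    return s.encode("ascii") in buf or s.encode("utf-16-le") in buf


def scan(buf: bytes) -> Dict[str, bool]:
    """Evaluate every string of the rule against a buffer; returns name -> matched."""
    hits = {name: text_string_matches(s, buf) for name, s in TEXT_STRINGS.items()}
    hits.update({name: re.search(p, buf) is not None for name, p in REGEX_STRINGS.items()})
    hits.update({name: hex_pattern_to_regex(p).search(buf) is not None
                 for name, p in HEX_STRINGS.items()})
    return hits


def dtrack_2020_condition(buf: bytes) -> bool:
    """Mirror the rule's condition `2 of them or $hex_3`."""
    hits = scan(buf)
    return sum(hits.values()) >= 2 or hits["hex_3"]


# Constructed buffers (not real DTrack samples) that exercise each branch of the condition.
SAMPLE_HEX3_ONLY = b"\x00" * 8 + bytes.fromhex("81 0d 11 22 33 44 1c 31 39 29") + b"\x00" * 8
SAMPLE_TWO_STRINGS = b"Execute_%s.log" + "%s\\~%d.tmp".encode("utf-16-le")   # ascii + wide
SAMPLE_ONE_STRING = b"Execute_%s.log" + b"\x00" * 16
SAMPLE_HEX1_ONLY = bytes.fromhex("d1 e8 33 45 fc 81 e1 ff 00 00 00 c1 e9 17")

if __name__ == "__main__":
    for label, buf in [("hex_3 only", SAMPLE_HEX3_ONLY), ("two strings", SAMPLE_TWO_STRINGS),
                       ("one string", SAMPLE_ONE_STRING), ("hex_1 only", SAMPLE_HEX1_ONLY)]:
        print(f"{label:12s} -> {dtrack_2020_condition(buf)}")
```

The hand-rolled matcher is for understanding the rule, not for production scanning; run the rule itself with yara or yara-python on the listed hashes. One caveat the script makes visible: `$hex_3` alone satisfies the condition, so it is the single pattern most worth validating against clean binaries before deploying the rule broadly.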