IOCs

2014 CAMPAIGN: FATAL BEAUTY

DROPPER
SHA256: 413772d81e4532fec5119e9dce5e2bf90b7538be33066cf9a6ff796254a5225f
Filename: beauty.scr

DROPPED FILES
#1
SHA256: eb90e40fc4d91dec68e8509056c52e9c8ed4e392c4ac979518f8d87c31e2b435
Filename: C:\Windows\beauty.jpg
File type: JPEG image data, JFIF standard 1.02
#2
SHA256: 44150350727e2a42f66d50015e98de462d362af8a9ae33d1f5124f1703179ab9
Filename: C:\Windows\svchost.exe
File type: PE32 executable (GUI) Intel 80386, for MS Windows

CC
phpschboy[.]prohosts[.]org
jams481[.]site[.]bz

2016 CAMPAIGN: HOW CAN NORTH KOREAN HYDROGEN BOMB WIPE OUT MANHATTAN

DROPPER
SHA256: 94113c9968db13e3412c1b9c1c882592481c559c0613dbccfed2fcfc80e77dc5
Filename: How can North Korean hydrogen bomb wipe out Manhattan.src

DROPPED
#1
SHA256: 56f159cde3a55ae6e9270d95791ef2f6859aa119ad516c9471010302e1fb5634
Filename: conhote.dll
#2
SHA256: 553a475f72819b295927e469c7bf9aef774783f3ae8c34c794f35702023317cc
Filename: winnit.exe
#3
SHA256: 92600679bb183c1897e7e1e6446082111491a42aa65a3a48bd0fceae0db7244f
Filename: Anti virus service.lnk

CC
dowhelsitjs[.]netau[.]net

2017 CAMPAIGN A:

DROPPER
SHA256: 69a9d7aa0cb964c091ca128735b6e60fa7ce028a2ba41d99023dd57c06600fe0
Filename: Pyongyang Directory Group email April 2017 RC_Office_Coordination_Associate.src

DROPPED
#1
SHA256: 3de491de3f39c599954bdbf08bba3bab9e4a1d2c64141b03a866c08ef867c9d1
Filename: adobe distillist.lnk
#2
SHA256: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635
Filename: winload.exe
#3
SHA256: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d
Filename: winload.dll

CC
Pactchfilepacks[.]net23[.]net
checkmail[.]phpnet[.]us

2017 CAMPAIGN B:

DROPPER
SHA256: 640477943ad77fb2a74752f4650707ea616c3c022359d7b2e264a63495abe45e
Filename: Inter Agency List and Phonebook - April 2017 RC_Office_Coordination_Associate.src

DROPPED
#1
SHA256: 4585584fe7e14838858b24c18a792b105d18f87d2711c060f09e62d89fc3085b
Filename: adobe distillist.lnk
#2
SHA256: 39bc918f0080603ac80fe1ec2edfd3099a88dc04322106735bc08188838b2635
Filename: winload.exe
#3
SHA256: dd730cc8fcbb979eb366915397b8535ce3b6cfdb01be2235797d9783661fc84d
Filename: winload.dll

CC
Pactchfilepacks[.]net23[.]net
checkmail[.]phpnet[.]us