{ "type": "bundle", "id": "bundle--4dcaef4b-46c0-4334-9524-2bbaf9e260fd", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--a376a29c-d499-4d13-a9b0-c30b2b36c12d", "created": "2023-03-08T12:51:55.504513Z", "modified": "2024-09-12T13:07:45.993173Z", "name": "Cyfirma", "identity_class": "organization" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fd6c958d-78c9-429f-a1d1-18002affaf58", "created": "2026-06-24T19:54:52.982563Z", "modified": "2026-06-24T19:54:52.982563Z", "name": "YARA Rule", "pattern": "rule Konni_RAT\r\n{\r\nmeta:\r\ndescription = \u201cDetects Konni RAT based on IoCs including file names, hashes, URLs, and registry keys.\u201d\r\nauthor = \u201cCYFIRMA Research\u201d\r\ndate = \u201c2025-03-28\u201d\r\nthreat_level = \u201cHigh\u201d\r\nmal_type = \u201cRemote Access Trojan\u201d\r\nstrings:\r\n$file1 = \u201cfolder.zip\u201d\r\n$file2 = \u201c2024\ub144 \uadc0\uc18d \uc5f0\ub9d0\uc815\uc0b0 \uc548\ub0b4\ubb38_\uc138\ud55c.docx.lnk\u201d\r\n$file3 = \u201cstart.vbs\u201d\r\n$file4 = \u201cdisappear.cab\u201d\r\n$file5 = \u201c32791673.bat\u201d\r\n$file6 = \u201c40137808.bat\u201d\r\n$file7 = \u201c45150722.bat\u201d\r\n$file8 = \u201c92754154.bat\u201d\r\n$file9 = \u201c93152588.bat\u201d\r\n$file10 = \u201c96001702.bat\u201d\r\n$file11 = \u201c98389791.bat\u201d\r\n$url1 = \u201chttps://www.acschoolcatering.com/libraries/src/inc/get.php?\u201d\r\n$url2 = \u201chttps://www.roofcolor.com/wp-includes/js/src/upload.php\u201d\r\n$url3 = \u201chttps://www.roofcolor.com/wp-includes/js/src/list.php?\u201d\r\n$reg_key = \u201cHKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\svcstart\u201d\r\ncondition:\r\n// Detects based on specific hashes of known files (SHA256 only)\r\nhash.sha256(\u201c61ce43ea1c2ddafb23ee8ee083417fd375bbefce200f9bb48166af7c67df4d3c\u201d) or\r\nhash.sha256(\u201cb81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543\u201d) or\r\nhash.sha256(\u201c76ee4da0af1921b820cc0913b4011bb5382edac958eb2592ee1c3a00a41c2041\u201d) or\r\nhash.sha256(\u201cf1b4eb84e77e39803a0463b49b66600adb19347512354d0481568a8411b75b24\u201d) or\r\nhash.sha256(\u201cc348e945e1f6123bd054277d16a39da715deed8f5a6849bc70a57913b877e2ba\u201d) or\r\nhash.sha256(\u201ca8b0f9717bc16d48e55be95886500179ca4b7dad9610dd0865dbf8849901a791\u201d) or\r\nhash.sha256(\u201c474978a976de1c869385d37ae422b1718918bc8cc05353a4bebb2b75846ab74c\u201d) or\r\nhash.sha256(\u201cee8e8471fbe1b7fc85508e549444893bdea7579c5032c2626abcb1356129787e\u201d) or\r\nhash.sha256(\u201ce3c3981f65663c9923da9ca28c20951543ae3796bd39f86964769490b01c2bd7\u201d) or\r\nhash.sha256(\u201c4c53e24db4b7858fd9d17de2bfc3d73096f41172dfcc31a807231acb97aff9d0\u201d) or\r\nhash.sha256(\u201ca19b9eb292395e0d84c4a1a8eb5c88abbe0f71060cd06a436bf79da914e3e0c1\u201d) or\r\n// Detect specific URLs\r\n$url1 in url or\r\n$url2 in url or\r\n$url3 in url or\r\n// Detect persistence mechanism in the registry\r\n$reg_key in registry\r\n}", "pattern_type": "yara", "valid_from": "2025-03-28T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--1dc1455f-2fc2-4553-bb1e-ee64c8c63550", "hashes": { "SHA-256": "76ee4da0af1921b820cc0913b4011bb5382edac958eb2592ee1c3a00a41c2041" } }, { "type": "file", "spec_version": "2.1", "id": "file--b7fdde67-d5b7-4b8b-acb1-19985b8fe3b7", "hashes": { "SHA-256": "a8b0f9717bc16d48e55be95886500179ca4b7dad9610dd0865dbf8849901a791" } }, { "type": "file", "spec_version": "2.1", "id": "file--8d93680c-3084-458d-973a-9e5ff41895a9", "hashes": { "MD5": "cae6a87fd9ab544e5ccceb38f35c201e" } }, { "type": "file", "spec_version": "2.1", "id": "file--da104c04-bf8a-415e-b9e0-77d815224c58", "hashes": { "SHA-256": "474978a976de1c869385d37ae422b1718918bc8cc05353a4bebb2b75846ab74c" } }, { "type": "file", "spec_version": "2.1", "id": "file--bb2c7400-abc6-4496-9415-b1ecf1cde1c7", "hashes": { "SHA-256": "c348e945e1f6123bd054277d16a39da715deed8f5a6849bc70a57913b877e2ba" } }, { "type": "file", "spec_version": "2.1", "id": "file--eb6fe829-6cff-4399-add0-0094f5278c5b", "hashes": { "SHA-256": "4c53e24db4b7858fd9d17de2bfc3d73096f41172dfcc31a807231acb97aff9d0" } }, { "type": "file", "spec_version": "2.1", "id": "file--a140f25d-284b-477c-9f11-774104a3cd34", "hashes": { "SHA-256": "61ce43ea1c2ddafb23ee8ee083417fd375bbefce200f9bb48166af7c67df4d3c" } }, { "type": "file", "spec_version": "2.1", "id": "file--af076543-9a82-4c5c-bbb0-2f2c8d6098ec", "hashes": { "SHA-256": "ee8e8471fbe1b7fc85508e549444893bdea7579c5032c2626abcb1356129787e" } }, { "type": "file", "spec_version": "2.1", "id": "file--0a44e5fa-5427-48b5-8e28-59eaa61c8957", "hashes": { "SHA-256": "f1b4eb84e77e39803a0463b49b66600adb19347512354d0481568a8411b75b24" } }, { "type": "file", "spec_version": "2.1", "id": "file--16f33ada-92e8-4548-ab7e-b421f2b5c6be", "hashes": { "SHA-256": "a19b9eb292395e0d84c4a1a8eb5c88abbe0f71060cd06a436bf79da914e3e0c1" } }, { "type": "file", "spec_version": "2.1", "id": "file--ab1f112f-fae9-4ae0-a866-2240a97842dc", "hashes": { "SHA-256": "e3c3981f65663c9923da9ca28c20951543ae3796bd39f86964769490b01c2bd7" } }, { "type": "url", "spec_version": "2.1", "id": "url--bab309a3-fbf7-4fbf-8f6f-b1e9490bb2bc", "value": "https://www.roofcolor.com/wp-includes/js/src/list.php?" }, { "type": "url", "spec_version": "2.1", "id": "url--fa279951-c8b9-4b69-bdbf-e84a8c5e09dd", "value": "https://www.acschoolcatering.com/libraries/src/inc/get.php?" }, { "type": "url", "spec_version": "2.1", "id": "url--d62a1ea2-e178-4fda-a48b-48fb027ae566", "value": "http://www.roofcolor.com/wp-includes/js/src/list.php?f=%COMPUTERNAME%.txt" }, { "type": "url", "spec_version": "2.1", "id": "url--20fa74e4-7865-451f-ac5c-d8ab00bf6795", "value": "https://www.roofcolor.com/wp-includes/js/src/upload.php" }, { "type": "url", "spec_version": "2.1", "id": "url--1ed23f45-ea0b-4b36-88be-302f94c87a64", "value": "https://www.roofcolor.com/wp-includes/js/src/list.php" }, { "type": "url", "spec_version": "2.1", "id": "url--782a5fc8-c079-45f3-b23c-4c9b8f1b1e4c", "value": "https://www.acschoolcatering.com/libraries/src/inc/get.php" }, { "type": "file", "spec_version": "2.1", "id": "file--8f54f571-f267-44ee-819b-de454294add5", "hashes": { "MD5": "a2785ec65622217be80174b887b1eb06" } }, { "type": "file", "spec_version": "2.1", "id": "file--6f414ae3-35cd-4aa1-91b0-c25f8a1611b8", "hashes": { "SHA-256": "b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543" } }, { "type": "url", "spec_version": "2.1", "id": "url--8b42f5b5-f88a-4fdf-af59-91cd5bae205d", "value": "http://www.roofcolor.com/wp-includes/js/src/upload.php" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--c5ccef3c-2bf9-4c16-ae50-dc70e8d03d2e", "value": "roofcolor.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--353f2347-bd43-4e0a-b892-a91aed691c56", "value": "acschoolcatering.com" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--a014dfac-e081-5b16-a0b1-fe21d104be8f", "created": "2026-06-24T19:54:52.995942Z", "modified": "2026-06-24T19:54:52.995942Z", "name": "Konni" }, { "type": "report", "spec_version": "2.1", "id": "report--a219b35d-64e1-4be7-b83e-a872d8b97afa", "created_by_ref": "identity--a376a29c-d499-4d13-a9b0-c30b2b36c12d", "created": "2026-06-24T19:54:53.011641Z", "modified": "2026-06-24T19:54:53.011641Z", "name": "Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques", "published": "2025-03-28T00:00:00Z", "object_refs": [ "identity--a376a29c-d499-4d13-a9b0-c30b2b36c12d", "indicator--fd6c958d-78c9-429f-a1d1-18002affaf58", "file--1dc1455f-2fc2-4553-bb1e-ee64c8c63550", "file--b7fdde67-d5b7-4b8b-acb1-19985b8fe3b7", "file--8d93680c-3084-458d-973a-9e5ff41895a9", "file--da104c04-bf8a-415e-b9e0-77d815224c58", "file--bb2c7400-abc6-4496-9415-b1ecf1cde1c7", "file--eb6fe829-6cff-4399-add0-0094f5278c5b", "file--a140f25d-284b-477c-9f11-774104a3cd34", "file--af076543-9a82-4c5c-bbb0-2f2c8d6098ec", "file--0a44e5fa-5427-48b5-8e28-59eaa61c8957", "file--16f33ada-92e8-4548-ab7e-b421f2b5c6be", "file--ab1f112f-fae9-4ae0-a866-2240a97842dc", "url--bab309a3-fbf7-4fbf-8f6f-b1e9490bb2bc", "url--fa279951-c8b9-4b69-bdbf-e84a8c5e09dd", "url--d62a1ea2-e178-4fda-a48b-48fb027ae566", "url--20fa74e4-7865-451f-ac5c-d8ab00bf6795", "url--1ed23f45-ea0b-4b36-88be-302f94c87a64", "url--782a5fc8-c079-45f3-b23c-4c9b8f1b1e4c", "file--8f54f571-f267-44ee-819b-de454294add5", "file--6f414ae3-35cd-4aa1-91b0-c25f8a1611b8", "url--8b42f5b5-f88a-4fdf-af59-91cd5bae205d", "domain-name--c5ccef3c-2bf9-4c16-ae50-dc70e8d03d2e", "domain-name--353f2347-bd43-4e0a-b892-a91aed691c56", "threat-actor--a014dfac-e081-5b16-a0b1-fe21d104be8f" ], "external_references": [ { "source_name": "source", "url": "https://www.cyfirma.com/research/analysis-of-konni-rat-stealth-persistence-and-anti-analysis-techniques/" } ] } ] }