{
    "type": "bundle",
    "id": "bundle--6168e235-7cb4-482c-9c65-e110953e5ce8",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--099fda28-c579-453d-b4f6-7ff517a1fb4f",
            "created": "2025-03-10T00:22:22.664547Z",
            "modified": "2025-03-10T00:22:22.664583Z",
            "name": "ZW01f",
            "identity_class": "organization"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--31086cac-67b8-49e4-b4a1-e8dc7323bd85",
            "value": "https://content.dropboxapi.com/2/files/download"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--c1044d52-426f-4905-89da-fa1e2d65eeee",
            "value": "https://content.dropboxapi.com/2/files/upload"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--8d290fe2-d244-4bf5-b57b-4f6c4660e5d0",
            "value": "https://cloud-api.yandex.net/v1/disk/resources?path=%s&limit=500"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--a64126c6-9559-4290-83bc-03b468f963d2",
            "value": "https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--3d0e2263-4447-4e96-8bc2-2e26dd1fabd0",
            "value": "https://cloud-api.yandex.net/v1/disk/resources/download?path=%s"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--04fe9298-99e4-459a-ae8f-10073a59a9da",
            "value": "https://api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--76c71fe9-1211-4a69-80ff-c4332edeabec",
            "value": "https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--ceed8ea1-c030-48eb-83bf-b9ecbc3422cd",
            "value": "https://api.pcloud.com/getfilelink?path=%s&forcedownload=1&skipfilename=1"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--0a5f9e7d-5101-4503-99f6-4e60fc8edf77",
            "value": "https://api.pcloud.com/listfolder?path=%s"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--f038e68c-d14a-4800-8c23-b4e782ab82e7",
            "value": "https://api.dropboxapi.com/2/files/list_folder"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--e98229d3-33d9-496a-bb31-18f8ad4943da",
            "value": "https://api.dropboxapi.com/2/files/delete"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--2544bf0e-67c0-439e-af3d-92960395fe67",
            "value": "https://api.pcloud.com/deletefile?path=%s"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--02e2f1b8-e1eb-428f-ac08-372b2b6e7291",
            "value": "cloud-api.yandex.net"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--26f18d55-7793-434b-8767-494739da1788",
            "created": "2026-06-24T18:08:39.543878Z",
            "modified": "2026-06-24T18:08:39.543878Z",
            "name": "YARA Rule",
            "pattern": "rule detct_RokRat\r\n{\r\nmeta:\r\ndescription = \"Detects Rokrat payload using some of the hardcoded strings\"\r\nauthor = \"Mohamed Ezzat (@ZW01f)\"\r\nhash1 = \"09a4adef9a7374616851e5e2a7d9539e1b9808e153538af94ad1d6d73a3a1232\"\r\nhash2 = \"94159655fa0bfb1eff092835d8922d3e18ca5c73884fd0d8b78f42c8511047b6\"\r\nstrings:\r\n// APIs used\r\n$s0 = \"https://api.pcloud.com/deletefile?path=%s\" wide\r\n$s1 = \"https://api.dropboxapi.com/2/files/list_folder\" wide\r\n$s3 = \"https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s\" wide\r\n$s4 = \"https://cloud-api.yandex.net/v1/disk/resources?path=%s&limit=500\" wide\r\n$s5 = \"https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s\" wide\r\n// file it uses for downloading payloads\r\n$s6 = \"KB400928_doc.exe\"\r\n$s7 = \"%04d%02d%02d %02d%02d%02d\" wide\r\ncondition:\r\nuint16(0) == 0x5A4D and all of ($s*)\r\n}",
            "pattern_type": "yara",
            "valid_from": "2025-03-10T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--0d8403b8-ca31-4978-8b18-a54ce3d2629f",
            "hashes": {
                "SHA-256": "9d96e4816a59475768d461a71cecf20fd99215ce289ecae8c865cf45feeb8802"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--74bf5a84-b707-4d6d-a174-30e6621d167b",
            "hashes": {
                "SHA-256": "cfc814a16547dd4e92607bd42d2722cc567492e88d2830d7d28a0cc20bf3950c"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--321e3715-ec1b-4294-a2f5-315ca2ff6113",
            "hashes": {
                "SHA-256": "6d790df4a2c81e104db10f5e47eb663ca520a456b1305e74f18b2f20758ea4e1"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--d6400eec-120c-4473-9435-e71154b1c67a",
            "hashes": {
                "SHA-256": "1c4cd06ebece62c796ea517bf26cc869fa71213d17e30feb0f91c8a4cfa7ef1b"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--4bf2ec0b-3b05-49cf-95d8-43c4ae565eae",
            "hashes": {
                "SHA-256": "2b6928101efa6ededc7da18e7894866710c10794b8cbaf43b48c721e9731c41a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a0fd4895-ce06-40c4-acf3-022237542ecf",
            "hashes": {
                "SHA-256": "09a4adef9a7374616851e5e2a7d9539e1b9808e153538af94ad1d6d73a3a1232"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--df75e4bc-c3e4-4c98-aaff-0493e2a39b41",
            "hashes": {
                "SHA-256": "7df7ad7b88887a06b559cd453e7b65230d0cccff1a403328a521d8753000c6c9"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--b46e1dcb-2d89-40a2-bb27-05705aababf0",
            "hashes": {
                "SHA-256": "5306582c8a24508b594fed478d5abaa5544389c86ba507d8ebf98c5c7edde451"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--e600ed76-89d1-4f9d-8b51-8e7792d75eca",
            "hashes": {
                "SHA-256": "94159655fa0bfb1eff092835d8922d3e18ca5c73884fd0d8b78f42c8511047b6"
            }
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--3be555f5-1f0d-5001-b84a-c6c910760fd0",
            "created": "2026-06-24T18:08:39.552507Z",
            "modified": "2026-06-24T18:08:39.552507Z",
            "name": "APT37"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--e64b674f-efb5-4497-b439-7fed70ddc3c4",
            "created_by_ref": "identity--099fda28-c579-453d-b4f6-7ff517a1fb4f",
            "created": "2026-06-24T18:08:39.556442Z",
            "modified": "2026-06-24T18:08:39.556442Z",
            "name": "APT37 - RokRat",
            "published": "2025-03-10T00:00:00Z",
            "object_refs": [
                "identity--099fda28-c579-453d-b4f6-7ff517a1fb4f",
                "url--31086cac-67b8-49e4-b4a1-e8dc7323bd85",
                "url--c1044d52-426f-4905-89da-fa1e2d65eeee",
                "url--8d290fe2-d244-4bf5-b57b-4f6c4660e5d0",
                "url--a64126c6-9559-4290-83bc-03b468f963d2",
                "url--3d0e2263-4447-4e96-8bc2-2e26dd1fabd0",
                "url--04fe9298-99e4-459a-ae8f-10073a59a9da",
                "url--76c71fe9-1211-4a69-80ff-c4332edeabec",
                "url--ceed8ea1-c030-48eb-83bf-b9ecbc3422cd",
                "url--0a5f9e7d-5101-4503-99f6-4e60fc8edf77",
                "url--f038e68c-d14a-4800-8c23-b4e782ab82e7",
                "url--e98229d3-33d9-496a-bb31-18f8ad4943da",
                "url--2544bf0e-67c0-439e-af3d-92960395fe67",
                "domain-name--02e2f1b8-e1eb-428f-ac08-372b2b6e7291",
                "indicator--26f18d55-7793-434b-8767-494739da1788",
                "file--0d8403b8-ca31-4978-8b18-a54ce3d2629f",
                "file--74bf5a84-b707-4d6d-a174-30e6621d167b",
                "file--321e3715-ec1b-4294-a2f5-315ca2ff6113",
                "file--d6400eec-120c-4473-9435-e71154b1c67a",
                "file--4bf2ec0b-3b05-49cf-95d8-43c4ae565eae",
                "file--a0fd4895-ce06-40c4-acf3-022237542ecf",
                "file--df75e4bc-c3e4-4c98-aaff-0493e2a39b41",
                "file--b46e1dcb-2d89-40a2-bb27-05705aababf0",
                "file--e600ed76-89d1-4f9d-8b51-8e7792d75eca",
                "threat-actor--3be555f5-1f0d-5001-b84a-c6c910760fd0"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://zw01f.github.io/malware%20analysis/apt37/"
                }
            ]
        }
    ]
}