{ "type": "bundle", "id": "bundle--ddf33d46-616c-48ee-b7e7-43bdd4b7611d", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--d976efb0-dbf4-4790-b8d9-91c08e643a32", "created": "2024-03-11T10:19:12.224755Z", "modified": "2024-03-14T13:07:16.747961Z", "name": "RustyNoob619", "identity_class": "organization" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0eab46d8-0241-4901-8b28-b5e1e1829102", "created": "2026-06-24T22:32:00.273989Z", "modified": "2026-06-24T22:32:00.273989Z", "name": "YARA Rule", "pattern": "import \"pe\"\r\n\r\nrule DLL_North_Korean_Lazarus_March2024 {\r\n meta:\r\n Description = \"Detects a malicious DLL used by a North Korean Threat actor Lazarus\"\r\n Author = \"RustyNoob619\"\r\n Credits = \"@BaoshengbinCumt for sharing the malware sample on Twitter\"\r\n Reference = \"https://twitter.com/BaoshengbinCumt/status/1767422816507646073\"\r\n Hash = \"5289529957d52c9d5fc2e47aa9924fd1de21b902509dee0241d5d6b056733a94\"\r\n\r\n strings:\r\n $str1 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Connections\" wide\r\n $str2 = \"SeDebugPrivilege\" wide\r\n $str3 = \"AutoConfigURL\" wide\r\n\r\n $usragnt1 = \"Content-Length:\" wide\r\n $usragnt2 = \"Content-Type: application/x-www-form-urlencoded\" wide\r\n\r\n $cmd1 = \"opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u\"\r\n $cmd2 = \"dist data: dyn %ld, stat %ld\"\r\n $cmd3 = \"lit data: dyn %ld, stat %ld\"\r\n $cmd4 = \"dyn trees: dyn %ld, stat %ld\"\r\n $cmd5 = \"code %d bits %d->%d\"\r\n $cmd6 = \"bl code %2d\"\r\n\r\n condition:\r\n pe.imports(\"KERNEL32.dll\",\"UpdateProcThreadAttribute\")\r\n and pe.imports(\"KERNEL32.dll\",\"QueryPerformanceCounter\")\r\n and pe.imports(\"KERNEL32.dll\",\"IsDebuggerPresent\")\r\n and pe.imports(\"KERNEL32.dll\",\"GetUserDefaultLCID\")\r\n and pe.imports(\"ole32.dll\",\"CoInitializeEx\")\r\n and pe.imports(\"ole32.dll\",\"CoInitializeSecurity\")\r\n and pe.imports(\"SHELL32.dll\",\"CommandLineToArgvW\")\r\n and pe.imports(\"ADVAPI32.dll\",\"LookupPrivilegeValueW\")\r\n \r\n and pe.exports(\"InitProcessPriv\")\r\n and pe.exports(\"InitThread\")\r\n and pe.exports(\"ShutdownLockAppHostServer\")\r\n and pe.exports(\"StartLockAppHostServer\")\r\n and pe.exports(\"UnInitProcessPriv\")\r\n and pe.exports(\"UnInitThread\")\r\n and 2 of ($str*)\r\n and any of ($usragnt*)\r\n and 3 of ($cmd*)\r\n}", "pattern_type": "yara", "valid_from": "2024-03-14T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--b7f36951-8120-45eb-bb16-9b8f3efcb819", "hashes": { "SHA-256": "5289529957d52c9d5fc2e47aa9924fd1de21b902509dee0241d5d6b056733a94" } }, { "type": "report", "spec_version": "2.1", "id": "report--3c924e63-1079-4ea1-af01-e111e83fb724", "created_by_ref": "identity--d976efb0-dbf4-4790-b8d9-91c08e643a32", "created": "2026-06-24T22:32:00.277866Z", "modified": "2026-06-24T22:32:00.277866Z", "name": "Detects a malicious DLL used by a North Korean Threat actor Lazarus", "published": "2024-03-14T00:00:00Z", "object_refs": [ "identity--d976efb0-dbf4-4790-b8d9-91c08e643a32", "indicator--0eab46d8-0241-4901-8b28-b5e1e1829102", "file--b7f36951-8120-45eb-bb16-9b8f3efcb819" ], "external_references": [ { "source_name": "source", "url": "https://github.com/RustyNoob-619/100-Days-of-YARA-2024/blob/main/Day74.yar" } ] } ] }