{
    "type": "bundle",
    "id": "bundle--b1794b6c-9e7f-4533-b093-f50e2598be83",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--73e00b2e-370c-4b86-982a-3f0379027134",
            "created": "2023-03-08T12:51:58.84666Z",
            "modified": "2023-03-08T12:51:58.84674Z",
            "name": "Anomali",
            "identity_class": "organization"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--26618aca-1ed9-43e2-a6ac-722676f112fe",
            "hashes": {
                "SHA-256": "4d4b17ddbcf4ce397f76cf0a2e230c9d513b23065f746a5ee2de74f447be39b9"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--79de2bac-5d23-49ae-92e6-a53c50b30523",
            "hashes": {
                "SHA-256": "e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--88f52636-735e-4e6e-aeb4-e2f9db0d4c37",
            "hashes": {
                "SHA-256": "ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--c7d21dc6-8662-4ee7-bae6-50fb6b7aa970",
            "hashes": {
                "SHA-256": "eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--24167ccc-bb90-41a9-8d04-e6acab46d0ee",
            "hashes": {
                "MD5": "5d0ffbc8389f27b0649696f0ef5b3cfe"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--5d1b663d-7650-44c0-b118-34061d5b87da",
            "hashes": {
                "MD5": "1d0e79feb6d7ed23eb1bf7f257ce4fee"
            }
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ef5398e6-d030-4458-ae4b-c3a3ea511fd3",
            "created": "2026-06-24T23:57:08.304971Z",
            "modified": "2026-06-24T23:57:08.304971Z",
            "name": "YARA Rule",
            "pattern": "rule AnomaliLABS_Lazarus_wipe_file_routine {\r\nmeta:\r\nauthor = \"aaron shelmire\"\r\ndate = \"2015 May 26\"\r\ndesc = \"Yara sig to detect File Wiping routine of the Lazarus group\"\r\nstrings:\r\n$rand_name_routine = { 99 B9 1A 00 00 00 F7 F9 80 C2 61 88 16 8A 46 01 46 84 C0 }\r\n/* imports for overwrite function */\r\n$imp_getTick = \"GetTickCount\"\r\n$imp_srand = \"srand\"\r\n$imp_CreateFile = \"CreateFileA\"\r\n$imp_SetFilePointer = \"SetFilePointer\"\r\n$imp_WriteFile = \"WriteFile\"\r\n$imp_FlushFileBuffers = \"FlushFileBuffers\"\r\n$imp_GetFileSizeEx = \"GetFileSizeEx\"\r\n$imp_CloseHandle = \"CloseHandle\"\r\n/* imports for rename function */\r\n$imp_strrchr = \"strrchr\"\r\n$imp_rand = \"rand\"\r\n$Move_File = \"MoveFileA\"\r\n$Move_FileEx = \"MoveFileEx\"\r\n$imp_RemoveDir = \"RemoveDirectoryA\"\r\n$imp_DeleteFile = \"DeleteFileA\"\r\n$imp_GetLastError = \"GetLastError\"\r\ncondition:\r\n$rand_name_routine and (11 of ($imp_*)) and ( 1 of ($Move_*))\r\n}",
            "pattern_type": "yara",
            "valid_from": "2016-05-27T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--b5372057-0b27-4635-96e0-50570725a266",
            "hashes": {
                "SHA-256": "bdcfa3b6ca6b351e76241bca17e8f30cc8f35bed0309cee91966be9bd01cb848"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--d074c8f0-9deb-4cf7-8e69-37592f4ef1d1",
            "hashes": {
                "MD5": "0b9bf941e2539eaa34756a9e2c0d5343"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--34929550-10c2-4f11-9e24-4fa983fa58d6",
            "hashes": {
                "MD5": "96f4e767aa6bb1a1a5ab22e0662eec86"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a9d718b6-45e6-4270-abc0-fcd9aee92037",
            "hashes": {
                "MD5": "558b020ce2c80710605ed30678b6fd0c"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--0220851c-e882-435b-923f-1d9c26b92b04",
            "hashes": {
                "SHA-256": "ddebee8fe97252203e6c943fb4f9b37ade3d5fefe90edba7a37e4856056f8cd6"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--7c609269-e72b-49c3-b59f-e4e18af7dda2",
            "hashes": {
                "MD5": "24d76abbc0a10e4c977a28b33c879248"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--d8cc5548-b1b0-4858-b2a6-69f35d7b4a96",
            "hashes": {
                "SHA-256": "138464214c78a73e3714d784697745acbf692ef40419d31418e4018e752cb92b"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--c97f5ecc-cf5c-4644-bad9-ef0e99fbe700",
            "hashes": {
                "MD5": "b0ec717aeece8d5d865a4f7481e941c5"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--e11e8fa5-dbf9-43c2-9cfa-0bf8b74a526b",
            "hashes": {
                "MD5": "5a85ea837323554a0578f78f4e7febd8"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--e25ab141-d916-40ac-8941-a73de45b0dc9",
            "hashes": {
                "SHA-256": "f6cb8343444771c3d03cc90e3ac5f76ff9a4cb9cd41e65c3b7f52b38b20c0c27"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--ce3da82a-d1b6-4bb3-b5d3-830e7faca1c8",
            "hashes": {
                "MD5": "909e1b840909522fe6ba3d4dfd197d93"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--f26ca6c4-6747-4dce-a2c2-c9281cdab65c",
            "hashes": {
                "MD5": "f7272bb1374bf3af193ea1d1845b27fd"
            }
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--4d15b467-c3ae-4ec1-bcd6-b8b8b2e4b0e4",
            "created_by_ref": "identity--73e00b2e-370c-4b86-982a-3f0379027134",
            "created": "2026-06-24T23:57:08.313985Z",
            "modified": "2026-06-24T23:57:08.313985Z",
            "name": "Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks",
            "published": "2016-05-27T00:00:00Z",
            "object_refs": [
                "identity--73e00b2e-370c-4b86-982a-3f0379027134",
                "file--26618aca-1ed9-43e2-a6ac-722676f112fe",
                "file--79de2bac-5d23-49ae-92e6-a53c50b30523",
                "file--88f52636-735e-4e6e-aeb4-e2f9db0d4c37",
                "file--c7d21dc6-8662-4ee7-bae6-50fb6b7aa970",
                "file--24167ccc-bb90-41a9-8d04-e6acab46d0ee",
                "file--5d1b663d-7650-44c0-b118-34061d5b87da",
                "indicator--ef5398e6-d030-4458-ae4b-c3a3ea511fd3",
                "file--b5372057-0b27-4635-96e0-50570725a266",
                "file--d074c8f0-9deb-4cf7-8e69-37592f4ef1d1",
                "file--34929550-10c2-4f11-9e24-4fa983fa58d6",
                "file--a9d718b6-45e6-4270-abc0-fcd9aee92037",
                "file--0220851c-e882-435b-923f-1d9c26b92b04",
                "file--7c609269-e72b-49c3-b59f-e4e18af7dda2",
                "file--d8cc5548-b1b0-4858-b2a6-69f35d7b4a96",
                "file--c97f5ecc-cf5c-4644-bad9-ef0e99fbe700",
                "file--e11e8fa5-dbf9-43c2-9cfa-0bf8b74a526b",
                "file--e25ab141-d916-40ac-8941-a73de45b0dc9",
                "file--ce3da82a-d1b6-4bb3-b5d3-830e7faca1c8",
                "file--f26ca6c4-6747-4dce-a2c2-c9281cdab65c"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks"
                }
            ]
        }
    ]
}