{ "type": "bundle", "id": "bundle--61288284-8441-4319-a72e-57d9dba8af44", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--b3e5edab-896e-482d-af01-94ad2b65ceaf", "created": "2024-01-01T23:31:02.947259Z", "modified": "2024-08-14T23:07:52.579356Z", "name": "somedieyoungZZ", "identity_class": "organization" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b428ff5d-a49c-4ec5-bfec-e11f555a50db", "created": "2026-06-24T18:09:03.360189Z", "modified": "2026-06-24T18:09:03.360189Z", "name": "YARA Rule", "pattern": "rule kimsuky_VBS_script { meta: author = \"somdieyoungZZ\" date = \"2024-03-13\" strings: $header = { 0x45, 0x53 } # VBScript header $programShell_func = \"WScript.Shell\" wide ascii $createTextFile_func = \"CreateTextFile\" wide ascii $filename_pattern = wide ascii $certutil_cmd = \"certutil -decode\" wide ascii $xor_key = { 0x8d } $base64_regex = /[A-Za-z0-9+\\/]+={0,2}/ condition: (uint16(0) == 0x4553 or uint16(0) == 0x5345) and ($programShell_func or $createTextFile_func) and ($filename_pattern =~ /(malicious_[\\^.]+\\.b64)/) and $certutil_cmd and $xor_key and $base64_regex }", "pattern_type": "yara", "valid_from": "2024-03-12T00:00:00Z" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--254433dd-7538-4956-899f-b4c7e11d4f69", "value": "tes.co" }, { "type": "file", "spec_version": "2.1", "id": "file--ae153e1f-9e7f-4d67-bed3-0b40535f8ebe", "hashes": { "SHA-1": "39a61c4d9d25c8ed1b38b1a51a8ef0b5cf51ce10" } }, { "type": "file", "spec_version": "2.1", "id": "file--677625a2-cbc3-4ab8-b833-f365dab8b5cc", "hashes": { "SHA-256": "db18e23bebb8581ba5670201cea98ccf71ecea70d64856b96c56c63c61b91bbe" } }, { "type": "file", "spec_version": "2.1", "id": "file--82fb2a6b-aeb1-44cc-8cee-218a3fb3d70e", "hashes": { "MD5": "12539ac37a81cc2e19338a67d237f833" } }, { "type": "url", "spec_version": "2.1", "id": "url--b8a09546-1d19-4a19-9d9a-74a67cd1b983", "value": "http://qwert.mine.bz/index.php" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--e91a2b55-1dbf-427a-8242-59c683b49d90", "value": "qwert.mine.bz" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--80b8c36a-4492-4803-bc0f-1ddec08f6630", "value": "216.189.154.6" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1", "created": "2026-06-24T18:09:03.366308Z", "modified": "2026-06-24T18:09:03.366308Z", "name": "Kimsuky" }, { "type": "report", "spec_version": "2.1", "id": "report--865e0d74-caef-4bdc-a6d3-ce32aeefabe1", "created_by_ref": "identity--b3e5edab-896e-482d-af01-94ad2b65ceaf", "created": "2026-06-24T18:09:03.368942Z", "modified": "2026-06-24T18:09:03.368942Z", "name": "Kimsuky 3", "published": "2024-03-12T00:00:00Z", "object_refs": [ "identity--b3e5edab-896e-482d-af01-94ad2b65ceaf", "indicator--b428ff5d-a49c-4ec5-bfec-e11f555a50db", "domain-name--254433dd-7538-4956-899f-b4c7e11d4f69", "file--ae153e1f-9e7f-4d67-bed3-0b40535f8ebe", "file--677625a2-cbc3-4ab8-b833-f365dab8b5cc", "file--82fb2a6b-aeb1-44cc-8cee-218a3fb3d70e", "url--b8a09546-1d19-4a19-9d9a-74a67cd1b983", "domain-name--e91a2b55-1dbf-427a-8242-59c683b49d90", "ipv4-addr--80b8c36a-4492-4803-bc0f-1ddec08f6630", "threat-actor--3cad7692-b5b4-565b-88b1-63998b3f44a1" ], "external_references": [ { "source_name": "source", "url": "https://somedieyoungzz.github.io/posts/kimsuky-3/" } ] } ] }