{
    "type": "bundle",
    "id": "bundle--fc018048-61b6-4ecb-bda8-1ba59e6a7b07",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--cc548405-ea5a-490e-bf4f-a591a3de881c",
            "created": "2023-03-08T12:51:55.656877Z",
            "modified": "2023-03-09T14:13:02.547905Z",
            "name": "BAE Systems",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f611534c-1594-4647-a2d5-1788667883dd",
            "created": "2026-06-24T18:21:02.631154Z",
            "modified": "2026-06-24T18:21:02.631154Z",
            "name": "YARA Rule",
            "pattern": "rule Hermes2_1 {\r\nmeta:\r\ndate = \"2017/10/11\"\r\nauthor = \"BAE\"\r\nhash = \"b27881f59c8d8cc529fa80a58709db36\"\r\nstrings:\r\n$magic = { 4D 5A }\r\n//in both version 2.1 and sample in Feb\r\n$s1 = \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Nls\\\\Language\\\\\"\r\n$s2 = \"0419\"\r\n$s3 = \"0422\"\r\n$s4 = \"0423\"\r\n//in version 2.1 only\r\n$S1 = \"HERMES\"\r\n$S2 = \"vssadminn\"\r\n$S3 = \"finish work\"\r\n$S4 = \"testlib.dll\"\r\n$S5 = \"shadowstorageiet\"\r\n//maybe unique in the file\r\n$u1 = \"ALKnvfoi4tbmiom3t40iomfr0i3t4jmvri3tb4mvi3btv3rgt4t777\"\r\n$u2 = \"HERMES 2.1 TEST BUILD, press ok\"\r\n$u3 = \"hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA\" //RSA Key part\r\ncondition:\r\n$magic at 0 and all of ($s*) and 3 of ($S*) and 1 of ($u*)\r\n}",
            "pattern_type": "yara",
            "valid_from": "2017-10-16T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--3e57e313-36d0-4e32-aaa7-78fbb3845e54",
            "hashes": {
                "MD5": "b27881f59c8d8cc529fa80a58709db36"
            }
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b",
            "created": "2026-06-24T18:21:02.637288Z",
            "modified": "2026-06-24T18:21:02.637288Z",
            "name": "Lazarus"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--7e5a1c2b-8362-40dd-b5fd-88e8576bd04b",
            "created_by_ref": "identity--cc548405-ea5a-490e-bf4f-a591a3de881c",
            "created": "2026-06-24T18:21:02.638317Z",
            "modified": "2026-06-24T18:21:02.638317Z",
            "name": "TAIWAN HEIST: LAZARUS TOOLS AND RANSOMWARE",
            "published": "2017-10-16T00:00:00Z",
            "object_refs": [
                "identity--cc548405-ea5a-490e-bf4f-a591a3de881c",
                "indicator--f611534c-1594-4647-a2d5-1788667883dd",
                "file--3e57e313-36d0-4e32-aaa7-78fbb3845e54",
                "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "http://baesystemsai.blogspot.kr/2017/10/taiwan-heist-lazarus-tools.html"
                }
            ]
        }
    ]
}