{
    "type": "bundle",
    "id": "bundle--98a10261-a61e-41e1-b243-d790d5153930",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--6093c656-dd0f-4972-b2c8-760541671328",
            "created": "2023-03-08T12:51:56.338602Z",
            "modified": "2023-03-08T12:51:56.338683Z",
            "name": "Carbonblack",
            "identity_class": "organization"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--02e2f1b8-e1eb-428f-ac08-372b2b6e7291",
            "value": "cloud-api.yandex.net"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a22e3f5a-5a30-44d6-afac-a807b0ad7f24",
            "hashes": {
                "MD5": "0ff0f3f0722dd122a0f5c3d4c7752675"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--627e59cc-2cb4-4fe9-9bc5-d1fc68c9f6ed",
            "hashes": {
                "MD5": "fc0a9850f7b6a91f7757d64c86cfc141"
            }
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--659d0488-cfc8-428b-85de-15e342b9c74d",
            "created": "2026-06-24T20:27:24.008355Z",
            "modified": "2026-06-24T20:27:24.008355Z",
            "name": "YARA Rule",
            "pattern": "rule ROKRAT_payload : TAU DPRK APT\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"CarbonBlack Threat Research\" //JMyers\r\n\r\ndate = \"2018-Jan-11\"\r\n\r\ndescription = \"Designed to catch loader observed used with ROKRAT malware\"\r\n\r\nrule_version = 1\r\n\r\nyara_version = \"3.7.0\"\r\n\r\nTLP = \"White\"\r\n\r\nexemplar_hashes = \"e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573\"\r\n\r\nstrings:\r\n\r\n$s1 = \"api.box.com/oauth2/token\" wide\r\n\r\n$s2 = \"upload.box.com/api/2.0/files/content\" wide\r\n\r\n$s3 = \"api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1\" wide\r\n\r\n$s4 = \"cloud-api.yandex.net/v1/disk/resources/download?path=%s\" wide\r\n\r\n$s5 = \"SbieDll.dll\"\r\n\r\n$s6 = \"dbghelp.dll\"\r\n\r\n$s7 = \"api_log.dll\"\r\n\r\n$s8 = \"dir_watch.dll\"\r\n\r\n$s9 = \"def_%s.jpg\" wide\r\n\r\n$s10 = \"pho_%s_%d.jpg\" wide\r\n\r\n$s11 = \"login=%s&password=%s&login_submit=Authorizing\" wide\r\n\r\n$s12 = \"gdiplus.dll\"\r\n\r\n$s13 = \"Set-Cookie:\\\\b*{.+?}\\\\n\" wide\r\n\r\n$s14 = \"charset={[A-Za-z0-9\\\\-_]+}\" wide\r\n\r\ncondition:\r\n\r\n12 of ($s*)\r\n\r\n}",
            "pattern_type": "yara",
            "valid_from": "2018-02-27T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6526e541-493d-425f-987d-a488b3b1007e",
            "created": "2026-06-24T20:27:24.009102Z",
            "modified": "2026-06-24T20:27:24.009102Z",
            "name": "YARA Rule",
            "pattern": "rule ROKRAT_loader : TAU DPRK APT\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"CarbonBlack Threat Research\" //JMyers\r\n\r\ndate = \"2018-Jan-11\"\r\n\r\ndescription = \"Designed to catch loader observed used with ROKRAT malware\"\r\n\r\nrule_version = 1\r\n\r\nyara_version = \"3.7.0\"\r\n\r\nTLP = \"White\"\r\n\r\nexemplar_hashes = \"e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd\"\r\n\r\nstrings:\r\n\r\n$n1 = \"wscript.exe\"\r\n\r\n$n2 = \"cmd.exe\"\r\n\r\n$s1 = \"CreateProcess\"\r\n\r\n$s2 = \"VirtualAlloc\"\r\n\r\n$s3 = \"WriteProcessMemory\"\r\n\r\n$s4 = \"CreateRemoteThread\"\r\n\r\n$s5 = \"LoadResource\"\r\n\r\n$s6 = \"FindResource\"\r\n\r\n$b1 = {33 C9 33 C0 E8 00 00 00 00 5E} //Clear Register, call+5, pop ESI\r\n\r\n$b2 = /\\xB9.{3}\\x00\\x81\\xE9?.{3}\\x00/ //subtraction for encoded data offset\r\n\r\n//the above regex could slow down scanning\r\n\r\n$b3 = {03 F1 83 C6 02} //Fix up position\r\n\r\n$b4 = {3E 8A 06 34 90 46} //XOR decode Key\r\n\r\n$b5 = {3E 30 06 46 49 83 F9 00 75 F6} //XOR routine and jmp to code\r\n\r\n//push api hash values plain text\r\n\r\n$hpt_1 = {68 EC 97 03 0C} //api name hash value - Global Alloc\r\n\r\n$hpt_2 = {68 54 CA AF 91} //api name hash value - Virtual Alloc\r\n\r\n$hpt_3 = {68 8E 4E 0E EC} //api name hash value - Load Library\r\n\r\n$hpt_4 = {68 AA FC 0D 7C} //api name hash value - GetProc Addr\r\n\r\n$hpt_5 = {68 1B C6 46 79} //api name hash value - Virtual Protect\r\n\r\n$hpt_6 = {68 F6 22 B9 7C} //api name hash value - Global Free\r\n\r\n//push api hash values encoded XOR 0x13\r\n\r\n$henc_1 = {7B FF 84 10 1F} //api name hash value - Global Alloc\r\n\r\n$henc_2 = {7B 47 D9 BC 82} //api name hash value - Virtual Alloc\r\n\r\n$henc_3 = {7B 9D 5D 1D EC} //api name hash value - Load Library\r\n\r\n$henc_4 = {7B B9 EF 1E 6F} //api name hash value - GetProc Addr\r\n\r\n$henc_5 = {7B 08 D5 55 6A} //api name hash value - Virtual Protect\r\n\r\n$henc_6 = {7B E5 31 AA 6F} //api name hash value - Global Free\r\n\r\ncondition:\r\n\r\n(1 of ($n*) and 4 of ($s*) and 4 of ($b*)) or\r\n\r\nall of ($hpt*) or\r\n\r\nall of ($henc*)\r\n\r\n}",
            "pattern_type": "yara",
            "valid_from": "2018-02-27T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--6eca45a2-03d1-4699-96df-3cbcfcb16697",
            "hashes": {
                "SHA-1": "c09c1be69e5a206bcfe3d726773f0b0ddecb3622"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--c5b2dcae-50d9-408c-8461-a811f4c384ed",
            "hashes": {
                "SHA-256": "2ca7c2048f247b871e455a9ac8bcb97927dd284477e7c2c4d2454509f97413b5"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--82bfe68e-790b-4eb6-a59b-526c8e295d19",
            "hashes": {
                "MD5": "1f354d76203061bfdd5a53dae48d5435"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a7e054cd-e632-4cca-9f1a-06f22869c8f0",
            "hashes": {
                "SHA-256": "a9e25c8aabc041c81ef44ab4483432d4fd1223bf8e13e2812e4c9b58d6c34fac"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--346b7623-1659-4067-9bfc-70673f0123b3",
            "hashes": {
                "MD5": "2eaf2a4764a1e5f4ed5c4c03cb91d910"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--4de66a07-0c97-43ca-b050-7c72094c2eda",
            "hashes": {
                "MD5": "394e52e219feb1a5c403714154048728"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--bff83d25-575e-4aa6-b301-44a38c3c1f5b",
            "hashes": {
                "MD5": "d8b76044cedbd7db8cd7d35e35853552"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--26390726-b88f-4deb-aa6d-d50a01fcca0e",
            "hashes": {
                "MD5": "199dba4e0d91649be88d319d6e35679c"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--b3ce379e-9869-4892-8359-21013b2ba2bd",
            "hashes": {
                "SHA-1": "0e46e026890982da526d8acf9f1ce6287451c9a6"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--315c859a-abb2-4000-86cf-8376a8f5b98e",
            "hashes": {
                "MD5": "d699ec58eb259f634e8a0ca394771097"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--656eeb74-d4ff-4426-8815-7abad36d94e8",
            "hashes": {
                "MD5": "da2c1226b37133a26f073e1b2e99725e"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--3b5d2fbf-95c3-43fc-b466-c1414e47b76f",
            "hashes": {
                "MD5": "c4a7bf20f6fc766645a65da614af527f"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a441a7b5-df90-4e10-914a-67b71f1fae94",
            "hashes": {
                "MD5": "0c80569caa34549a9ed52c8e747656aa"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a1092a86-0ffe-4f48-a199-0457e09ec4c4",
            "hashes": {
                "MD5": "cd6c70f1550d4ec7ef8c2f9389052187"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--8d7780a8-502a-4b68-94f3-58c3bf46fc0b",
            "hashes": {
                "MD5": "31f84f4086f6cc29fdec3beb3d4143c7"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--40f272d1-46eb-4070-8406-f7db7acb592f",
            "hashes": {
                "MD5": "9701f6142ffcddad4bb15c457a064d79"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a5d355db-879d-41f7-b9ef-0e9d03a00753",
            "hashes": {
                "MD5": "5c6c1ed910e7c9740a0289a6d278908a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--030fe165-cf9a-4c2d-93eb-e9e0a08bec0d",
            "hashes": {
                "MD5": "a3521ae8c25e14c17f986095b07a644b"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--01162200-83d2-4ed2-ab90-6abc06f3aa4b",
            "hashes": {
                "SHA-256": "1bcefc2ccdee1aa41578507d638b33f2957010637d98bb83c011541f7d632efb"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--8a00c8e2-d45a-4de1-95c5-4f1b1a6188ba",
            "hashes": {
                "SHA-256": "e200517ab9482e787a59e60accc8552bd0c844687cd0cf8ec4238ed2fc2fa573"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--778e22c8-bb69-45b1-b9e4-103c278be0d7",
            "hashes": {
                "MD5": "807f171588560279c492b1bf5b5f1392"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--2f49ec9e-b97b-4b43-9a7c-fafa7f3cabe8",
            "hashes": {
                "SHA-1": "60d465f1a6c35509174503e87ca106ad2fa40b39"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--fcfc14c0-924d-4131-bd77-c9497c0c32fc",
            "hashes": {
                "MD5": "d2881e56e66aeaebef7efaa60a58ef9b"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--4231a22e-99a3-4b99-b682-0b9b32be2b8f",
            "hashes": {
                "MD5": "462e65d46a453444d5fa86c0df10acb9"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--4848f328-3ac9-411f-b505-b0bfa5b65342",
            "hashes": {
                "MD5": "220c7c1fe852af006a83412ecef642fe"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--8808d4f8-f495-4550-8a71-469accd9e3a5",
            "hashes": {
                "MD5": "bbc2905f395f561cb2c59b0541c2758a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--2480d1e4-e87c-4606-aa93-84ffe78277eb",
            "hashes": {
                "SHA-256": "e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--61bcdf7f-c20f-4888-b65b-b029ddbcf7bb",
            "hashes": {
                "SHA-256": "7ebc9a1fd93525fc42277efbccecf5a0470a0affbc4cf6c3934933c4c1959eb1"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--3157cfd6-c63c-411d-b018-2af2de9cd8d2",
            "hashes": {
                "SHA-256": "7d8008028488edd26e665a3d4f70576cc02c237fffe5b8493842def528d6a1d8"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--b5d038e1-110a-4f1e-acd4-228e5c22430b",
            "hashes": {
                "SHA-256": "6c372f29615ce8ae2cdf257e9f2617870c74b321651e9219ea16847467f51c9f"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--f125e455-a267-4625-a2b4-5e4d2e3eab6f",
            "hashes": {
                "SHA-256": "95192de1f3239d5c0a7075627cf9845c91fd397796383185f61dde893989c08a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--5df60041-7312-41ed-a4ad-5b27fbfe3ead",
            "hashes": {
                "SHA-256": "19e4c45c0cd992564532b89a4dc1f35c769133167dc20e40b2a41fccb881277b"
            }
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--170c898e-a296-44ff-a86f-ceea8e3b206b",
            "created_by_ref": "identity--6093c656-dd0f-4972-b2c8-760541671328",
            "created": "2026-06-24T20:27:24.029723Z",
            "modified": "2026-06-24T20:27:24.029723Z",
            "name": "Threat Analysis: ROKRAT Malware",
            "published": "2018-02-27T00:00:00Z",
            "object_refs": [
                "identity--6093c656-dd0f-4972-b2c8-760541671328",
                "domain-name--02e2f1b8-e1eb-428f-ac08-372b2b6e7291",
                "file--a22e3f5a-5a30-44d6-afac-a807b0ad7f24",
                "file--627e59cc-2cb4-4fe9-9bc5-d1fc68c9f6ed",
                "indicator--659d0488-cfc8-428b-85de-15e342b9c74d",
                "indicator--6526e541-493d-425f-987d-a488b3b1007e",
                "file--6eca45a2-03d1-4699-96df-3cbcfcb16697",
                "file--c5b2dcae-50d9-408c-8461-a811f4c384ed",
                "file--82bfe68e-790b-4eb6-a59b-526c8e295d19",
                "file--a7e054cd-e632-4cca-9f1a-06f22869c8f0",
                "file--346b7623-1659-4067-9bfc-70673f0123b3",
                "file--4de66a07-0c97-43ca-b050-7c72094c2eda",
                "file--bff83d25-575e-4aa6-b301-44a38c3c1f5b",
                "file--26390726-b88f-4deb-aa6d-d50a01fcca0e",
                "file--b3ce379e-9869-4892-8359-21013b2ba2bd",
                "file--315c859a-abb2-4000-86cf-8376a8f5b98e",
                "file--656eeb74-d4ff-4426-8815-7abad36d94e8",
                "file--3b5d2fbf-95c3-43fc-b466-c1414e47b76f",
                "file--a441a7b5-df90-4e10-914a-67b71f1fae94",
                "file--a1092a86-0ffe-4f48-a199-0457e09ec4c4",
                "file--8d7780a8-502a-4b68-94f3-58c3bf46fc0b",
                "file--40f272d1-46eb-4070-8406-f7db7acb592f",
                "file--a5d355db-879d-41f7-b9ef-0e9d03a00753",
                "file--030fe165-cf9a-4c2d-93eb-e9e0a08bec0d",
                "file--01162200-83d2-4ed2-ab90-6abc06f3aa4b",
                "file--8a00c8e2-d45a-4de1-95c5-4f1b1a6188ba",
                "file--778e22c8-bb69-45b1-b9e4-103c278be0d7",
                "file--2f49ec9e-b97b-4b43-9a7c-fafa7f3cabe8",
                "file--fcfc14c0-924d-4131-bd77-c9497c0c32fc",
                "file--4231a22e-99a3-4b99-b682-0b9b32be2b8f",
                "file--4848f328-3ac9-411f-b505-b0bfa5b65342",
                "file--8808d4f8-f495-4550-8a71-469accd9e3a5",
                "file--2480d1e4-e87c-4606-aa93-84ffe78277eb",
                "file--61bcdf7f-c20f-4888-b65b-b029ddbcf7bb",
                "file--3157cfd6-c63c-411d-b018-2af2de9cd8d2",
                "file--b5d038e1-110a-4f1e-acd4-228e5c22430b",
                "file--f125e455-a267-4625-a2b4-5e4d2e3eab6f",
                "file--5df60041-7312-41ed-a4ad-5b27fbfe3ead"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
                }
            ]
        }
    ]
}