(CAPA) CAPA_sandbox_name

Download Raw 

rule:
  meta:
    name: check for sandbox username
    namespace: anti-analysis/anti-vm/vm-detection
    author: "@_re_fox"
    scope: function
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    examples:
      - ccbf7cba35bab56563c0fbe4237fdc41:0x402B90
    references:
      - https://github.com/LloydLabs/wsb-detect
  features:
    - and:
      - api: GetUserName
      - or:
        - string: /MALTEST/i
          description: Betabot Username Check
        - string: /TEQUILABOOMBOOM/i
          description: VirusTotal Sandbox
        - string: /SANDBOX/i
          description: Gookit Username Check
        - string: /^VIRUS/i
          description: Satan Username Check
        - string: /MALWARE/i
          description: Betabot Username Check
        - string: /SAND\sBOX/i
          description: Betabot Username Check
        - string: /Test\sUser/i
          description: Betabot Username Check
        - string: /CurrentUser/i
          description: Gookit Username Check
        - string: /7SILVIA/i
          description: Gookit Username Check
        - string: /FORTINET/i
          description: Shifu Username Check
        - string: /John\sDoe/i
          description: Emotet Username Check
        - string: /Emily/i
          description: Trickbot Downloader Username Check
        - string: /HANSPETER\-PC/i
          description: Trickbot Downloader Username Check
        - string: /HAPUBWS/i
          description: Trickbot Downloader Username Check
        - string: /Hong\sLee/i
          description: Trickbot Downloader Username Check
        - string: /IT\-ADMIN/i
          description: Trickbot Downloader Username Check
        - string: /JOHN\-PC/i
          description: Trickbot Downloader Username Check
        - string: /Johnson/i
          description: Trickbot Downloader Username Check
        - string: /Miller/i
          description: Trickbot Downloader Username Check
        - string: /MUELLER\-PC/i
          description: Trickbot Downloader Username Check
        - string: /Peter\sWilson/i
          description: Trickbot Downloader Username Check
        - string: /SystemIT/i
          description: Trickbot Downloader Username Check
        - string: /Timmy/i
          description: Trickbot Downloader Username Check
        - string: /WIN7\-TRAPS/i
          description: Trickbot Downloader Username Check
        - string: /WDAGUtilityAccount/i
          description: Windows Defender Application Guard

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
Detecting Hostname, Username U1311
Created

June 20, 2022

Last Revised

June 20, 2022