(YARA) Detect_Interrupts

Download Raw

rule Detect_Interrupt: AntiDebug {
    meta: 
        description = "Detect Interrupt instruction"
        author = "Unprotect"
        comment = "Experimental rule / the rule can be slow to use"
    strings:
        $int3 = { CC }
        $intCD = { CD }
        $int03 = { 03 }
        $int2D = { 2D }
        $ICE = { F1 }
    condition:   
       uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
INT3 Instruction Scanning U0105 B0001.025
INT 0x2D U0129 B0001.006
ICE 0xF1 U0130

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
br1.dll 10 2024-12-03 1 day, 1 hour ago
lnl-msfvenom.exe 7 2024-12-02 2 days, 8 hours ago
d76d0406155a16f0.exe 4 2024-11-13 2 days, 14 hours ago
build.exe 5 2024-12-01 2 days, 16 hours ago
satan_ransomware.exe 10 2024-11-30 4 days, 11 hours ago
EDR Silencer 1.4.exe 8 2024-11-29 5 days, 12 hours ago
Xulytaikhoan.xlsx 14 2024-11-26 1 week, 1 day ago
credwiz.exe 6 2024-11-25 1 week, 1 day ago
MokManager.efi 8 2024-11-25 1 week, 2 days ago
ejecutablehex01~Rip_dump_SCY.exe.hex 5 2024-11-24 1 week, 2 days ago
View All

Created

June 22, 2022

Last Revised

June 22, 2022