(YARA) Detect_Interrupts
rule Detect_Interrupt: AntiDebug {
meta:
description = "Detect Interrupt instruction"
author = "Unprotect"
comment = "Experimental rule / the rule can be slow to use"
strings:
$int3 = { CC }
$intCD = { CD }
$int03 = { 03 }
$int2D = { 2D }
$ICE = { F1 }
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
Technique Name | Technique ID's | Snippet(s) | OS |
---|---|---|---|
INT3 Instruction Scanning | U0105 B0001.025 | ||
INT 0x2D | U0129 B0001.006 | ||
ICE 0xF1 | U0130 |
Matching Samples 10 most recent
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
br1.dll | 10 | 2024-12-03 | 1 day, 1 hour ago |
lnl-msfvenom.exe | 7 | 2024-12-02 | 2 days, 8 hours ago |
d76d0406155a16f0.exe | 4 | 2024-11-13 | 2 days, 14 hours ago |
build.exe | 5 | 2024-12-01 | 2 days, 16 hours ago |
satan_ransomware.exe | 10 | 2024-11-30 | 4 days, 11 hours ago |
EDR Silencer 1.4.exe | 8 | 2024-11-29 | 5 days, 12 hours ago |
Xulytaikhoan.xlsx | 14 | 2024-11-26 | 1 week, 1 day ago |
credwiz.exe | 6 | 2024-11-25 | 1 week, 1 day ago |
MokManager.efi | 8 | 2024-11-25 | 1 week, 2 days ago |
ejecutablehex01~Rip_dump_SCY.exe.hex | 5 | 2024-11-24 | 1 week, 2 days ago |
Created
June 22, 2022
Last Revised
June 22, 2022