(YARA) YARA_Detect_CloseHandle
rule Detect_CloseHandle: AntiDebug {
meta:
description = "Detect CloseHandle as anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "NtClose" fullword ascii
$2 = "CloseHandle" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| CloseHandle, NtClose | U0114 B0001.003 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| MS-RPRN.exe | 7 | 2025-03-12 | 6 days, 16 hours ago |
| RustPatchlessCLRLoader.exe | 8 | 2025-03-07 | 1 week, 4 days ago |
| stub_modified.exe | 7 | 2025-02-18 | 1 month ago |
| payload.exe | 7 | 2025-02-18 | 1 month ago |
| encrypt.exe | 7 | 2025-02-18 | 1 month ago |
| twain_32.dll | 7 | 2025-02-17 | 1 month ago |
| csgo.dll | 10 | 2025-02-17 | 1 month ago |
| libEGL.dll | 8 | 2025-02-12 | 1 month ago |
| 1663704907_themetool.exe | 6 | 2025-01-20 | 1 month, 3 weeks ago |
| Stellaris v2.3.0-v3.12.5 Plus 24 Trainer.exe | 8 | 2025-01-18 | 2 months ago |
Created
June 22, 2022
Last Revised
June 22, 2022