(YARA) YARA_Detect_CloseHandle
rule Detect_CloseHandle: AntiDebug {
meta:
description = "Detect CloseHandle as anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "NtClose" fullword ascii
$2 = "CloseHandle" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
Technique Name | Technique ID's | Snippet(s) | OS |
---|---|---|---|
CloseHandle, NtClose | U0114 B0001.003 |
Matching Samples 10 most recent
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
lnl-msfvenom.exe | 7 | 2024-12-02 | 17 hours, 52 minutes ago |
satan_ransomware.exe | 10 | 2024-11-30 | 2 days, 21 hours ago |
EDR Silencer 1.4.exe | 8 | 2024-11-29 | 3 days, 21 hours ago |
Xulytaikhoan.xlsx | 14 | 2024-11-26 | 6 days, 15 hours ago |
credwiz.exe | 6 | 2024-11-25 | 1 week ago |
ejecutablehex01~Rip_dump_SCY.exe.hex | 5 | 2024-11-24 | 1 week, 1 day ago |
ebb508b441172b95f4c6a63c7f78...904128200bcb8ef38b1374663789 | 4 | 2024-11-19 | 1 week, 6 days ago |
e18ac2c4a57b7b4980c63623c966...4e2bb66f2cc4a54974219818fff3 | 8 | 2024-11-19 | 1 week, 6 days ago |
d66430568a8cc95bf12b9511c61c...3f49cab4825c60c5f4c24d33539f | 6 | 2024-11-19 | 1 week, 6 days ago |
cfcb85ddfe25f093feb249d4004d...064da7e9ed119971859c61817f1f | 7 | 2024-11-19 | 1 week, 6 days ago |
Created
June 22, 2022
Last Revised
June 22, 2022