(YARA) YARA_Detect_CloseHandle


rule Detect_CloseHandle: AntiDebug {
    meta:
        description = "Detect CloseHandle as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        // fullword: the name must not be glued to other alphanumeric bytes
        $1 = "NtClose" fullword ascii
        $2 = "CloseHandle" fullword ascii
    condition:
        // MZ magic (little-endian "MZ"), size cap, and either import name present
        uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
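To make the rule's semantics concrete, here is an added example (not part of the Unprotect page) that re-implements its condition in plain Python and runs it over constructed buffers; the sample buffers, function names and offsets are assumptions built for illustration, not real files.

```python
import re

# Constants taken from the Detect_CloseHandle rule above
MZ_MAGIC = 0x5A4D            # uint16(0) == 0x5A4D, i.e. "MZ" read little-endian
MAX_FILESIZE = 1000 * 1024   # YARA's KB suffix multiplies by 1024
PATTERNS = [b"NtClose", b"CloseHandle"]


def fullword_ascii_offsets(data: bytes, pattern: bytes) -> list:
    """Offsets where pattern occurs as a YARA 'fullword ascii' match:
    the hit must not be directly preceded or followed by an alphanumeric byte."""
    rx = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")
    return [m.start() for m in rx.finditer(data)]


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule's condition and expose each sub-check for inspection."""
    header_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ_MAGIC
    size_ok = len(data) < MAX_FILESIZE
    hits = {p.decode(): fullword_ascii_offsets(data, p) for p in PATTERNS}
    return {
        "header_ok": header_ok,
        "size_ok": size_ok,
        "hits": hits,
        # 'any of them' is true when at least one string has a match
        "matched": header_ok and size_ok and any(hits.values()),
    }


# Constructed sample buffers (not real files). A PE import name table stores
# function names as NUL-terminated ASCII, which is why fullword works well here.
MZ = b"MZ" + b"\x00" * 62  # stand-in DOS header; only the magic matters to the rule
SAMPLE_IMPORTS_CLOSEHANDLE = MZ + b"KERNEL32.dll\x00CloseHandle\x00CreateFileW\x00"
# "NtCloseObjectAuditAlarm" contains "NtClose" but the next byte is alphanumeric,
# so fullword rejects it; with no CloseHandle present the rule does not fire
SAMPLE_FULLWORD_MISS = MZ + b"ntdll.dll\x00NtCloseObjectAuditAlarm\x00"
SAMPLE_NOT_PE = b"\x7fELF" + b"\x00" * 60 + b"CloseHandle\x00"          # wrong magic
SAMPLE_TOO_LARGE = SAMPLE_IMPORTS_CLOSEHANDLE + b"\x00" * MAX_FILESIZE  # size check fails

if __name__ == "__main__":
    for name, buf in [("imports CloseHandle", SAMPLE_IMPORTS_CLOSEHANDLE),
                      ("fullword miss", SAMPLE_FULLWORD_MISS),
                      ("not a PE", SAMPLE_NOT_PE),
                      ("too large", SAMPLE_TOO_LARGE)]:
        print(f"{name}: matched={evaluate_rule(buf)['matched']}")
```

Because CloseHandle is imported by almost every Windows executable, the rule on its own fires broadly, which is consistent with its "Experimental rule" meta comment; treat a hit as a prompt for further triage rather than a verdict.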

Associated Techniques

Technique Name Technique IDs Snippet(s) OS
CloseHandle, NtClose U0114 B0001.003

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
Real Ghost Hollowing Test Notepad Calc.exe 6 2025-07-05 1 week, 4 days ago
Клиент.exe 9 2025-07-01 2 weeks, 1 day ago
wireguard-installer.exe 7 2025-06-12 1 month ago
131da83b521f610819141d5c7403...abb22ef504a7593955a65f07.exe 9 2025-06-12 1 month ago
MSBuild.exe 10 2024-11-15 1 month ago
RuntimeBroker.exe 11 2025-06-05 1 month, 1 week ago
tel.exe 13 2025-06-01 1 month, 2 weeks ago
cobalt_sample.exe 13 2025-05-25 1 month, 3 weeks ago
flushes.exe 7 2025-05-24 1 month, 3 weeks ago
unload_sysmon_x64.exe 6 2025-05-18 1 month, 4 weeks ago

Created

June 22, 2022

Last Revised

June 22, 2022