(YARA) YARA_Detect_CloseHandle


rule Detect_CloseHandle: AntiDebug {
    meta:
        description = "Detect CloseHandle as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        // API names used by the check; "fullword" means the string must not be
        // embedded in a longer alphanumeric run (so "NtCloseHandle" does not hit $1)
        $1 = "NtClose" fullword ascii
        $2 = "CloseHandle" fullword ascii
    condition:
        // "MZ" DOS header at offset 0, file under 1000 KB, and either API name present
        uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
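What the rule actually fires on, as an added example that is not part of the Unprotect rule or of this page: the Python below re-implements the condition of Detect_CloseHandle (MZ magic at offset 0, filesize under 1000 KB where YARA's KB is 1024 bytes, fullword ASCII match of either API name) and evaluates it over constructed byte buffers, so the fullword semantics and the false-positive profile are visible without a YARA install. The technique the rule targets calls CloseHandle or NtClose on an invalid handle: under a debugger the call raises an invalid-handle exception, without one it simply fails. The make_pe_like helper, the sample names and the fake import-name table are assumptions made for this example; the buffers are not loadable executables. The caveat this makes concrete is that CloseHandle is imported by name in a large share of ordinary Windows binaries, so on its own the rule tags most PE files, which is why it is marked experimental and is better used as one triage indicator among several anti-debug rules than as an alerting signature.

```python
from __future__ import annotations

import re
import struct

# Rule parameters, copied from the Detect_CloseHandle rule above.
MZ_MAGIC = 0x5A4D            # "MZ" read as a little-endian uint16 at offset 0
MAX_FILESIZE = 1000 * 1024   # YARA's "1000KB": the KB suffix multiplies by 1024
STRINGS = [b"NtClose", b"CloseHandle"]   # $1 and $2 in the rule

# YARA "fullword": the match must not be immediately preceded or followed by an
# alphanumeric byte, so "NtCloseHandle" satisfies neither $1 nor $2.
_WORD_CHAR = re.compile(rb"[A-Za-z0-9]")


def fullword_hits(data: bytes, needle: bytes) -> list[int]:
    """Offsets where `needle` occurs in `data` as a YARA fullword ascii match."""
    hits = []
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        before_ok = i == 0 or not _WORD_CHAR.match(data[i - 1:i])
        end = i + len(needle)
        after_ok = end == len(data) or not _WORD_CHAR.match(data[end:end + 1])
        if before_ok and after_ok:
            hits.append(i)
        start = i + 1


def rule_matches(data: bytes) -> dict:
    """Evaluate the rule's condition over one buffer; returns the verdict plus
    the intermediate facts (MZ check, size check, per-string hit offsets)."""
    is_mz = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == MZ_MAGIC
    size_ok = len(data) < MAX_FILESIZE
    fired = {f"${n}": fullword_hits(data, s) for n, s in enumerate(STRINGS, 1)}
    matched = is_mz and size_ok and any(fired.values())
    return {"match": matched, "is_mz": is_mz, "size_ok": size_ok, "strings": fired}


def make_pe_like(*names: bytes, pad_to: int = 0) -> bytes:
    """Constructed stand-in for a PE (assumption for this example): an MZ header
    followed by a fake import-name table laid out like IMAGE_IMPORT_BY_NAME
    entries (2-byte hint, name, NUL). It only exercises the byte-level condition."""
    table = b"".join(b"\x00\x00" + n + b"\x00" for n in names)
    buf = b"MZ" + b"\x90" * 62 + b"kernel32.dll\x00" + table
    return buf + b"\x00" * max(0, pad_to - len(buf))


# Constructed samples, labelled by what they are meant to show.
SAMPLES = {
    # an ordinary import list: the rule fires on the CloseHandle import alone
    "typical_pe": make_pe_like(b"ExitProcess", b"CloseHandle", b"GetLastError"),
    # both API names appear only inside a longer identifier: no fullword match
    "substring_only": make_pe_like(b"NtCloseHandleEx"),
    # the string is present but the file is not MZ: no match
    "elf_with_string": b"\x7fELF" + b"\x00" * 60 + b"\x00CloseHandle\x00",
    # MZ and the string, but exactly 1000 KB: filesize < 1000KB fails
    "oversized_pe": make_pe_like(b"CloseHandle", pad_to=MAX_FILESIZE),
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = rule_matches(data)
        hits = {k: len(v) for k, v in r["strings"].items()}
        print(f"{name:16} match={r['match']!s:5} mz={r['is_mz']!s:5} "
              f"size_ok={r['size_ok']!s:5} hits={hits}")
```

Running it prints one verdict line per sample; only typical_pe matches, which is the point: a plain import of CloseHandle is enough, and nothing in the rule ties the string to an anti-debug use of the API.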

Associated Techniques

Technique Name | Technique IDs | Snippet(s) | OS
CloseHandle, NtClose | U0114, B0001.003 | | 

Matching Samples (10 most recent)

Sample Name | Matching Techniques | First Seen | Last Seen
Real Ghost Hollowing Test Notepad Calc.exe | 6 | 2025-07-05 | 6 days, 9 hours ago
Клиент.exe | 9 | 2025-07-01 | 1 week, 3 days ago
wireguard-installer.exe | 7 | 2025-06-12 | 4 weeks, 1 day ago
131da83b521f610819141d5c7403...abb22ef504a7593955a65f07.exe | 9 | 2025-06-12 | 4 weeks, 1 day ago
MSBuild.exe | 10 | 2024-11-15 | 4 weeks, 1 day ago
RuntimeBroker.exe | 11 | 2025-06-05 | 1 month ago
tel.exe | 13 | 2025-06-01 | 1 month, 1 week ago
cobalt_sample.exe | 13 | 2025-05-25 | 1 month, 2 weeks ago
flushes.exe | 7 | 2025-05-24 | 1 month, 2 weeks ago
unload_sysmon_x64.exe | 6 | 2025-05-18 | 1 month, 3 weeks ago

Created

June 22, 2022

Last Revised

June 22, 2022