(YARA) YARA_Detect_CloseHandle

Download Raw

rule Detect_CloseHandle: AntiDebug {
    meta: 
        description = "Detect CloseHandle as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "NtClose" fullword ascii
        $2 = "CloseHandle" fullword ascii
    condition:   
       uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
CloseHandle, NtClose U0114 B0001.003

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
lnl-msfvenom.exe 7 2024-12-02 17 hours, 52 minutes ago
satan_ransomware.exe 10 2024-11-30 2 days, 21 hours ago
EDR Silencer 1.4.exe 8 2024-11-29 3 days, 21 hours ago
Xulytaikhoan.xlsx 14 2024-11-26 6 days, 15 hours ago
credwiz.exe 6 2024-11-25 1 week ago
ejecutablehex01~Rip_dump_SCY.exe.hex 5 2024-11-24 1 week, 1 day ago
ebb508b441172b95f4c6a63c7f78...904128200bcb8ef38b1374663789 4 2024-11-19 1 week, 6 days ago
e18ac2c4a57b7b4980c63623c966...4e2bb66f2cc4a54974219818fff3 8 2024-11-19 1 week, 6 days ago
d66430568a8cc95bf12b9511c61c...3f49cab4825c60c5f4c24d33539f 6 2024-11-19 1 week, 6 days ago
cfcb85ddfe25f093feb249d4004d...064da7e9ed119971859c61817f1f 7 2024-11-19 1 week, 6 days ago
View All

Created

June 22, 2022

Last Revised

June 22, 2022