(YARA) YARA_Detect_ExceptionHandler

Download Raw

rule Detect_SuspendThread: AntiDebug {
    meta: 
        description = "Detect SuspendThread as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "UnhandledExcepFilter" fullword ascii
        $2 = "SetUnhandledExceptionFilter" fullword ascii
    condition:   
       uint16(0) == 0x5A4D and filesize < 1000KB and any of them 
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
Unhandled Exception Filter U0108 B0001.030

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
br1.dll 10 2024-12-03 1 day, 2 hours ago
satan_ransomware.exe 10 2024-11-30 4 days, 12 hours ago
EDR Silencer 1.4.exe 8 2024-11-29 5 days, 12 hours ago
Xulytaikhoan.xlsx 14 2024-11-26 1 week, 1 day ago
credwiz.exe 6 2024-11-25 1 week, 1 day ago
d66430568a8cc95bf12b9511c61c...3f49cab4825c60c5f4c24d33539f 6 2024-11-19 2 weeks, 1 day ago
cascade-injection.exe 6 2024-11-17 2 weeks, 3 days ago
System.Transactions.dll 10 2024-11-15 2 weeks, 4 days ago
System.EnterpriseServices.Wrapper.dll 7 2024-11-15 2 weeks, 4 days ago
NAPCRYPT.DLL 7 2024-11-15 2 weeks, 4 days ago
View All

Created

June 22, 2022

Last Revised

June 22, 2022