(YARA) YARA_Detect_ExceptionHandler


rule Detect_ExceptionHandler: AntiDebug {
    meta:
        description = "Detect SetUnhandledExceptionFilter as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        // Import names of the exception-filter API; fullword requires a
        // non-alphanumeric byte on both sides of the match
        $1 = "UnhandledExcepFilter" fullword ascii
        $2 = "SetUnhandledExceptionFilter" fullword ascii
    condition:
        // MZ header (uint16 read little-endian), under 1000 KB, and at least one string present
        uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
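As an added example that is not part of the Unprotect page or its rule, the three clauses of the condition above are reimplemented in plain Python so each can be exercised on constructed byte strings; `fullword_match`, `rule_matches` and the sample blobs are hypothetical names, and the blobs are constructed stand-ins, not real samples.

```python
import re

# Emulation of the rule's condition (added example, not YARA or Unprotect code).
MZ_MAGIC = 0x5A4D              # uint16(0) is read little-endian: bytes 'M','Z'
MAX_SIZE = 1000 * 1024         # YARA's 1000KB (KB means 1024 bytes)
PATTERNS = (b"UnhandledExcepFilter", b"SetUnhandledExceptionFilter")


def fullword_match(data: bytes, pattern: bytes) -> bool:
    """Emulate `fullword ascii`: the string must not be preceded or followed
    by an alphanumeric byte, so it matches an import name but not a longer
    identifier that merely contains it."""
    pat = rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None


def rule_matches(data: bytes) -> bool:
    """Return True when all three clauses of the rule's condition hold."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != MZ_MAGIC:
        return False                       # not an MZ/PE image
    if len(data) >= MAX_SIZE:
        return False                       # fails filesize < 1000KB
    return any(fullword_match(data, p) for p in PATTERNS)   # "any of them"


# Constructed stand-ins for files on disk (hypothetical, no real samples).
PE_WITH_IMPORT = b"MZ" + b"\x00" * 62 + b"KERNEL32.dll\x00SetUnhandledExceptionFilter\x00"
PE_WITH_IDENTIFIER_ONLY = b"MZ" + b"\x00" * 62 + b"MySetUnhandledExceptionFilterHook\x00"
NOT_A_PE = b"#!/bin/sh\nSetUnhandledExceptionFilter\n"
OVERSIZED_PE = b"MZ" + b"SetUnhandledExceptionFilter\x00" * (MAX_SIZE // 28 + 1)

if __name__ == "__main__":
    for name, blob in [("PE_WITH_IMPORT", PE_WITH_IMPORT),
                       ("PE_WITH_IDENTIFIER_ONLY", PE_WITH_IDENTIFIER_ONLY),
                       ("NOT_A_PE", NOT_A_PE),
                       ("OVERSIZED_PE", OVERSIZED_PE)]:
        print(f"{name}: {rule_matches(blob)}")
```

Only the first blob matches: the second contains the API name inside a longer identifier, so `fullword` rejects it, and the last two fail the MZ and size clauses before the strings are considered.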

Associated Techniques

Technique Name             | Technique ID's   | Snippet(s) | OS
Unhandled Exception Filter | U0108, B0001.030 |            |

Matching Samples (10 most recent)

Sample Name                                                       | Matching Techniques | First Seen | Last Seen
Real Ghost Hollowing Test Notepad Calc.exe                        | 6                   | 2025-07-05 | 4 hours, 14 minutes ago
Клиент.exe                                                        | 9                   | 2025-07-01 | 4 days, 6 hours ago
ArtifactDLL.x64.dll                                               | 5                   | 2025-06-20 | 2 weeks, 1 day ago
Artifact.exe                                                      | 5                   | 2025-06-20 | 2 weeks, 1 day ago
wireguard-installer.exe                                           | 7                   | 2025-06-12 | 3 weeks, 2 days ago
131da83b521f610819141d5c7403...abb22ef504a7593955a65f07.exe       | 9                   | 2025-06-12 | 3 weeks, 2 days ago
tel.exe                                                           | 13                  | 2025-06-01 | 1 month ago
loader.exe                                                        | 8                   | 2025-05-29 | 1 month ago
cobalt_sample.exe                                                 | 13                  | 2025-05-25 | 1 month, 1 week ago
unload_sysmon_x64.exe                                             | 6                   | 2025-05-18 | 1 month, 2 weeks ago

Created

June 22, 2022

Last Revised

June 22, 2022