(YARA) YARA_Detect_ExceptionHandler
rule Detect_SuspendThread: AntiDebug {
meta:
description = "Detect SuspendThread as anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "UnhandledExcepFilter" fullword ascii
$2 = "SetUnhandledExceptionFilter" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
Technique Name | Technique ID's | Snippet(s) | OS |
---|---|---|---|
Unhandled Exception Filter | U0108 B0001.030 |
Matching Samples 10 most recent
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
br1.dll | 10 | 2024-12-03 | 1 day, 2 hours ago |
satan_ransomware.exe | 10 | 2024-11-30 | 4 days, 12 hours ago |
EDR Silencer 1.4.exe | 8 | 2024-11-29 | 5 days, 12 hours ago |
Xulytaikhoan.xlsx | 14 | 2024-11-26 | 1 week, 1 day ago |
credwiz.exe | 6 | 2024-11-25 | 1 week, 1 day ago |
d66430568a8cc95bf12b9511c61c...3f49cab4825c60c5f4c24d33539f | 6 | 2024-11-19 | 2 weeks, 1 day ago |
cascade-injection.exe | 6 | 2024-11-17 | 2 weeks, 3 days ago |
System.Transactions.dll | 10 | 2024-11-15 | 2 weeks, 4 days ago |
System.EnterpriseServices.Wrapper.dll | 7 | 2024-11-15 | 2 weeks, 4 days ago |
NAPCRYPT.DLL | 7 | 2024-11-15 | 2 weeks, 4 days ago |
Created
June 22, 2022
Last Revised
June 22, 2022