(YARA) YARA_Detect_ExceptionHandler

Download Raw 

rule Detect_SuspendThread: AntiDebug {
    meta: 
        description = "Detect SuspendThread as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "UnhandledExcepFilter" fullword ascii
        $2 = "SetUnhandledExceptionFilter" fullword ascii
    condition:   
       uint16(0) == 0x5A4D and filesize < 1000KB and any of them 
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
Unhandled Exception Filter U0108 B0001.030

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
unload_sysmon_x64.exe 6 2025-05-18 5 days, 6 hours ago
ZAP.exe 6 2025-04-26 3 weeks, 5 days ago
BypassThreatBook.exe 5 2025-04-27 3 weeks, 5 days ago
DS4Windows.exe 9 2025-04-19 1 month ago
xwizard.exe 6 2025-04-18 1 month ago
simple.exe 5 2025-04-13 1 month, 1 week ago
simple_packed.exe 4 2025-04-13 1 month, 1 week ago
shutdown.exe 6 2025-04-08 1 month, 2 weeks ago
Starter.exe 8 2025-03-26 1 month, 3 weeks ago
br2c41.tmp 8 2025-03-26 1 month, 3 weeks ago
View All
Created

June 22, 2022

Last Revised

June 22, 2022