(YARA) YARA_Detect_ExceptionHandler
rule Detect_SuspendThread: AntiDebug {
meta:
description = "Detect SuspendThread as anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "UnhandledExcepFilter" fullword ascii
$2 = "SetUnhandledExceptionFilter" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| Unhandled Exception Filter | U0108 B0001.030 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| Real Ghost Hollowing Test Notepad Calc.exe | 6 | 2025-07-05 | 4 hours, 14 minutes ago |
| Клиент.exe | 9 | 2025-07-01 | 4 days, 6 hours ago |
| ArtifactDLL.x64.dll | 5 | 2025-06-20 | 2 weeks, 1 day ago |
| Artifact.exe | 5 | 2025-06-20 | 2 weeks, 1 day ago |
| wireguard-installer.exe | 7 | 2025-06-12 | 3 weeks, 2 days ago |
| 131da83b521f610819141d5c7403...abb22ef504a7593955a65f07.exe | 9 | 2025-06-12 | 3 weeks, 2 days ago |
| tel.exe | 13 | 2025-06-01 | 1 month ago |
| loader.exe | 8 | 2025-05-29 | 1 month ago |
| cobalt_sample.exe | 13 | 2025-05-25 | 1 month, 1 week ago |
| unload_sysmon_x64.exe | 6 | 2025-05-18 | 1 month, 2 weeks ago |
Created
June 22, 2022
Last Revised
June 22, 2022