(YARA) YARA_Detect_Possible_GetForegroundWindow_Evasion

import "pe"
 
rule UNPROTECT_Possible_GetForegroundWindow_Evasion
{
    meta:
        description = "Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports."
        author = "Kyle Cucci"
        date = "2020-09-30"
 
    condition:
        uint16(0) == 0x5A4D and
        pe.imports("user32.dll", "GetForegroundWindow") and
        pe.imports("kernel32.dll", "Sleep")
}

Associated Techniques

No associated technique found so far.

Matching Samples 10 most recent

Sample Name	Matching Techniques	First Seen	Last Seen
VNC-Viewer-7.15.0-Windows-64bit.exe	5	2025-09-04	4 days, 15 hours ago
avbox.exe	9	2025-08-31	1 week, 2 days ago
LINTools.exe	4	2025-08-26	1 week, 6 days ago
0b98de4fbe9e42aa1b79f642c241...ac19b3fc5400705cfba61968.exe	5	2025-08-13	3 weeks, 5 days ago
TORKpro300.exe	3	2025-07-08	2 months ago
mel.exe.exe	4	2025-06-25	2 months, 2 weeks ago
tel.exe	13	2025-06-01	3 months, 1 week ago
5.exe	9	2025-05-30	3 months, 1 week ago
q.apk.exe	8	2025-05-30	3 months, 1 week ago
familyhook hackvshack.net.dll	5	2025-05-15	3 months, 3 weeks ago

View All

Created

June 20, 2022

Last Revised

June 20, 2022