(YARA) YARA_Detect_Possible_GetForegroundWindow_Evasion

Download Raw

import "pe"
 
rule UNPROTECT_Possible_GetForegroundWindow_Evasion
{
    meta:
        description = "Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports."
        author = "Kyle Cucci"
        date = "2020-09-30"
 
    condition:
        uint16(0) == 0x5A4D and
        pe.imports("user32.dll", "GetForegroundWindow") and
        pe.imports("kernel32.dll", "Sleep")
}

Associated Techniques

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
VNC-Viewer-7.15.0-Windows-64bit.exe 5 2025-09-04 4 days, 15 hours ago
avbox.exe 9 2025-08-31 1 week, 2 days ago
LINTools.exe 4 2025-08-26 1 week, 6 days ago
0b98de4fbe9e42aa1b79f642c241...ac19b3fc5400705cfba61968.exe 5 2025-08-13 3 weeks, 5 days ago
TORKpro300.exe 3 2025-07-08 2 months ago
mel.exe.exe 4 2025-06-25 2 months, 2 weeks ago
tel.exe 13 2025-06-01 3 months, 1 week ago
5.exe 9 2025-05-30 3 months, 1 week ago
q.apk.exe 8 2025-05-30 3 months, 1 week ago
familyhook hackvshack.net.dll 5 2025-05-15 3 months, 3 weeks ago
View All

Created

June 20, 2022

Last Revised

June 20, 2022