(YARA) YARA_Detect_Possible_GetForegroundWindow_Evasion
import "pe"
rule UNPROTECT_Possible_GetForegroundWindow_Evasion
{
meta:
description = "Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports."
author = "Kyle Cucci"
date = "2020-09-30"
condition:
uint16(0) == 0x5A4D and
pe.imports("user32.dll", "GetForegroundWindow") and
pe.imports("kernel32.dll", "Sleep")
}
Associated Techniques
No associated technique found so far.
Matching Samples 10 most recent
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
hmpalert pre-patched.exe | 7 | 2025-02-12 | 1 day, 3 hours ago |
weave hackvshack.net.dll | 6 | 2025-02-12 | 1 day, 7 hours ago |
cracked-by-txmuxn.exe | 6 | 2025-02-09 | 3 days, 17 hours ago |
penis.dll | 1 | 2025-02-05 | 1 week ago |
FL Keys_x64.dll | 4 | 2025-02-03 | 1 week, 2 days ago |
0b863912f72efc4e514d3165e6ae...821dfa56a1fd545dba5960f6.exe | 3 | 2025-01-11 | 1 month ago |
kernel32.dll | 13 | 2024-12-30 | 1 month, 1 week ago |
honeypot.exe | 5 | 2024-12-04 | 2 months, 1 week ago |
br1.dll | 10 | 2024-12-03 | 2 months, 1 week ago |
Niple_v6.exe | 2 | 2024-12-01 | 2 months, 1 week ago |
Created
June 20, 2022
Last Revised
June 20, 2022