(YARA) YARA_Detect_Possible_GetForegroundWindow_Evasion

Download Raw

import "pe"
 
rule UNPROTECT_Possible_GetForegroundWindow_Evasion
{
    meta:
        description = "Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports."
        author = "Kyle Cucci"
        date = "2020-09-30"
 
    condition:
        uint16(0) == 0x5A4D and
        pe.imports("user32.dll", "GetForegroundWindow") and
        pe.imports("kernel32.dll", "Sleep")
}

Associated Techniques

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
hmpalert pre-patched.exe 7 2025-02-12 1 day, 3 hours ago
weave hackvshack.net.dll 6 2025-02-12 1 day, 7 hours ago
cracked-by-txmuxn.exe 6 2025-02-09 3 days, 17 hours ago
penis.dll 1 2025-02-05 1 week ago
FL Keys_x64.dll 4 2025-02-03 1 week, 2 days ago
0b863912f72efc4e514d3165e6ae...821dfa56a1fd545dba5960f6.exe 3 2025-01-11 1 month ago
kernel32.dll 13 2024-12-30 1 month, 1 week ago
honeypot.exe 5 2024-12-04 2 months, 1 week ago
br1.dll 10 2024-12-03 2 months, 1 week ago
Niple_v6.exe 2 2024-12-01 2 months, 1 week ago
View All

Created

June 20, 2022

Last Revised

June 20, 2022