(YARA) YARA_Detect_RDTSC

Download Raw

rule Detect_RDTSC: AntiDebug AntiSandbox{
    meta: 
        description = "Detect RDTSC as anti-debug and anti-sandbox"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = { 0F 31 }
    condition:   
       uint16(0) == 0x5A4D and filesize < 1000KB and $1
}

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
RDTSC U0126

Matching Samples 10 most recent

Sample Name Matching Techniques First Seen Last Seen
prot-emul.exe 8 2025-08-19 1 week, 2 days ago
hemlockwin.exe 8 2025-08-06 3 weeks, 1 day ago
IObitUnlocker.sys 5 2025-07-12 1 month, 2 weeks ago
ePSXe.exe 7 2025-07-12 1 month, 2 weeks ago
binary2.exe 7 2025-06-28 2 months ago
wireguard-installer.exe 7 2025-06-12 2 months, 2 weeks ago
131da83b521f610819141d5c7403...abb22ef504a7593955a65f07.exe 9 2025-06-12 2 months, 2 weeks ago
MSBuild.exe 10 2024-11-15 2 months, 2 weeks ago
RuntimeBroker.exe 11 2025-06-05 2 months, 3 weeks ago
tel.exe 13 2025-06-01 2 months, 3 weeks ago
View All

Created

June 22, 2022

Last Revised

June 22, 2022