(YARA) YARA_Detect_SuspendThread


rule Detect_SuspendThread: AntiDebug {
    meta:
        description = "Detect SuspendThread as anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        // Thread suspension / manipulation APIs that can be used to freeze a debugger's threads
        $1 = "SuspendThread" fullword ascii
        $2 = "NtSuspendThread" fullword ascii
        $3 = "OpenThread" fullword ascii
        $4 = "SetThreadContext" fullword ascii
        $5 = "SetInformationThread" fullword ascii
        // Enumeration APIs commonly used to locate the debugger process or window.
        // YARA strings are case-sensitive unless marked nocase, so the import name
        // must use the exported spelling "CreateToolhelp32Snapshot" (lowercase "h").
        $x1 = "CreateToolhelp32Snapshot" fullword ascii
        $x2 = "EnumWindows" fullword ascii
    condition:
        // MZ header, size cap, at least one enumeration API, and any two of the
        // strings above ("them" also counts $x1 and $x2)
        uint16(0) == 0x5A4D and filesize < 1000KB and ($x1 or $x2) and 2 of them
}

Associated Techniques

Technique Name   Technique IDs   Snippet(s)   OS
SuspendThread U0101 C0055

Matching Samples (10 most recent)

Sample Name                                                    Matching Techniques   First Seen   Last Seen
57e0cadabe82b0c02a5d4606b0a3...6672d88e5a1ea4651969392c290b    12                    2024-11-19   2 days ago
al-khaser.exe                                                  24                    2024-11-13   1 week ago

Created: June 22, 2022

Last Revised: November 5, 2024