(YARA) YARA_Detect_SuspendThread
rule Detect_SuspendThread: AntiDebug {
meta:
description = "Detect SuspendThread as anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "SuspendThread" fullword ascii
$2 = "NtSuspendThread" fullword ascii
$3 = "OpenThread" fullword ascii
$4 = "SetThreadContext" fullword ascii
$5 = "SetInformationThread" fullword ascii
$x1 = "CreateToolHelp32Snapshot" fullword ascii
$x2 = "EnumWindows" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and ($x1 or $x2) and 2 of them
}
Associated Techniques
Technique Name | Technique ID's | Snippet(s) | OS |
---|---|---|---|
SuspendThread | U0101 C0055 |
Matching Samples 10 most recent
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
57e0cadabe82b0c02a5d4606b0a3...6672d88e5a1ea4651969392c290b | 12 | 2024-11-19 | 1 month ago |
al-khaser.exe | 24 | 2024-11-13 | 1 month, 1 week ago |
Created
June 22, 2022
Last Revised
November 5, 2024