(YARA) YARA_detect_tlscallback
rule detect_tlscallback {
meta:
description = "Simple rule to detect tls callback as anti-debug."
author = "Thomas Roccia | @fr0gger_"
strings:
$str1 = "TLS_CALLBACK" nocase
$str2 = "TLScallback" nocase
condition:
uint32(uint32(0x3C)) == 0x4550 and any of them
}
Associated Techniques
Technique Name | Technique ID's | Snippet(s) | OS |
---|---|---|---|
TLS Callback | U0124 |
Matching Samples 10 most recent
Sample Name | Matching Techniques | First Seen | Last Seen |
---|---|---|---|
a.exe | 7 | 2025-10-03 | 4 days, 17 hours ago |
program.exe | 6 | 2025-10-01 | 1 week ago |
DSViper_AES.exe | 8 | 2025-09-23 | 2 weeks, 1 day ago |
xor.exe | 6 | 2025-08-30 | 1 month, 1 week ago |
hemlockwin.exe | 8 | 2025-08-06 | 2 months ago |
teste.exe | 6 | 2025-07-29 | 2 months, 1 week ago |
libcrypto-1_1.dll | 7 | 2025-07-01 | 3 months ago |
loader.exe | 8 | 2025-05-29 | 4 months, 1 week ago |
hello.exe | 8 | 2024-12-27 | 9 months, 1 week ago |
test.exe | 7 | 2024-12-06 | 10 months ago |
Created
June 20, 2022
Last Revised
June 20, 2022