(YARA) YARA_detect_tlscallback
rule detect_tlscallback {
meta:
description = "Simple rule to detect tls callback as anti-debug."
author = "Thomas Roccia | @fr0gger_"
strings:
$str1 = "TLS_CALLBACK" nocase
$str2 = "TLScallback" nocase
condition:
uint32(uint32(0x3C)) == 0x4550 and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| TLS Callback | U0124 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| a.exe | 7 | 2025-10-03 | 3 weeks, 4 days ago |
| program.exe | 6 | 2025-10-01 | 4 weeks ago |
| DSViper_AES.exe | 8 | 2025-09-23 | 1 month ago |
| xor.exe | 6 | 2025-08-30 | 1 month, 4 weeks ago |
| hemlockwin.exe | 8 | 2025-08-06 | 2 months, 3 weeks ago |
| teste.exe | 6 | 2025-07-29 | 3 months ago |
| libcrypto-1_1.dll | 7 | 2025-07-01 | 3 months, 3 weeks ago |
| loader.exe | 8 | 2025-05-29 | 5 months ago |
| hello.exe | 8 | 2024-12-27 | 10 months ago |
| test.exe | 7 | 2024-12-06 | 10 months, 3 weeks ago |
Created
June 20, 2022
Last Revised
June 20, 2022