MAL_APT_Q_27_Renamed_Regsvr32_Specific_Execution_May23

Rule Info

Name: MAL_APT_Q_27_Renamed_Regsvr32_Specific_Execution_May23
Minimum YARA version: 1.7
Date: 2023-05-04
Description: Detects a specific set and ordering of command-line flags passed to a renamed copy of regsvr32.exe, as used by APT-Q-27 to load additional code
Author: X__Junior
Rule Hash: 69a5697824f3d9c8fb8ce4869ec2b355
Tags: MAL, ANOMALY, T1117 (MITRE ATT&CK Regsvr32, since re-numbered T1218.010), APT, SCRIPT
Score: 80
Required Modules: none
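The Valhalla page does not show the rule body, so the exact flags and ordering it keys on are unknown. The following is an added example, not the rule itself and not code from Nextron or X__Junior: it applies the same idea (regsvr32 running under a different file name, with code-loading switches in a given order) to process-creation events. It assumes Sysmon-style fields Image, OriginalFileName and CommandLine, that a renamed copy still carries the PE version string OriginalFilename REGSVR32.EXE, and an assumed flag order of /s before /i; the sample events are constructed.

```python
"""Added example: flag renamed regsvr32.exe executions in process-creation events.

Assumptions (not stated on the Valhalla page):
- Events carry Image, OriginalFileName and CommandLine (Sysmon Event ID 1 layout).
- Renaming the file on disk does not change the PE's OriginalFilename, so a
  mismatch between the on-disk basename and 'regsvr32.exe' marks a renamed copy.
- The switch order the hypothetical rule keys on is '/s' then '/i'; the real
  rule's flags and order are not shown on the page.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

REGSVR32_ORIGINAL_NAME = "regsvr32.exe"
# Switches that make regsvr32 load and execute code from the named module:
# /i[:arg] calls DllInstall, /n skips DllRegisterServer, /u calls
# DllUnregisterServer, /s suppresses message boxes (typical of unattended use).
LOAD_SWITCHES = {"/s", "/n", "/u", "/i"}
# Assumed ordering (see module docstring).
EXPECTED_ORDER = ("/s", "/i")


@dataclass
class Verdict:
    level: str                 # "high", "medium", "low" or "none"
    reason: str
    switches: Tuple[str, ...]  # normalised switches in command-line order
    target: Optional[str]      # last positional argument (DLL path), if any


def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def tokenize(cmdline: str):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_switches(tokens):
    """Return (switch names in order, positional args) for argv[1:].

    '/I:http://x/a.sct' normalises to '/i' and '-s' to '/s', so the order
    check is insensitive to case, dash style and the /i: payload.
    """
    switches, args = [], []
    for tok in tokens[1:]:
        if tok[:1] in "/-" and len(tok) > 1:
            switches.append("/" + tok[1].lower())
        else:
            args.append(tok)
    return switches, args


def in_order(switches, pattern) -> bool:
    """True when pattern occurs as an ordered subsequence of switches."""
    it = iter(switches)
    return all(any(s == p for s in it) for p in pattern)


def analyse(event: dict) -> Verdict:
    """Classify one process-creation event."""
    if event.get("OriginalFileName", "").lower() != REGSVR32_ORIGINAL_NAME:
        return Verdict("none", "not regsvr32", (), None)
    switches, args = parse_switches(tokenize(event["CommandLine"]))
    target = args[-1] if args else None
    name = basename(event["Image"])
    if name == REGSVR32_ORIGINAL_NAME:
        return Verdict("none", "regsvr32 under its own name", tuple(switches), target)
    if in_order(switches, EXPECTED_ORDER):
        return Verdict("high", f"renamed regsvr32 ({name}) with {' '.join(EXPECTED_ORDER)} in order",
                       tuple(switches), target)
    if LOAD_SWITCHES & set(switches):
        return Verdict("medium", f"renamed regsvr32 ({name}) with a code-loading switch",
                       tuple(switches), target)
    return Verdict("low", f"renamed regsvr32 ({name}) without load switches", tuple(switches), target)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"Image": r"C:\Users\Public\Libraries\svchost.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"svchost.exe /s /i C:\Users\Public\Libraries\update.dll"},
    {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"update.exe /u /n C:\Users\Public\x.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def scan(events):
    return [(basename(e["Image"]), analyse(e)) for e in events]


if __name__ == "__main__":
    for name, v in scan(SAMPLE_EVENTS):
        print(f"{v.level:6} {name:14} {v.reason}  switches={v.switches} target={v.target}")
```

Only the second event reaches "high": the image is named svchost.exe but its PE identity is regsvr32, and the switches appear in the assumed order. Keying on OriginalFileName rather than the command-line text is what makes a rename alone insufficient to evade the check.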

Antivirus Verdicts

Rating                        Number of Samples
Malicious (>= 10 engines)     0
Suspicious (< 10 engines)     0
Clean (0 engines)             12

Rule Matches

Hash                                                              Timestamp            Total engines  Positives
d715ad1939d5168b392eb9d6c235142bd945427a24ec8ebb779329a8ed474b22  2023-06-07 01:53:16  60             0
04ea1d496be78ac759af45d51a27c28f5e0e6feb616ea53a2d28c1485c2c88a3  2023-05-24 21:08:06  60             0
3e040c1e64ea892551af0cf1db30d53f34e7da9047af8ac9df5c928f666c97b6  2023-05-24 21:08:05  59             0
f5bc9ebb529610f9c4ff2eb2247a5e13cb808e22ae1407895432af7c67dfceca  2023-05-22 14:11:44  57             0
261e13a2a4951f268554e162dae63fd82032121413a5624a6ce19e8adee1ea44  2023-05-22 14:11:44  57             0
e37b8c800d0fa3097a422a1eff36b77e2e5afe603ff7fce502a3cddbf7634aff  2023-05-22 14:11:34  59             0
e84ec0b1dde0a5c7625d9b778bfc7d7fc1d7bd2aca0830cf4e4e6da987d6521b  2023-05-19 13:06:37  60             0
2a860436407eb1d5741f7a92c340f155929baac1efec4c4cd0f31cc8a64939fe  2023-05-19 13:06:37  60             0
2451f432c8ea025fdd41a129dca602215ea9823f64fc61766a04069be26468ca  2023-05-19 13:06:35  60             0
26a8a8deff5742485496e5973714685de3aba66526e338e77e88a78f379c669c  2023-05-16 12:11:34  60             0
aedbbc1cf59ef4567c46624e02054c079cb1c22eb5d11000a7f462824f80f7db  2023-05-16 12:11:34  60             0
65a6c95c3b6f853defeef43dcf87cb2a45583679060ba5a6ffe481a12cda3b60  2023-05-16 12:11:31  60             0

Rule Matches per Month (last 24 months)