MAL_APT_Q_27_Renamed_Regsvr32_Specific_Execution_May23

Rule Info

Name
MAL_APT_Q_27_Renamed_Regsvr32_Specific_Execution_May23
Author
X__Junior
Description
Detects specific command line flags and commandline order of a renamed regsvr32.exe - used by APT-Q-27 to load extra code
Score
80
Reference
https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
Date
2023-05-04
Minimum Yara
1.7
Rule Hash
69a5697824f3d9c8fb8ce4869ec2b355
Tags
['ANOMALY', 'APT', 'T1218_010', 'MAL', 'SCRIPT']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/mal_apt_q_27_renamed_regsvr32_specific_execution_may23/comments

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
2
Suspicious (< 10 engines)
5
Clean (0 engines)
16

Rule Matches

Timestamp
Positives
Total
Hash
VT
2023-09-13 16:08:48
4
60
6caffb43c3ce8a83d6b4836823c98bdd9903343d87f2678b40a780f2d40a04dc
2023-08-30 12:12:22
0
54
8471befaa3868b11bf38a8dcaef0ac477f4dcfcde2df0f2b759e46b9c28c874f
2023-08-30 12:12:22
0
56
ca752471b87e5d5b1b3587bff7a3cf250fc8271afea77f1dbce57f8c82752f23
2023-08-30 12:05:16
11
59
4f32c9ce20495b4547515bb8dee5b5b18a11ecaf076af97d0708238ffb8a7f39
2023-08-06 14:03:50
6
60
326ed33921bffe36231cdce9be77c04899fa1d72951244fe20ac7dae18d752f4
2023-07-21 11:07:45
12
59
95b88f348bd5783ad0c684b0c407c897f03ab5c9121287ac4b4f7e77e44a0490
2023-07-21 11:05:26
0
53
2acedd69a49e2f01132e9f5474436d89973849b0dd85924ecd5c4647f11e58a0
2023-07-21 11:05:26
0
60
4c539f1f992f380c231de2acec01b9cefe6d0f8c24c86c551867806a1c3d6ed2
2023-07-19 14:40:26
4
60
40784503a1772aa1db2a57d9582cc6d11bb71ba9e1395eb60752c7820e521d51
2023-06-25 16:03:38
1
60
c739cf3f7a4d0b778d72662aa668c7c905a842ede8314253f64116cb36037074
2023-06-16 12:11:40
2
57
457eacaa363e68e637fa6395be1e072735dc710debfd1846c3a54a5d6d58586e
2023-06-07 01:53:16
0
60
d715ad1939d5168b392eb9d6c235142bd945427a24ec8ebb779329a8ed474b22
2023-05-24 21:08:06
0
60
04ea1d496be78ac759af45d51a27c28f5e0e6feb616ea53a2d28c1485c2c88a3
2023-05-24 21:08:05
0
59
3e040c1e64ea892551af0cf1db30d53f34e7da9047af8ac9df5c928f666c97b6
2023-05-22 14:11:44
0
57
f5bc9ebb529610f9c4ff2eb2247a5e13cb808e22ae1407895432af7c67dfceca
2023-05-22 14:11:44
0
57
261e13a2a4951f268554e162dae63fd82032121413a5624a6ce19e8adee1ea44
2023-05-22 14:11:34
0
59
e37b8c800d0fa3097a422a1eff36b77e2e5afe603ff7fce502a3cddbf7634aff
2023-05-19 13:06:37
0
60
e84ec0b1dde0a5c7625d9b778bfc7d7fc1d7bd2aca0830cf4e4e6da987d6521b
2023-05-19 13:06:37
0
60
2a860436407eb1d5741f7a92c340f155929baac1efec4c4cd0f31cc8a64939fe
2023-05-19 13:06:35
0
60
2451f432c8ea025fdd41a129dca602215ea9823f64fc61766a04069be26468ca
2023-05-16 12:11:34
0
60
26a8a8deff5742485496e5973714685de3aba66526e338e77e88a78f379c669c
2023-05-16 12:11:34
0
60
aedbbc1cf59ef4567c46624e02054c079cb1c22eb5d11000a7f462824f80f7db
2023-05-16 12:11:31
0
60
65a6c95c3b6f853defeef43dcf87cb2a45583679060ba5a6ffe481a12cda3b60

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022