(YARA) YARA_Detect_CloseHandle
rule Detect_CloseHandle: AntiDebug {
meta:
description = "Detect CloseHandle as anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "NtClose" fullword ascii
$2 = "CloseHandle" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| CloseHandle, NtClose | U0114 B0001.003 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| Lightshot.exe | 10 | 2025-10-24 | 1 week, 2 days ago |
| Scalper_Telegram@Val1312q.dll | 8 | 2025-10-21 | 1 week, 5 days ago |
| HogwartsLegacy.exe | 7 | 2025-10-16 | 2 weeks, 3 days ago |
| Lab01-04.exe | 6 | 2025-09-26 | 1 month, 1 week ago |
| botnpwds.exe | 10 | 2025-09-24 | 1 month, 1 week ago |
| DNS-C2.exe84-rednefed-swodniw-8snoci.exe | 6 | 2025-09-23 | 1 month, 1 week ago |
| hid-tools.dll | 13 | 2025-09-22 | 1 month, 1 week ago |
| DelphinDesktop.dll | 9 | 2025-08-31 | 2 months ago |
| avbox.exe | 9 | 2025-08-31 | 2 months ago |
| Krbtool.exe | 8 | 2025-08-11 | 2 months, 3 weeks ago |
Created
June 22, 2022
Last Revised
June 22, 2022