(YARA) YARA_Detect_CloseHandle
rule Detect_CloseHandle: AntiDebug {
meta:
description = "Detect CloseHandle as anti-debug"
author = "Unprotect"
comment = "Experimental rule"
strings:
$1 = "NtClose" fullword ascii
$2 = "CloseHandle" fullword ascii
condition:
uint16(0) == 0x5A4D and filesize < 1000KB and any of them
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| CloseHandle, NtClose | U0114 B0001.003 |
Matching Samples 10 most recent
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| ngen.exe | 7 | 2026-03-20 | 1 day, 6 hours ago |
| UnPackMe_VMProtect_1.53.exe | 7 | 2026-03-19 | 2 days, 9 hours ago |
| main.exe | 11 | 2026-02-07 | 1 month, 2 weeks ago |
| main.exe | 7 | 2026-02-03 | 1 month, 2 weeks ago |
| loader_complete.exe | 10 | 2026-01-27 | 1 month, 3 weeks ago |
| Torture.exe | 9 | 2025-12-16 | 3 months ago |
| cmd.exe | 7 | 2025-12-10 | 3 months, 1 week ago |
| setup.exe | 11 | 2025-12-09 | 3 months, 1 week ago |
| pafish64.exe | 10 | 2025-12-06 | 3 months, 2 weeks ago |
| fpCSEvtSvc.scam | 5 | 2025-12-01 | 3 months, 2 weeks ago |
Created
June 22, 2022
Last Revised
June 22, 2022