(YARA) YARA_Detect_Possible_GetForegroundWindow_Evasion

import "pe"
 
rule UNPROTECT_Possible_GetForegroundWindow_Evasion
{
    meta:
        description = "Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports."
        author = "Kyle Cucci"
        date = "2020-09-30"
 
    condition:
        uint16(0) == 0x5A4D and
        pe.imports("user32.dll", "GetForegroundWindow") and
        pe.imports("kernel32.dll", "Sleep")
}

Associated Techniques

No associated technique found so far.

Matching Samples 10 most recent

Sample Name	Matching Techniques	First Seen	Last Seen
hmpalert.exe	8	2025-04-20	1 day, 16 hours ago
DarkComet.exe	8	2025-04-25	5 days, 4 hours ago
DarkComet Remover 2 Portable.exe	4	2025-04-19	1 week, 3 days ago
FBH.dll	10	2025-03-22	1 month, 1 week ago
OutlastDev hackvshack.net.dll	4	2025-03-02	1 month, 3 weeks ago
hmpalert pre-patched.exe	7	2025-02-12	2 months, 2 weeks ago
weave hackvshack.net.dll	6	2025-02-12	2 months, 2 weeks ago
cracked-by-txmuxn.exe	6	2025-02-09	2 months, 3 weeks ago
penis.dll	1	2025-02-05	2 months, 3 weeks ago
FL Keys_x64.dll	4	2025-02-03	2 months, 3 weeks ago

View All

Created

June 20, 2022

Last Revised

June 20, 2022