Hypothesis: process memory on the host contains a .NET RAT/Agent whose strings match this rule. The family was first identified through a .pdb path referencing "almashreq" (see the rule's description), but the rule does not look for that .pdb file at all: it matches UTF-16 strings that suggest the agent reports a PC name and exchanges commands over a SOAP endpoint in the default http://tempuri.org/ namespace. Because the rule is written for memory rather than for files on disk, SOC teams should apply it in process-memory scans (live processes or memory dumps taken during incident response), treat a hit as a lead for an implant that may exist only in memory, and pivot to the affected host in Microsoft Sentinel (formerly Azure Sentinel) for the surrounding process, network and logon telemetry.
YARA Rule
rule almashreq_agent_dotnet : almashreq_agent_dotnet
{
    meta:
        description = "Memory rule for a .net RAT/Agent first found with .pdb referencing almashreq"
        author = "J from THL <[email protected]> with thx to @malwrhunterteam !!1!"
        date = "2019-05-12"
        reference1 = "https://twitter.com/JayTHL/status/1127334608142503936"
        reference2 = "https://www.virustotal.com/#/file/f6e1e425650abc6c0465758edf3c089a1dde5b9f58d26a50d3b8682cc38f12c8/details"
        reference3 = "https://www.virustotal.com/#/file/7e4231dc2bdab53f494b84bc13c6cb99478a6405405004c649478323ed5a9071/detection"
        reference4 = "https://www.virustotal.com/#/file/3cbaf6ddba3869ab68baf458afb25d2c8ba623153c43708bad2f312c4663161b/detection"
        reference5 = "https://www.virustotal.com/#/file/0f5424614b3519a340198dd82ad0abc9711a23c3283dc25b519affe5d2959a92/detection"
        maltype = "agent"
        filetype = "memory"

    strings:
        $s01 = "WriteElementString(@\"PCName\"," wide
        $s02 = "WriteElementString(@\"Command\"," wide
        $s03 = "WriteElementStringRaw(@\"commandID\"," wide
        $s04 = /^Try Run$/ wide
        $s05 = " is running in PC :" wide
        $s06 = "SOAPAction: \"http://tempuri.org/Set\"" wide
        $s07 = "Try Run</obj><name>" wide
        $s08 = "Disable</obj><name>" wide
        $s09 = "http://tempuri.org/" wide

    condition:
        7 of them
}
The rule's meta marks it as a memory rule (filetype = "memory"), so the intended deployment context is scanning process memory: live processes on an endpoint, or memory dumps collected during incident response. All nine string patterns carry the wide modifier, so they match only the UTF-16LE form of the text, which is how a running .NET process holds its strings; an ASCII copy of the same text will not match. The condition fires when at least 7 of the 9 strings are present, so a process that carries only the generic tempuri.org strings ($s06 and $s09) stays well below the threshold.
Scenario: A legitimate .NET SOAP client, or an ASMX/WCF service left on the default http://tempuri.org/ namespace, whose process memory holds the SOAPAction header and the namespace URL ($s06 and $s09).
Filter/Exclusion: No exclusion is needed in the rule, because two matches are far below the 7-of-9 threshold. When triaging a hit, check which strings matched and give weight to the agent-specific ones ($s01 to $s05, $s07, $s08) rather than the namespace strings.
Scenario: Security tooling that holds the sample or its strings in memory: an antivirus or EDR engine scanning the file, a YARA process with this rule compiled (the compiled wide strings are the same UTF-16 bytes the rule searches for, so a scanner can match itself), or an analyst's decompiler or debugger (for example dnSpy or ILSpy) with the sample open.
Filter/Exclusion: Exclude the scanner's own process on all hosts, and exclude analysis tooling only on designated analyst or sandbox hosts. Do not exclude on name fragments such as "debug", "dev" or "diagnostics": an implant can choose any process name, and such filters silently blind the detection.
Scenario: A malware repository, quarantine folder or memory image containing the original samples (for example the VirusTotal files referenced in the rule's meta) being read by a backup, indexing or file-copy process, so that the sample's strings pass through that process's memory.
Filter/Exclusion: Exclude the designated repository paths and hosts; treat any hit outside those locations as a true positive until proven otherwise.
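The following is an added example, not code from the rule's author or from THL: a plain-Python emulation of the rule's string logic that makes the wide modifier and the 7-of-9 threshold checkable offline. It assumes the rule's strings as listed above, treats $s04 (declared in the rule as the anchored regex /^Try Run$/ wide) as a plain wide substring, and builds its "memory regions" from constructed text rather than captured process memory. The benign region models a .NET client on the default tempuri.org namespace that ASP.NET web services use when no namespace is set; for real scanning, compile the rule with YARA or yara-python instead of this emulation.

```python
# Added example (not the rule author's code): emulation of the string logic of
# the almashreq_agent_dotnet YARA rule. Memory regions below are constructed.

# Wide strings from the rule. $s04 is declared there as the regex
# /^Try Run$/ wide; this emulation treats it as a plain wide substring
# (assumption), which also means $s07 implies $s04 and $s06 implies $s09.
RULE_STRINGS = {
    "s01": 'WriteElementString(@"PCName",',
    "s02": 'WriteElementString(@"Command",',
    "s03": 'WriteElementStringRaw(@"commandID",',
    "s04": "Try Run",
    "s05": " is running in PC :",
    "s06": 'SOAPAction: "http://tempuri.org/Set"',
    "s07": "Try Run</obj><name>",
    "s08": "Disable</obj><name>",
    "s09": "http://tempuri.org/",
}
THRESHOLD = 7  # condition: 7 of them


def wide(text: str) -> bytes:
    """The `wide` modifier matches only the UTF-16LE encoding of the string."""
    return text.encode("utf-16-le")


def match_rule(region: bytes) -> tuple[bool, list[str]]:
    """Return (fires, sorted ids of the strings found) for one memory region."""
    hits = sorted(sid for sid, text in RULE_STRINGS.items() if wide(text) in region)
    return len(hits) >= THRESHOLD, hits


def build_region(texts: list[str], encoding: str = "utf-16-le") -> bytes:
    """Constructed stand-in for a process memory region: NUL padding between strings."""
    body = b"\x00\x00".join(t.encode(encoding) for t in texts)
    return b"\x00" * 8 + body + b"\x00" * 8


# A benign .NET SOAP client on the default tempuri.org namespace: only the two
# namespace strings ($s06, $s09) are present, far below the threshold.
SAMPLE_BENIGN_SOAP = build_region([
    'SOAPAction: "http://tempuri.org/Set"',
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">',
])

# Every string from the rule, stored as UTF-16LE like a running .NET process.
SAMPLE_RAT = build_region(list(RULE_STRINGS.values()))

# The same text stored as ASCII: a wide-only rule does not see it at all.
SAMPLE_ASCII_RAT = build_region(list(RULE_STRINGS.values()), encoding="ascii")

# Five strings chosen so that six ids match ($s09 is implied by $s06): one short.
SAMPLE_PARTIAL = build_region([RULE_STRINGS[k] for k in ("s01", "s02", "s03", "s05", "s06")])


if __name__ == "__main__":
    for name, region in [("benign SOAP client", SAMPLE_BENIGN_SOAP),
                         ("RAT strings, wide", SAMPLE_RAT),
                         ("RAT strings, ASCII", SAMPLE_ASCII_RAT),
                         ("six of nine", SAMPLE_PARTIAL)]:
        fires, hits = match_rule(region)
        print(f"{name:20} fires={fires!s:5} hits={hits}")
```

Running the block shows the two properties a tuner cares about: the namespace strings alone never fire the rule, and an ASCII copy of the agent's strings is invisible to it, so any exclusion should be based on which ids matched rather than on the presence of tempuri.org.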