The detection rule identifies potential APT Hellsing installer artifacts, which may indicate the presence of a sophisticated adversary establishing a foothold in the environment. SOC teams should proactively hunt for this behavior to detect early-stage compromise and prevent further lateral movement and data exfiltration.
YARA Rule
rule apt_hellsing_installer
{
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
        Description = "detection for Hellsing xweber/msger installers"
        Reference = "http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back"
    strings:
        $mz="MZ"
        $cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
        $a1="xweber_install_uac.exe"
        $a2="system32\\cmd.exe" wide
        $a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
        $a5="S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg="
        $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g="
        $a7="vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw=="
        $a8="vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSINjl2tyI"
        $a9="C:\\Windows\\System32\\sysprep\\sysprep.exe" wide
        $a10="%SystemRoot%\\system32\\cmd.exe" wide
        $a11="msger_install.dll"
        $a12={00 65 78 2E 64 6C 6C 00}
    condition:
        ($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
}
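The following is an added example, not code from the page, from Kaspersky, or from the YARA project: a small pure-Python evaluation of this rule's condition, so the effect of `$mz at 0`, the `wide` modifier (UTF-16LE matching), the `{ ... }` hex string and `2 of ($a*)` can be checked on constructed buffers. It is not a YARA engine and only mirrors the logic of this one rule; in practice the rule is compiled and run with yara or yara-python. All strings are taken from the rule above; the sample buffers are constructed here and are not real files.

```python
# Added example: pure-Python mirror of the apt_hellsing_installer condition.
# Not the page's or Kaspersky's code and not a YARA engine; it reproduces the
# logic of this single rule so each sub-condition can be inspected.

MAX_FILESIZE = 500_000  # from the rule: filesize < 500000

# $mz and $cmd: plain strings, matched as raw ASCII bytes.
MZ = b"MZ"
CMD = b'cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f "%s"'

# $a* strings without a modifier: matched as raw ASCII bytes.
ASCII_A = {
    "a1": b"xweber_install_uac.exe",
    "a4": b"S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=",
    "a5": b"S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=",
    "a6": b"7dqm2ODf5N/Y2N/m6+br3dnZpunl44g=",
    "a7": b"vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw==",
    "a8": b"vd/m7OXd2ai/usPl5qjY2uXp69nZqO7l2qjf5u7a59rr7Kjf5tzr2u7n6euo4+Xm39zl2qju5dqo4+Xm39zl2t/m7ajr19vf2OPr39rj5eaZmqbs5OSINjl2tyI",
    "a11": b"msger_install.dll",
}

# $a* strings with the `wide` modifier: YARA matches these as UTF-16LE only.
WIDE_A = {
    "a2": "system32\\cmd.exe",
    "a9": "C:\\Windows\\System32\\sysprep\\sysprep.exe",
    "a10": "%SystemRoot%\\system32\\cmd.exe",
}

# $a12 = {00 65 78 2E 64 6C 6C 00}: a hex string, i.e. the raw bytes "\0ex.dll\0".
HEX_A = {"a12": bytes.fromhex("0065782E646C6C00")}


def matched_a_strings(data: bytes) -> list:
    """Return the sorted names of the $a* strings found anywhere in data."""
    hits = [n for n, s in ASCII_A.items() if s in data]
    hits += [n for n, s in WIDE_A.items() if s.encode("utf-16-le") in data]
    hits += [n for n, s in HEX_A.items() if s in data]
    return sorted(hits)


def evaluate(data: bytes):
    """Evaluate the rule condition on data.

    Returns (matched, details); details records each sub-condition so a
    non-match can be explained, much as `yara -s` lists matched strings.
    """
    details = {
        "mz_at_0": data.startswith(MZ),           # $mz at 0: must be the first two bytes
        "cmd": CMD in data,                        # $cmd anywhere in the file
        "a_hits": matched_a_strings(data),         # which $a* strings were seen
        "filesize_ok": len(data) < MAX_FILESIZE,   # filesize < 500000
    }
    matched = (details["mz_at_0"] and details["cmd"]
               and len(details["a_hits"]) >= 2     # 2 of ($a*)
               and details["filesize_ok"])
    return matched, details


def build_sample(mz=True, cmd=True, a_strings=(), pad=0) -> bytes:
    """Build a constructed test buffer (not a real file) out of the rule's strings."""
    parts = [MZ if mz else b"ZZ"]
    if cmd:
        parts.append(CMD)
    for name in a_strings:
        if name in ASCII_A:
            parts.append(ASCII_A[name])
        elif name in WIDE_A:
            parts.append(WIDE_A[name].encode("utf-16-le"))
        else:
            parts.append(HEX_A[name])
    return b"\n".join(parts) + b"\x00" * pad


if __name__ == "__main__":
    cases = {
        "MZ + cmd + two $a (a1, wide a2)": build_sample(a_strings=("a1", "a2")),
        "MZ + cmd + only one $a": build_sample(a_strings=("a1",)),
        "same indicators in a text file (no MZ at 0)": build_sample(mz=False, a_strings=("a1", "a2")),
        "matching content but over the 500000-byte cap": build_sample(a_strings=("a1", "a12"), pad=MAX_FILESIZE),
    }
    for label, data in cases.items():
        matched, details = evaluate(data)
        print(f"{label}: {'MATCH' if matched else 'no match'} {details}")
```

Two points the runs make visible: the `wide` strings ($a2, $a9, $a10) are only found when the path is stored as UTF-16LE, so the same path written as plain ASCII does not count toward `2 of ($a*)`; and because `$mz at 0` anchors the rule to the PE header, a text or script file containing the same indicators does not match, which is worth keeping in mind when tuning the exclusions below.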
This rule contains 13 string patterns in its detection logic: the MZ header check, the self-deletion command line, and eleven $a* indicators (file names, wide-encoded paths, base64 blobs and one hex pattern), of which any two must be present. The following scenarios describe benign activity that may match the rule, with a suggested filter or exclusion for each:
Scenario: A system administrator is installing the Hellsing malware analysis tool for security research purposes.
Filter/Exclusion: Check for the presence of a known security research tool or a signed installer from a trusted source (e.g., file.name contains "hellsing-research" or process.parent_process contains "powershell.exe" with a known research script).
Scenario: A scheduled job runs a legitimate script that matches the YARA signature due to similar file naming conventions.
Filter/Exclusion: Exclude files that match a known legitimate script or tool (e.g., file.name contains "hellsing_tool.sh" or process.name contains "scheduled_task.exe").
Scenario: A developer is using a tool like Ghidra or IDA Pro to analyze a binary that happens to match the YARA signature.
Filter/Exclusion: Exclude processes associated with reverse engineering tools (e.g., process.name contains "ghidra" or "idaq.exe").
Scenario: An admin is using PowerShell to deploy a legitimate application that has similar code structure to the Hellsing installer.
Filter/Exclusion: Exclude PowerShell scripts that are part of a known deployment tool (e.g., process.name contains "powershell.exe" and process.args contains "deploy-script.ps1").
Scenario: A system update or patching tool (like Chocolatey or WSUS) installs a package that coincidentally matches the YARA signature.
Filter/Exclusion: Exclude processes related to package managers (e.g., process.name contains "choco.exe" or process.name contains "wsusutil.exe").