Adversaries may use Regin 32-bit stage 1 loaders to establish initial persistence and execute malicious payloads within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and prevent further lateral movement and data exfiltration.
YARA Rule
rule apt_regin_2011_32bit_stage1
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin 32 bit stage 1 loaders"
        version = "1.0"
        last_modified = "2014-11-18"
    strings:
        $key1 = {331015EA261D38A7}
        $key2 = {9145A98BA37617DE}
        $key3 = {EF745F23AA67243D}
        $mz = "MZ"
    condition:
        ($mz at 0) and any of ($key*) and filesize < 300000
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
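As an added illustration (not code from Kaspersky Lab or the original page), the rule's condition re-implemented in plain Python so the three checks can be stepped through on constructed byte strings: the MZ header must sit at offset 0, at least one of the three hex keys must appear anywhere in the file, and the file must be under 300000 bytes. The samples are constructed, not real Regin binaries.

```python
from dataclasses import dataclass, field

# The three 8-byte hex patterns from the rule ($key1..$key3).
REGIN_KEYS = [
    bytes.fromhex("331015EA261D38A7"),
    bytes.fromhex("9145A98BA37617DE"),
    bytes.fromhex("EF745F23AA67243D"),
]
MZ = b"MZ"
MAX_SIZE = 300000  # the rule's "filesize < 300000" bound (strict)


@dataclass
class MatchResult:
    matched: bool
    reason: str
    keys_found: list = field(default_factory=list)


def check_regin_stage1(data: bytes) -> MatchResult:
    """Evaluate: ($mz at 0) and any of ($key*) and filesize < 300000."""
    # $mz at 0: the two bytes "MZ" must be at the very start of the file.
    if not data.startswith(MZ):
        return MatchResult(False, "no MZ header at offset 0")
    # any of ($key*): each hex key may occur at any offset.
    found = [f"$key{i}" for i, k in enumerate(REGIN_KEYS, start=1) if k in data]
    if not found:
        return MatchResult(False, "no $key pattern present")
    # filesize < 300000: larger files never match even if the keys are present.
    if len(data) >= MAX_SIZE:
        return MatchResult(False, f"filesize {len(data)} is not < {MAX_SIZE}", found)
    return MatchResult(True, "all conditions satisfied", found)


# Constructed samples (hypothetical, not real Regin loaders).
SAMPLE_HIT = MZ + b"\x00" * 64 + REGIN_KEYS[1] + b"\x00" * 32
SAMPLE_NO_MZ = b"\x7fELF" + REGIN_KEYS[0]            # key present, wrong header
SAMPLE_TOO_BIG = MZ + REGIN_KEYS[2] + b"\x00" * MAX_SIZE  # key present, too large
SAMPLE_BENIGN_PE = MZ + b"\x90" * 200                # PE-like, no key

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("no_mz", SAMPLE_NO_MZ),
                       ("too_big", SAMPLE_TOO_BIG), ("benign", SAMPLE_BENIGN_PE)]:
        print(name, check_regin_stage1(blob))
```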
The following benign activities can resemble execution of a 32-bit loader; each is paired with the filter or exclusion to apply when tuning the hunt.

Scenario: A system administrator is using PowerShell to run a legitimate scheduled job that executes a 32-bit executable for system maintenance.
Filter/Exclusion: Check for ProcessName containing powershell.exe and CommandLine containing -Command or -File with a known legitimate script path.

Scenario: A Windows Update process is running a 32-bit installer as part of a system patching task.
Filter/Exclusion: Filter by ProcessName containing wuauclt.exe or WindowsUpdate.exe and check for ParentProcessName matching svchost.exe.

Scenario: A backup tool such as Veeam or Acronis is executing a 32-bit executable during a scheduled backup operation.
Filter/Exclusion: Use ProcessName matching the backup tool's executable name (e.g., veeam.exe, acronisbackup.exe) and check for CommandLine containing backup-related arguments.

Scenario: A system diagnostic tool such as Process Monitor (ProcMon) is running a 32-bit executable for troubleshooting.
Filter/Exclusion: Filter by ProcessName matching procmon.exe (case-insensitive) and check for ParentProcessName matching a known legitimate application.

Scenario: A custom admin script written in VBScript or Batch is being executed to perform routine system checks, which may involve a 32-bit executable.
Filter/Exclusion: Use ProcessName containing cscript.exe or wscript.exe and check for CommandLine containing .vbs or .bat files from a known trusted location.