This detection identifies potential Regin malware activity by flagging its disp.dll dispatcher, a known component of this advanced persistent threat. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify early-stage Regin infections before further lateral movement and data exfiltration occur.
YARA Rule
rule apt_regin_dispatcher_disp_dll
{
    meta:
        copyright = "Kaspersky Lab"
        author = "Kaspersky Lab"
        description = "Rule to detect Regin disp.dll dispatcher"
        version = "1.0"
        last_modified = "2014-11-18"
    strings:
        $mz = "MZ"
        $string1 = "shit"
        $string2 = "disp.dll"
        $string3 = "255.255.255.255"
        $string4 = "StackWalk64"
        $string5 = "imagehlp.dll"
    condition:
        ($mz at 0) and (all of ($string*))
}
This rule contains 6 string patterns in its detection logic: the MZ header marker, which must sit at offset 0, plus five $string* patterns that must all be present somewhere in the file.
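To make the condition concrete, here is an added example that emulates the rule's logic in plain Python and runs it over constructed buffers; it is not Kaspersky's code and not part of this page's rule set, it does not use the yara library, and the sample bytes are synthetic rather than real Regin artifacts.

```python
# Added example: a minimal evaluator for the apt_regin_dispatcher_disp_dll rule's
# condition, written to show what "($mz at 0) and (all of ($string*))" requires.
# This is not Kaspersky's code and does not use the yara library; the sample
# buffers below are constructed for illustration, not real Regin artifacts.

# The rule's patterns, copied from the rule above (all plain ASCII strings).
MZ = b"MZ"
STRING_PATTERNS = {
    "$string1": b"shit",
    "$string2": b"disp.dll",
    "$string3": b"255.255.255.255",
    "$string4": b"StackWalk64",
    "$string5": b"imagehlp.dll",
}


def matches_regin_dispatcher(data: bytes) -> bool:
    """True when the buffer satisfies the rule's condition.

    ($mz at 0) is offset-anchored, so an "MZ" elsewhere in the buffer does
    not count; (all of ($string*)) needs every $string* pattern to occur
    somewhere in the buffer, in any order and at any offset.
    """
    if not data.startswith(MZ):
        return False
    return all(pattern in data for pattern in STRING_PATTERNS.values())


def missing_patterns(data: bytes) -> list:
    """$string* identifiers absent from the buffer; handy when triaging a
    near-miss such as a file carrying four of the five strings."""
    return [name for name, pat in STRING_PATTERNS.items() if pat not in data]


# Constructed buffers: a fake PE-like blob carrying every pattern, plus two
# near-misses showing why each half of the condition matters.
SAMPLE_HIT = (
    b"MZ" + b"\x90" * 64
    + b"imagehlp.dll\x00StackWalk64\x00disp.dll\x00255.255.255.255\x00shit\x00"
)
SAMPLE_MZ_NOT_AT_0 = b"\x00\x00" + SAMPLE_HIT          # "MZ" at offset 2
SAMPLE_MISSING_ONE = SAMPLE_HIT.replace(b"StackWalk64", b"StackWalk32")

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("mz-not-at-0", SAMPLE_MZ_NOT_AT_0),
                       ("missing-one", SAMPLE_MISSING_ONE)]:
        print(label, matches_regin_dispatcher(buf), missing_patterns(buf))
```

The near-miss buffers show that a stray "MZ" later in a file does not satisfy the offset-anchored test, and that a single changed string (here StackWalk64 to StackWalk32) is enough to make the rule miss.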
Scenario: Scheduled maintenance task using disp.dll
Description: A legitimate scheduled task may use disp.dll as part of a maintenance or cleanup process.
Filter/Exclusion: Exclude processes where the parent process is a known system or maintenance scheduler (e.g., schtasks.exe, TaskScheduler), or filter by process name like maintenance.exe or cleanup.exe.
Scenario: Microsoft .NET Framework update or installation
Description: The disp.dll file is sometimes used by .NET Framework components during installation or updates.
Filter/Exclusion: Exclude processes where the parent is msiexec.exe or dotnet.exe, or filter by file paths in the C:\Windows\Microsoft.NET\Framework directory.
Scenario: Legitimate application using disp.dll for COM interop
Description: Some enterprise applications use disp.dll for COM object dispatching, especially in legacy systems.
Filter/Exclusion: Exclude processes associated with known enterprise applications (e.g., Excel.exe, Outlook.exe, SQLAgent.exe) or filter by file paths in application-specific directories.
Scenario: Administrative task involving COM objects
Description: An admin may use tools like regsvr32.exe or comsvcs.dll to register or manage COM components, which may involve disp.dll.
Filter/Exclusion: Exclude processes initiated by regsvr32.exe or where the parent process is an administrative tool like mmc.exe or services.msc.
Scenario: Antivirus or endpoint protection tool using disp.dll
Description: Some security tools may use disp.dll for internal COM object handling or for integration with other system components.
Filter/Exclusion: Exclude processes where the parent is an