This detection identifies the BBANJO-3011.exe binary from the Equation Group (EQGRP) firewall toolset that was leaked by the Shadow Brokers in August 2016. Despite the .exe extension, the rule targets an ELF binary (its condition requires the ELF magic), and the strings it keys on (beacon_getconfig, FormBeaconPacket, beacon_reconfigure, encryptFC4Payload) point to an implant's beaconing, payload-encryption and reconfiguration code rather than to a Windows program. A match means a copy of the tooling is present on the scanned host or share. SOC teams should hunt for it proactively: firewall implants give an adversary a persistent foothold on the network perimeter and undermine every control that depends on the firewall behaving as configured.
YARA Rule
rule EQGRP_BBANJO
{
    meta:
        description = "EQGRP Toolset Firewall - file BBANJO-3011.exe"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "f09c2f90464781a08436321f6549d350ecef3d92b4f25b95518760f5d4c9b2c3"
    strings:
        $s1 = "get_lsl_interfaces" fullword ascii
        $s2 = "encryptFC4Payload" fullword ascii
        $s3 = ".got_loader" fullword ascii
        $s4 = "beacon_getconfig" fullword ascii
        $s5 = "LOADED" fullword ascii
        $s6 = "FormBeaconPacket" fullword ascii
        $s7 = "beacon_reconfigure" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 50KB and all of them )
}
The rule's detection logic combines three checks that must all hold. The file must begin with the ELF magic: uint16(0) reads the first two bytes little-endian, so 0x457f is the byte sequence 7F 45, the start of 7F 45 4C 46 ("\x7fELF"). The file must be smaller than 50KB (YARA's KB is 1024 bytes, so 51200 bytes). And all seven ASCII string patterns must be present as whole words; the fullword modifier means each string must be bounded by non-alphanumeric bytes or the file boundary, so "LOADED" inside "RELOADED" does not count, while "_LOADED_" does, since YARA treats the underscore as a delimiter. Because of the magic check the rule matches ELF files only; a Windows PE file named BBANJO-3011.exe cannot match whatever strings it contains. It is therefore a file-content detection for a YARA scanner (endpoint file scans, file shares, mail and web gateways, sandboxes), not a process-execution detection, and the scenarios below should be read in that light.
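The following is an added example, not part of the original page and not code from the rule's author: a pure-Python re-implementation of the rule's condition (ELF magic via a little-endian uint16 read, the 50KB size bound, and YARA's fullword semantics using the same alphanumeric delimiter test the YARA engine applies), run over constructed byte buffers. The buffers are synthetic inputs built inline to exercise each clause of the condition; none of them is the real BBANJO binary, and the function and sample names are this example's own.

```python
import struct

# The seven fullword ASCII strings from rule EQGRP_BBANJO.
STRINGS = [
    b"get_lsl_interfaces",
    b"encryptFC4Payload",
    b".got_loader",
    b"beacon_getconfig",
    b"LOADED",
    b"FormBeaconPacket",
    b"beacon_reconfigure",
]
MAX_SIZE = 50 * 1024  # YARA's "50KB" is 50 * 1024 bytes


def _is_alnum(byte: int) -> bool:
    """YARA's fullword delimiter test: ASCII letters and digits only.
    Underscore, dot, NUL and bytes >= 0x80 all count as delimiters."""
    return byte < 128 and chr(byte).isalnum()


def fullword_match(data: bytes, needle: bytes) -> bool:
    """True if needle occurs in data bounded by non-alphanumeric bytes
    (or the buffer start/end), mirroring YARA's 'fullword' modifier."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        before_ok = i == 0 or not _is_alnum(data[i - 1])
        end = i + len(needle)
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = i + 1  # keep looking: a later occurrence may be a whole word


def has_elf_magic(data: bytes) -> bool:
    """uint16(0) == 0x457f: little-endian read of the first two bytes 7F 45."""
    return len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x457F


def eqgrp_bbanjo_matches(data: bytes) -> bool:
    """Evaluate the rule condition: ELF magic, filesize < 50KB, all seven
    strings present as whole words."""
    return (
        has_elf_magic(data)
        and len(data) < MAX_SIZE
        and all(fullword_match(data, s) for s in STRINGS)
    )


def _sample(magic: bytes, strings, pad: int = 0) -> bytes:
    """Constructed test buffer: magic, NUL-separated strings, optional padding.
    Synthetic input for this example, not bytes from the real binary."""
    return magic + b"\x00" + b"\x00".join(strings) + b"\x00" + b"\x00" * pad


ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"

SAMPLES = {
    # All seven strings in a small ELF-like buffer: matches.
    "elf_all_strings": _sample(ELF_MAGIC, STRINGS),
    # Same strings behind a PE header: uint16(0) rejects it, whatever the filename.
    "pe_all_strings": _sample(PE_MAGIC, STRINGS),
    # One string missing: 'all of them' fails.
    "elf_six_strings": _sample(ELF_MAGIC, STRINGS[:-1]),
    # 'LOADED' only inside 'RELOADED': fullword fails on $s5.
    "elf_reloaded": _sample(ELF_MAGIC, STRINGS[:4] + [b"RELOADED"] + STRINGS[5:]),
    # Underscore is not alphanumeric, so '_LOADED_' still satisfies fullword.
    "elf_underscored": _sample(ELF_MAGIC, STRINGS[:4] + [b"_LOADED_"] + STRINGS[5:]),
    # Everything present, but the buffer is 50KB or larger.
    "elf_too_big": _sample(ELF_MAGIC, STRINGS, pad=MAX_SIZE),
}


def scan_samples() -> dict:
    """Run the rule logic over every constructed sample."""
    return {name: eqgrp_bbanjo_matches(buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:16s} {'MATCH' if hit else 'no match'}")
```

The pe_all_strings case is the one worth remembering when triaging: a file carrying this name on a Windows host will not trigger the rule unless it is actually an ELF, so a match on any host is a statement about file content, not about the extension. For production scanning use the real engine (yara or yara-python) rather than this re-implementation; the point here is to make the three clauses of the condition visible.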
Scenario: Security researchers, malware analysts or threat-intelligence staff keep a copy of the leaked EQGRP archive on an analysis workstation, a lab file share or in a sandbox's sample store, and a scan of those locations matches.
Filter/Exclusion: Exclude only the documented analysis hosts and directories, or allowlist the known sample by its SHA-256 (hash1 in the rule). Keep the match in the log even where the alert is suppressed, so the same file turning up outside the lab is still visible.
Scenario: The rule fires inside the install or data directory of a network-monitoring or firewall-management product (for example SolarWinds Network Configuration Manager or PRTG Network Monitor).
Filter/Exclusion: None. No enterprise product ships this file, and the ELF magic check means a Windows PE component of such a product cannot match in any case. Confirm the hash and treat the hit as a true positive, with higher priority because the host manages firewalls.
Scenario: The match is found under an administrator's home directory, in a scripts folder or on a jump host used for firewall changes.
Filter/Exclusion: None. "EQGRP Toolset Firewall" names the leaked attack toolkit, not a product an administrator configures, so there is no legitimate administrative use of the file. A privileged user context (root, Administrators) raises the priority of the alert rather than excusing it.
Scenario: An endpoint protection product (for example Microsoft Defender or CrowdStrike Falcon) has already detected the file and holds a copy in its quarantine store, which a later file scan reaches.
Filter/Exclusion: Exclude the product's documented quarantine directory from the scan scope, or correlate the match with the product's own detection event for the same path; products that store quarantined files in an encoded form will not match anyway. Do not exclude on the basis of security-tool process names in a process tree: the rule is a file-content check, and the match says where a copy lies, not which process read it.
Scenario: A backup or synchronization job (e.g., Veeam Backup & Replication, SyncToy, or Robocopy) includes the file BBANJO-3011.exe in its transfer list,