EQGRP Toolset Firewall - file BFLEA-2201.exe

Hunt Hypothesis

The detection identifies potential adversary use of the BFLEA-2201.exe file, which is associated with the EQGRP toolset and may be used for network traffic manipulation or firewall evasion. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage persistent threats leveraging compromised network infrastructure.

YARA Rule

rule EQGRP_BFLEA_2201 
{

    meta:
        description = "EQGRP Toolset Firewall - file BFLEA-2201.exe"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "15e8c743770e44314496c5f27b6297c5d7a4af09404c4aa507757e0cc8edc79e"

    strings:
        $s1 = ".got_loader" fullword ascii
        $s2 = "LOADED" fullword ascii
        $s3 = "readFlashHandler" fullword ascii
        $s4 = "KEEPGOING" fullword ascii
        $s5 = "flashRtnsPix6x.c" fullword ascii
        $s6 = "fix_ip_cksum_incr" fullword ascii
        $s7 = "writeFlashHandler" fullword ascii

    condition:
        ( uint16(0) == 0x457f and filesize < 30KB and 5 of them ) or ( all of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 7 string patterns in its detection logic.

References

• Research
• Source Rule

False Positive Guidance

• Scenario: Legitimate use of BFLEA-2201.exe as part of the EQGRP Toolset Firewall configuration
  Filter/Exclusion: Check for the presence of the EQGRP Toolset installation directory in the file path, e.g., process.parent_process.name == "EQGRPToolset.exe" or file.path contains "EQGRPToolset"

• Scenario: Scheduled maintenance task running BFLEA-2201.exe for firewall rule updates
  Filter/Exclusion: Filter by process owner, e.g., process.user == "maintenance\svc_firewall" or check for a known scheduled task name, e.g., task_name == "EQGRP_Firewall_Update_Task"

• Scenario: Admin manually running BFLEA-2201.exe to troubleshoot firewall connectivity issues
  Filter/Exclusion: Include process owner as a known admin user, e.g., process.user == "admin\john_doe" or check for command-line arguments indicating troubleshooting, e.g., process.args contains "/debug"

• Scenario: BFLEA-2201.exe is used in a third-party integration for network monitoring
  Filter/Exclusion: Check for co-occurrence with known monitoring tools, e.g., file.name == "BFLEA-2201.exe" and file.name == "NetMonitor.exe" or check for a specific integration directory, e.g., file.path contains "ThirdPartyIntegration"

• Scenario: BFLEA-2201.exe is part of a software update or patching process
  Filter/Exclusion: Filter by process parent, e.g., process.parent_process.name == "msiexec.exe" or check for update-related command-line arguments, e.g., process.args contains "/update"