The detection identifies potential adversary use of the BUSURPER-3001-724.exe file, which is associated with the EQGRP toolset and may be used for network firewall manipulation. SOC teams should proactively hunt for this behavior to identify and mitigate early-stage adversarial activity that could lead to persistent network access or data exfiltration.
YARA Rule
rule EQGRP_BUSURPER_3001_724
{
    meta:
        description = "EQGRP Toolset Firewall - file BUSURPER-3001-724.exe"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-16"
        hash1 = "6b558a6b8bf3735a869365256f9f2ad2ed75ccaa0eefdc61d6274df4705e978b"
    strings:
        $s1 = "IMPLANT" fullword ascii
        $s2 = "KEEPGOING" fullword ascii
        $s3 = "upgrade_implant" fullword ascii
    condition:
        ( uint16(0) == 0x457f and filesize < 200KB and 2 of them ) or ( all of them )
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
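To make the condition concrete, the following Python emulation of the rule's logic is added here (it is not part of the original rule or this page) and is run against constructed byte buffers that exercise each branch. Note that `uint16(0) == 0x457f` reads the bytes `7f 45`, i.e. the start of an ELF header, so the narrow branch is gated on a Linux ELF binary despite the .exe file name; only the `all of them` branch fires on a non-ELF file.

```python
import re

# String patterns and limits transcribed from the EQGRP_BUSURPER_3001_724 rule above.
RULE_STRINGS = {
    "$s1": b"IMPLANT",
    "$s2": b"KEEPGOING",
    "$s3": b"upgrade_implant",
}
MAX_FILESIZE = 200 * 1024  # YARA's "200KB" is 200 * 1024 bytes


def uint16_le(data, offset=0):
    """YARA uint16(offset): little-endian 16-bit read, None when out of bounds."""
    if len(data) < offset + 2:
        return None
    return data[offset] | (data[offset + 1] << 8)


def fullword_match(pattern, data):
    """Emulate 'fullword ascii': some occurrence whose neighbouring bytes are not
    alphanumeric (YARA uses C isalnum, so NUL, '_' and punctuation all delimit)."""
    for m in re.finditer(re.escape(pattern), data):
        before = data[m.start() - 1:m.start()] if m.start() > 0 else b""
        after = data[m.end():m.end() + 1]
        if not before.isalnum() and not after.isalnum():
            return True
    return False


def matched_strings(data):
    return {name for name, pat in RULE_STRINGS.items() if fullword_match(pat, data)}


def rule_matches(data):
    """( uint16(0) == 0x457f and filesize < 200KB and 2 of them ) or ( all of them )"""
    hits = matched_strings(data)
    is_elf = uint16_le(data, 0) == 0x457F  # bytes 7f 45 = "\x7fE": ELF header, not "MZ"
    narrow = is_elf and len(data) < MAX_FILESIZE and len(hits) >= 2
    return narrow or len(hits) == len(RULE_STRINGS)


# Constructed stand-in buffers (not real samples) exercising each branch of the condition.
ELF, PE = b"\x7fELF", b"MZ"
SAMPLES = {
    "elf_two_strings": ELF + b"\x00" * 32 + b"IMPLANT\x00KEEPGOING\x00",
    "pe_two_strings": PE + b"\x00" * 32 + b"IMPLANT\x00KEEPGOING\x00",
    "pe_all_strings": PE + b"\x00" * 32 + b"IMPLANT\x00KEEPGOING\x00upgrade_implant\x00",
    "elf_partial_word": ELF + b"\x00" * 32 + b"IMPLANTATION\x00KEEPGOING\x00",
    "elf_oversized": ELF + b"IMPLANT\x00KEEPGOING\x00" + b"\x00" * MAX_FILESIZE,
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:18} strings={sorted(matched_strings(buf))} match={rule_matches(buf)}")
```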
Scenario: Legitimate Scheduled Job Execution
Description: A scheduled job runs the BUSURPER-3001-724.exe file as part of a routine maintenance task for the EQGRP Toolset Firewall.
Filter/Exclusion: process.parent_process == "Task Scheduler" or process.command_line contains "scheduled_task_id"
Scenario: Admin Task for Configuration Update
Description: An administrator manually executes BUSURPER-3001-724.exe to update firewall settings or apply a configuration change.
Filter/Exclusion: process.user == "admin_user" or process.command_line contains "config_update"
Scenario: Software Update or Patch Deployment
Description: The file is part of a software update or patch for the EQGRP Toolset Firewall, and is executed during a routine update process.
Filter/Exclusion: process.command_line contains "update.exe" or process.parent_process == "msiexec.exe"
Scenario: File Integrity Monitoring Tool Scan
Description: A file integrity monitoring tool (e.g., Tripwire, OSSEC) runs BUSURPER-3001-724.exe as part of its scanning process to verify system files.
Filter/Exclusion: process.parent_process == "tripwire.exe" or process.parent_process == "ossec.exe"
Scenario: Custom Script or Automation Tool Execution
Description: A custom script or automation tool (e.g., PowerShell, Python) invokes BUSURPER-3001-724.exe as part of an automated workflow for firewall management.
Filter/Exclusion: process.parent_process contains "powershell.exe" or process.parent_process contains "python.exe"