The hypothesis is that a file matching the EquationGroup_Toolset_Apr17_Darkpulsar_1_1_0 rule, which covers a DarkPulsar component from the April 2017 Shadow Brokers "Lost in Translation" leak, indicates that an adversary is staging or running legacy EquationGroup tooling whose persistence mechanisms are already documented. Because this tooling predates most current endpoint controls and may sit on a host for years, a SOC team should hunt for it proactively in Azure Sentinel rather than wait for an alert, in order to identify and remove long-lived implants that have evaded traditional detection.
YARA Rule
rule EquationGroup_Toolset_Apr17_Darkpulsar_1_1_0 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "b439ed18262aec387984184e86bfdb31ca501172b1c066398f8c56d128ba855a"
   strings:
      // Error messages left in the binary; 'fullword' rejects occurrences embedded in a longer alphanumeric token
      $x1 = "[%s] - Error upgraded DLL architecture does not match target architecture (0x%x)" fullword ascii
      $x2 = "[%s] - Error building DLL loading shellcode" fullword ascii
   condition:
      // MZ header, small binary, and both strings present
      ( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
}
Azure Sentinel does not evaluate YARA itself: the rule runs on endpoints or in a file-scanning pipeline, and the resulting hits are ingested as events that the hunt queries. The rule fires only on a file that starts with the MZ header (uint16(0) == 0x5a4d), is smaller than 100 KB, and contains both $x strings as full words, so a hit is a high-confidence match on file content. The scenarios below describe benign contexts in which such a file can be handled; their filters identify the handling process and help prioritise hits, but a process name says nothing about the file's content, so suppress a hit only by the file's hash once that file has been verified.
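To show exactly what the condition accepts and rejects, here is a plain-Python re-implementation of the rule's logic run over constructed buffers. This is an added example, not the YARA engine and not part of the signature file; the sample buffers are constructed for the demonstration and are not real DarkPulsar binaries.

```python
"""Plain-Python re-implementation of the rule's condition (added example, not the
YARA engine and not part of the signature file): MZ header, size under 100 KB,
and both $x strings present as full words. The sample buffers are constructed
for the demonstration and are not real DarkPulsar binaries."""
import struct

# The two $x strings of EquationGroup_Toolset_Apr17_Darkpulsar_1_1_0, as ASCII bytes.
X1 = b"[%s] - Error upgraded DLL architecture does not match target architecture (0x%x)"
X2 = b"[%s] - Error building DLL loading shellcode"
MAX_SIZE = 100 * 1024  # YARA's "100KB" is 100 * 1024 bytes


def fullword_in(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword' semantics: an occurrence counts only when the bytes on
    either side of it are not alphanumeric."""
    start = 0
    while (idx := data.find(needle, start)) != -1:
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(needle):idx + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1
    return False


def rule_matches(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5a4d and filesize < 100KB and all of them."""
    if len(data) < 2:
        return False                                     # uint16(0) is undefined
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:   # little-endian "MZ"
        return False
    if len(data) >= MAX_SIZE:
        return False
    return fullword_in(data, X1) and fullword_in(data, X2)


def build_sample(strings, size=4096, mz=True) -> bytes:
    """Constructed PE-like buffer: an MZ (or non-MZ) header followed by the
    given strings, NUL-delimited, zero-padded to `size` bytes."""
    header = (b"MZ" if mz else b"\x7fELF").ljust(64, b"\x00")
    body = b"".join(b"\x00" + s + b"\x00" for s in strings)
    return (header + body).ljust(size, b"\x00")


# Constructed inputs covering each clause of the condition.
SAMPLES = {
    "both_strings": build_sample([X1, X2]),                      # true positive
    "one_string": build_sample([X2]),                            # 'all of them' fails
    "not_pe": build_sample([X1, X2], mz=False),                  # header check fails
    "too_big": build_sample([X1, X2], size=MAX_SIZE),            # filesize check fails
    "not_fullword": build_sample([X1, b"abc" + X2 + b"xyz"]),    # fullword fails on $x2
}


def scan_all(samples: dict) -> dict:
    """Run the rule over every sample and return name -> matched."""
    return {name: rule_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, matched in scan_all(SAMPLES).items():
        print(f"{name:>14}: {'MATCH' if matched else 'no match'}")
```

Only the first sample matches; each of the others fails exactly one clause, which is the behaviour to expect from the real rule: a hit requires the header, the size bound and both strings at once, so a benign file that merely mentions one of the error messages does not trigger it.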
Scenario: Scheduled System Maintenance Task
Description: A maintenance script launched by a scheduled task (schtasks.exe) copies or stages a file whose content matches the rule, for example an archived tool kept under an internal naming convention. The rule matches on the file's bytes, not its name, so a file called equationgroup.exe is neither more nor less suspicious than any other hit.
Filter/Exclusion: Check for process.parent_process_name == "schtasks.exe" or process.command_line contains "schtasks.exe /create", then review the task definition and the script's source before excluding the file's hash; a scheduled task writing a matching binary is also exactly the persistence pattern the hunt is looking for.
Scenario: Antivirus Quarantine Process
Description: A security tool (e.g., Windows Defender or Malwarebytes) is moving a file that matches the hash of the EquationGroup tool into quarantine; the hit comes from the AV engine reading the file, not from the tool executing.
Filter/Exclusion: Check for process.name == "MsMpEng.exe" or process.name == "mbam.exe"; confirm that the quarantine succeeded and trace how the file arrived on the host, since the hit still shows the tool reached it.
Scenario: Admin Debugging Session
Description: A system administrator is inspecting a matching file with analysis tooling (e.g., Procmon or Process Explorer) on a troubleshooting or malware-analysis host.
Filter/Exclusion: Check for process.name == "procmon.exe" or process.name == "procexp.exe" and that the host is a designated analysis system; hash and record the sample rather than discarding the hit.
Scenario: Legacy Software Compatibility Check
Description: A legacy application (e.g., LegacyApp.exe) is being tested in a sandboxed environment and the test corpus contains a file whose content matches the rule.
Filter/Exclusion: Check for process.name == "LegacyApp.exe" or process.parent_process_name == "explorer.exe" together with a known test-environment tag on the host.
Scenario: Custom Script for Log Analysis
Description: A custom PowerShell script (e.g., LogAnalyzer.ps1) processes log files and writes a temporary executable that triggers the rule. A legitimately generated file has no reason to contain the DarkPulsar error strings, so verify what the script actually wrote before treating the hit as benign.
Filter/Exclusion: Check for `process.name ==
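The following triage routine applies the idea behind these scenarios to a batch of hits: process context only adjusts priority, suppression keys on a verified SHA-256, and the same hash seen on several hosts is counted as a lateral-spread signal. This is an added example, not part of the original page; the hit events, hostnames and hashes are constructed, and the process.name / process.parent_process_name fields are assumed to mirror the scenario filters above.

```python
"""Triage of rule hits against the benign scenarios (added example; the hit
events, hostnames and hashes are constructed, and the process.name /
process.parent_process_name fields are assumed to mirror the scenario filters).
The rule matches file content, so suppression keys on the file's SHA-256 after
an analyst has verified it, never on the file name or the handling process."""
from collections import defaultdict

# Processes that legitimately touch detected files without executing them.
AV_PROCESSES = {"msmpeng.exe", "mbam.exe"}
ANALYSIS_TOOLS = {"procmon.exe", "procexp.exe"}

# Constructed hit events, one per YARA match reported by an endpoint scanner.
HITS = [
    {"host": "ws01", "sha256": "aa" * 32, "path": r"C:\Temp\equationgroup.exe",
     "process": {"name": "MsMpEng.exe", "parent_process_name": "services.exe"}},
    {"host": "ws02", "sha256": "aa" * 32, "path": r"C:\Windows\Temp\svc.dll",
     "process": {"name": "lsass.exe", "parent_process_name": "wininit.exe"}},
    {"host": "ws03", "sha256": "aa" * 32, "path": r"C:\Users\bob\Downloads\update.exe",
     "process": {"name": "cmd.exe", "parent_process_name": "schtasks.exe"}},
    {"host": "lab01", "sha256": "bb" * 32, "path": r"D:\samples\equationgroup.exe",
     "process": {"name": "procmon.exe", "parent_process_name": "explorer.exe"}},
]

# Hashes an analyst has already examined and accepted (constructed).
VERIFIED_BENIGN = {"bb" * 32}


def triage(hit: dict, verified_benign: set) -> str:
    """Return 'suppress', 'medium' or 'high' for one hit.

    Only a verified content hash suppresses; AV and analysis tooling lower the
    priority because the file is being handled rather than run, and everything
    else (including a scheduled task staging the file) stays high."""
    if hit["sha256"].lower() in verified_benign:
        return "suppress"
    name = hit["process"]["name"].lower()
    if name in AV_PROCESSES:
        return "medium"   # AV intercepted the file; confirm quarantine, trace origin
    if name in ANALYSIS_TOOLS:
        return "medium"   # an analyst is looking at it, but the hash is not yet verified
    return "high"


def triage_all(hits: list, verified_benign: set) -> dict:
    """host -> verdict for every hit."""
    return {h["host"]: triage(h, verified_benign) for h in hits}


def hosts_per_hash(hits: list, verified_benign: set) -> dict:
    """Distinct hosts per unsuppressed hash: the same content on several hosts
    points to lateral movement rather than an isolated false positive."""
    spread = defaultdict(set)
    for h in hits:
        if triage(h, verified_benign) != "suppress":
            spread[h["sha256"].lower()].add(h["host"])
    return {sha: len(hosts) for sha, hosts in spread.items()}


if __name__ == "__main__":
    for host, verdict in triage_all(HITS, VERIFIED_BENIGN).items():
        print(f"{host}: {verdict}")
    print(hosts_per_hash(HITS, VERIFIED_BENIGN))
```

In this constructed batch the Defender hit on ws01 is downgraded but not dropped, the lab sample is suppressed by its verified hash, and the two remaining hits plus ws01 share one hash across three hosts, which is the signal a hunter would pivot on next.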