The hypothesis is that a match on this rule (EquationGroup Tool - April Leak, i.e. the Equation Group toolset published by the Shadow Brokers in April 2017) indicates a file on the host that shares code with that leaked toolset, and therefore potential adversary use of legacy malware associated with advanced persistent threats. Because the leak is public, a hit can also mean reuse of the tools by a less sophisticated actor, or simply a copy kept by analysts; either way, SOC teams should proactively hunt for this in Azure Sentinel (now Microsoft Sentinel) to identify and mitigate long-lived, stealthy threats that may have evaded traditional detection mechanisms.
YARA Rule
rule EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_3 {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "515374423b8b132258bd91acf6f29168dcc267a3f45ecb9d1fe18ee3a253195b"
   strings:
      $a = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 }
      $b = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 }
      $c = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
}
This rule contains 3 string patterns in its detection logic. All three are hex byte sequences built around c6 45 xx yy, the x86 encoding of mov byte ptr [ebp+xx], yy, i.e. fragments of a string being assembled byte by byte on the stack. The condition fires only on a file whose first two bytes are MZ (uint16(0) == 0x5a4d, a PE image), that is smaller than 1000 KB, and that contains all three sequences. It does not look at file names, process names or command lines, which matters when judging the false-positive scenarios below.
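To make the condition concrete, here is an added example that re-implements the rule's three hex strings and its condition in plain Python and runs them over constructed byte buffers. This is illustration code, not the signature-base rule, the page's own code or the yara engine; it assumes the rule's hex strings contain no wildcards (true here) and that YARA's KB suffix means 1024 bytes, and every sample buffer is constructed rather than a real file.

```python
"""
Plain-Python re-implementation of the rule condition
    uint16(0) == 0x5a4d and filesize < 1000KB and all of them
Added example for illustration; not the signature-base rule, the page's
own code, or the yara engine. All sample inputs below are constructed.
"""
import struct

# The three hex string patterns exactly as they appear in the rule.
RULE_HEX_STRINGS = {
    "$a": "f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45",
    "$b": "36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9",
    "$c": "c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f",
}

# YARA's KB suffix is 1024, so "filesize < 1000KB" means strictly less than 1,024,000 bytes.
MAX_FILESIZE = 1000 * 1024
MZ_MAGIC = 0x5A4D  # "MZ" read as a little-endian uint16 at offset 0


def parse_hex_string(text: str) -> bytes:
    """Turn a wildcard-free YARA hex string into raw bytes."""
    return bytes(int(tok, 16) for tok in text.split())


PATTERNS = {name: parse_hex_string(h) for name, h in RULE_HEX_STRINGS.items()}


def matched_strings(data: bytes) -> set:
    """Names of the rule's strings found anywhere in data (YARA's default search)."""
    return {name for name, pat in PATTERNS.items() if pat in data}


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition on a file's bytes, in the same order YARA does."""
    if len(data) < 2:
        return False  # uint16(0) is undefined on a file shorter than 2 bytes
    if struct.unpack_from("<H", data, 0)[0] != MZ_MAGIC:
        return False  # not a PE image: scripts and text can never fire this rule
    if len(data) >= MAX_FILESIZE:
        return False  # filesize gate
    return matched_strings(data) == set(PATTERNS)  # "all of them"


def build_sample(prefix: bytes, include: tuple, pad: int = 0) -> bytes:
    """Constructed test buffer: prefix, filler, the selected patterns, then padding."""
    body = b"".join(PATTERNS[name] for name in include)
    return prefix + b"\x90" * 16 + body + b"\x00" * pad


if __name__ == "__main__":
    # Constructed samples (not real files): a fake PE containing all three
    # stack-string fragments, a PowerShell script embedding the same bytes,
    # and a PE that carries only two of the three strings.
    samples = {
        "fake_pe": build_sample(b"MZ", ("$a", "$b", "$c")),
        "script": build_sample(b"# hunt.ps1\r\n", ("$a", "$b", "$c")),
        "partial_pe": build_sample(b"MZ", ("$a", "$b")),
        "oversized_pe": build_sample(b"MZ", ("$a", "$b", "$c"), pad=MAX_FILESIZE),
    }
    for label, blob in samples.items():
        print(f"{label:12s} match={rule_matches(blob)!s:5s} "
              f"strings={sorted(matched_strings(blob))}")
```

The script sample shows why a .ps1 file cannot trigger this rule even when it contains every byte sequence: the MZ check fails first. The partial sample shows that two of three strings is not enough, which is what "all of them" buys over "any of them".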
Scenario: Legitimate System Update via Windows Update
Description: Files written by Windows Update (wuauclt.exe, svchost.exe) are scanned like any other, but this rule matches on byte content, not on file names or behaviour, so a genuine update binary would only fire if it actually contained all three stack-string sequences.
Filter/Exclusion: Do not exclude by process name or by a C:\Windows\ or C:\Windows\System32\ path, since malware is routinely dropped into those directories; instead confirm that the flagged file carries a valid Microsoft Authenticode signature and, if it does, exclude it by its SHA-256 hash.
Scenario: Scheduled Job Running PowerShell Script
Description: A scheduled task that runs a .ps1 script cannot match this rule by itself: a script is text, so uint16(0) == 0x5a4d fails and the condition short-circuits regardless of command-line arguments or file names. A hit attributed to such a task means the scanner examined a PE file, for example a binary the script dropped or loaded.
Filter/Exclusion: No exclusion on -Command, -File or a trusted script path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\) is needed, and none would be safe; identify the PE file that actually matched and investigate it.
Scenario: Admin Task Using Process Explorer
Description: Sysinternals tools such as procmon.exe and procexp.exe are PE files and will be scanned, but process names play no part in the condition; they would match only if they contained all three byte sequences.
Filter/Exclusion: Rather than excluding C:\Sysinternals\ (a path any user can create and populate), verify the Microsoft signature on the flagged binary and exclude it by hash.
Scenario: Malicious File Analysis in Sandbox Environment
Description: This is the most likely benign source of hits. Analysis hosts, sample repositories and quarantine folders legitimately hold copies of the leaked toolset, including the sample the rule was written against (hash1 in the rule's meta), and every such copy will match.
Filter/Exclusion: Exclude known analysis paths (e.g., C:\Program Files (x86)\Sandboxie\, C:\Users\AnalysisUser\) only on designated analysis hosts, preferably by giving those hosts their own scanning policy rather than adding a global path exclusion.
Scenario: Legitimate Use of mshta.exe for HTML Scripting
Description: mshta.exe is used in legitimate scenarios to run HTML applications, which may trigger the rule if the file name or behavior