← Back to SOC feed Coverage →

Detects EquationGroup Tool - April Leak

yara LOW Yara-Rules
community
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Yara-Rules →
Retrieved: 2026-06-10T11:00:00Z · Confidence: medium

Hunt Hypothesis

The hypothesis is that the detection of EquationGroup Tool - April Leak indicates potential adversary use of legacy malware associated with advanced persistent threats, which may be used for data exfiltration or system persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term compromise of critical systems.

YARA Rule

rule EquationGroup_Toolset_Apr17_msgks_mskgu {
   meta:
      description = "Detects EquationGroup Tool - April Leak"
      author = "Florian Roth"
      reference = "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation"
      date = "2017-04-15"
      hash1 = "7b4986aee8f5c4dca255431902907b36408f528f6c0f7d7fa21f079fa0a42e09"
      hash2 = "ef906b8a8ad9dca7407e0a467b32d7f7cf32814210964be2bfb5b0e6d2ca1998"
   strings:
      $op1 = { f4 65 c6 45 f5 6c c6 45 f6 33 c6 45 f7 32 c6 45 }
      $op2 = { 36 c6 45 e6 34 c6 45 e7 50 c6 45 e8 72 c6 45 e9 }
      $op3 = { c6 45 e8 65 c6 45 e9 70 c6 45 ea 74 c6 45 eb 5f }
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and all of them )
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

This rule contains 3 string patterns in its detection logic.

References

False Positive Guidance

Original source: https://github.com/Yara-Rules/rules/blob/main/malware/APT_eqgrp_apr17.yar