This detection identifies potential FiveEyes QUERTY malware activity by matching strings extracted from the sample file 20120.dll.bin (SHA-1 6811bfa3b8cda5147440918f83c40237183dbd25 in the rule's metadata), which is associated with known malicious behavior. SOC teams should proactively hunt for this indicator in Azure Sentinel to identify and mitigate advanced persistent threats leveraging this malware variant.
YARA Rule
rule FiveEyes_QUERTY_Malwaresig_20120_dll
{
    meta:
        description = "FiveEyes QUERTY Malware - file 20120.dll.bin"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "6811bfa3b8cda5147440918f83c40237183dbd25"
    strings:
        $s0 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt" fullword wide
        $s1 = "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml" fullword wide
        $s2 = "Failed to send the EQwerty_driverStatusCommand to the implant." fullword ascii
        $s3 = "- Log Used (number of windows) - %d" fullword wide
        $s4 = "- Log Limit (number of windows) - %d" fullword wide
        $s5 = "Process or User Default Language" fullword wide
        $s6 = "Windows 98/Me, Windows NT 4.0 and later: Vietnamese" fullword wide
        $s7 = "- Logging of keystrokes is switched ON" fullword wide
        $s8 = "- Logging of keystrokes is switched OFF" fullword wide
        $s9 = "Qwerty is currently logging active windows with titles containing the fo" wide
        $s10 = "Windows 95, Windows NT 4.0 only: Korean (Johab)" fullword wide
        $s11 = "FAILED to get Qwerty Status" fullword wide
        $s12 = "- Successfully retrieved Log from Implant." fullword wide
        $s13 = "- Logging of all Windows is toggled ON" fullword wide
        $s14 = "- Logging of all Windows is toggled OFF" fullword wide
        $s15 = "Qwerty FAILED to retrieve window list." fullword wide
        $s16 = "- UNSUCCESSFUL Log Retrieval from Implant." fullword wide
        $s17 = "The implant failed to return a valid status" fullword ascii
        $s18 = "- Log files were NOT generated!" fullword wide
        $s19 = "Windows 2000/XP: Armenian. This is Unicode only." fullword wide
        $s20 = "- This machine is using a PS/2 Keyboard - Continue on using QWERTY" fullword wide
    condition:
        10 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 21 string patterns in its detection logic.
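To make the rule's logic concrete, the following is an added example (not part of the original rule, the page, or the yara project): a dependency-free re-implementation of how the 21 strings are evaluated, so the "10 of them" condition and the wide/fullword modifiers can be exercised on constructed buffers without a YARA install. The fullword test is a simplification of YARA's (reject a match whose adjacent one-byte or two-byte character unit is alphanumeric), and build_sample is a hypothetical helper that fabricates a string table for testing.

```python
"""Added example (not part of the original rule or of the yara project): a
dependency-free re-implementation of how the 21 strings in
FiveEyes_QUERTY_Malwaresig_20120_dll are evaluated, so the '10 of them'
condition and the 'wide'/'fullword' modifiers can be exercised on constructed
buffers.  The fullword test is a simplification of YARA's: a match is rejected
when the adjacent one-byte (ascii) or two-byte (wide) unit is alphanumeric."""
from typing import List, NamedTuple


class Pattern(NamedTuple):
    name: str
    text: str
    modifier: str   # "wide" (UTF-16LE) or "ascii", as written in the rule
    fullword: bool


# The rule's strings, transcribed from the page; "\\" in YARA source is one backslash.
PATTERNS = [
    Pattern("$s0", "\\QwLog_%d-%02d-%02d-%02d%02d%02d.txt", "wide", True),
    Pattern("$s1", "\\QwLog_%d-%02d-%02d-%02d%02d%02d.xml", "wide", True),
    Pattern("$s2", "Failed to send the EQwerty_driverStatusCommand to the implant.", "ascii", True),
    Pattern("$s3", "- Log Used (number of windows) - %d", "wide", True),
    Pattern("$s4", "- Log Limit (number of windows) - %d", "wide", True),
    Pattern("$s5", "Process or User Default Language", "wide", True),
    Pattern("$s6", "Windows 98/Me, Windows NT 4.0 and later: Vietnamese", "wide", True),
    Pattern("$s7", "- Logging of keystrokes is switched ON", "wide", True),
    Pattern("$s8", "- Logging of keystrokes is switched OFF", "wide", True),
    Pattern("$s9", "Qwerty is currently logging active windows with titles containing the fo", "wide", False),
    Pattern("$s10", "Windows 95, Windows NT 4.0 only: Korean (Johab)", "wide", True),
    Pattern("$s11", "FAILED to get Qwerty Status", "wide", True),
    Pattern("$s12", "- Successfully retrieved Log from Implant.", "wide", True),
    Pattern("$s13", "- Logging of all Windows is toggled ON", "wide", True),
    Pattern("$s14", "- Logging of all Windows is toggled OFF", "wide", True),
    Pattern("$s15", "Qwerty FAILED to retrieve window list.", "wide", True),
    Pattern("$s16", "- UNSUCCESSFUL Log Retrieval from Implant.", "wide", True),
    Pattern("$s17", "The implant failed to return a valid status", "ascii", True),
    Pattern("$s18", "- Log files were NOT generated!", "wide", True),
    Pattern("$s19", "Windows 2000/XP: Armenian. This is Unicode only.", "wide", True),
    Pattern("$s20", "- This machine is using a PS/2 Keyboard - Continue on using QWERTY", "wide", True),
]


def encode(text: str, modifier: str) -> bytes:
    """Encode a pattern the way its YARA modifier does."""
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("ascii")


def _alnum_unit(buf: bytes, pos: int, width: int) -> bool:
    """True if the character unit at buf[pos:pos+width] is ASCII alphanumeric;
    a wide unit only counts as a character when its high byte is NUL."""
    if pos < 0 or pos + width > len(buf):
        return False
    unit = buf[pos:pos + width]
    if width == 2 and unit[1] != 0:
        return False
    c = unit[0]
    return 48 <= c <= 57 or 65 <= c <= 90 or 97 <= c <= 122


def matching_strings(buf: bytes) -> List[str]:
    """Names of the rule strings found in buf with the right encoding and,
    where the rule says fullword, without an alphanumeric neighbour."""
    hits = []
    for p in PATTERNS:
        width = 2 if p.modifier == "wide" else 1
        needle = encode(p.text, p.modifier)
        start = 0
        while (pos := buf.find(needle, start)) != -1:
            if not p.fullword or not (_alnum_unit(buf, pos - width, width)
                                      or _alnum_unit(buf, pos + len(needle), width)):
                hits.append(p.name)
                break
            start = pos + 1
    return hits


def rule_matches(buf: bytes) -> bool:
    """The rule's condition, '10 of them'."""
    return len(matching_strings(buf)) >= 10


def build_sample(names: List[str], suffix: bytes = b"") -> bytes:
    """Constructed (hypothetical) buffer: the named patterns encoded per their
    modifier, each followed by `suffix` and a double NUL, as in a string table."""
    by_name = {p.name: p for p in PATTERNS}
    return b"".join(encode(by_name[n].text, by_name[n].modifier) + suffix + b"\x00\x00"
                    for n in names)


if __name__ == "__main__":
    ten = [p.name for p in PATTERNS[:10]]
    print(rule_matches(build_sample(ten)), rule_matches(build_sample(ten[:9])))  # True False
```

Two points the evaluator makes visible: the rule keys on the encoded strings inside the file, not on the file name, so a legitimate file that merely shares the name 20120.dll.bin does not match; and the wide strings only count when stored as UTF-16LE, so a plain-ASCII rendering of the same text contributes nothing toward the threshold of ten.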
Scenario: A system administrator is using Sysinternals Process Explorer to manually inspect processes and accidentally triggers the rule by opening a legitimate .dll file.
Filter/Exclusion: Exclude processes associated with Process Explorer or check for the presence of sysinternals in the process name or command line.
Scenario: A Windows Update or Microsoft Defender Antivirus scan temporarily creates or accesses the 20120.dll.bin file as part of its operations.
Filter/Exclusion: Exclude processes related to Windows Update (e.g., wuauserv, svchost.exe with Windows Update service) or Microsoft Defender (e.g., MsMpEng.exe).
Scenario: A scheduled task runs a legitimate script or tool that dynamically generates or references the 20120.dll.bin file for internal use (e.g., a custom logging or monitoring tool).
Filter/Exclusion: Exclude tasks with known legitimate names or check for the presence of a specific task scheduler name or user account associated with internal tools.
Scenario: A third-party software tool (e.g., Wireshark, tcpdump, or LogParser) uses a .dll file with a similar name during packet capture or log analysis.
Filter/Exclusion: Exclude processes associated with the specific tool (e.g., wireshark.exe, logparser.exe) or check for the presence of known tool-specific command-line arguments.
Scenario: A system backup or restore operation temporarily places a file with the same name as the malware file in the system path or temporary directory.
Filter/Exclusion: Exclude files located in known backup directories (e.g., C:\Windows\Temp, C:\Users\*\AppData\Local\Temp,
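The exclusions described in the scenarios above, as an added triage helper (example code, not from the page or any vendor product): it tags a YARA hit with an exclusion reason when the process, command line or path matches one of the benign cases listed, and leaves every other hit to alert. The hit record layout (process, command_line, path), the svchost-plus-wuauserv check for the Windows Update service host, and the sample hits are all assumptions; the path globs are the two directories the page names.

```python
"""Added example (not from the page or any vendor product): a triage helper
that applies the benign scenarios listed above as exclusions to YARA hits
before they are raised as alerts.  The hit record layout (process,
command_line, path) and the svchost/wuauserv check are assumptions.  The
exclusions touch only process and path fields; a suppressed hit is tagged
with a reason rather than dropped, so the match itself stays on record."""
import fnmatch
from typing import Dict, List, Optional, Tuple

# Process names the page lists as benign sources of the rule firing.
EXCLUDED_PROCESSES = {"msmpeng.exe": "defender", "wireshark.exe": "packet-capture",
                      "logparser.exe": "log-analysis"}
# Backup/temporary locations named on the page (glob form, compared case-insensitively).
EXCLUDED_PATHS = [r"C:\Windows\Temp\*", r"C:\Users\*\AppData\Local\Temp\*"]


def triage(hit: Dict[str, str]) -> Optional[str]:
    """Return the exclusion reason for a hit, or None if it should alert."""
    proc = hit.get("process", "").lower()
    cmd = hit.get("command_line", "").lower()
    path = hit.get("path", "").lower()
    if proc in EXCLUDED_PROCESSES:
        return EXCLUDED_PROCESSES[proc]
    if "sysinternals" in proc or "sysinternals" in cmd:   # Process Explorer scenario
        return "sysinternals"
    if proc == "svchost.exe" and "wuauserv" in cmd:        # assumed: update service host
        return "windows-update"
    for pattern in EXCLUDED_PATHS:
        if fnmatch.fnmatchcase(path, pattern.lower()):
            return "backup-directory"
    return None


def filter_hits(hits: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split hits into (alerts, suppressed); suppressed hits carry their reason."""
    alerts, suppressed = [], []
    for h in hits:
        reason = triage(h)
        if reason is None:
            alerts.append(h)
        else:
            suppressed.append({**h, "exclusion": reason})
    return alerts, suppressed


# Constructed sample hits (not real telemetry).
SAMPLE_HITS = [
    {"process": "MsMpEng.exe", "command_line": "MsMpEng.exe",
     "path": r"C:\ProgramData\scan\20120.dll.bin"},
    {"process": "svchost.exe", "command_line": "svchost.exe -k netsvcs -p -s wuauserv",
     "path": r"C:\Windows\SoftwareDistribution\x.dll"},
    {"process": "backup.exe", "command_line": "backup.exe --restore",
     "path": r"C:\Users\alice\AppData\Local\Temp\20120.dll.bin"},
    {"process": "unknown.exe", "command_line": "unknown.exe",
     "path": r"C:\ProgramData\20120.dll.bin"},
]

if __name__ == "__main__":
    alerts, suppressed = filter_hits(SAMPLE_HITS)
    print(len(alerts), [s["exclusion"] for s in suppressed])
    # 1 ['defender', 'windows-update', 'backup-directory']
```

Note that fnmatch's `*` also crosses directory separators, so `C:\Users\*\AppData\Local\Temp\*` matches any depth under C:\Users; narrow the globs if that is wider than intended. A plain svchost.exe without the wuauserv argument is deliberately not excluded, since the page's exclusion is for the Windows Update service specifically.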