The detection identifies potential FiveEyes QUERTY malware activity through the presence of the 20121.dll.bin file, which is associated with known malicious behavior. SOC teams should proactively hunt for this indicator in Azure Sentinel to identify and mitigate advanced persistent threats that may be leveraging this malware for data exfiltration or lateral movement.
YARA Rule
rule FiveEyes_QUERTY_Malwaresig_20121_dll
{
    meta:
        description = "FiveEyes QUERTY Malware - file 20121.dll.bin"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "89504d91c5539a366e153894c1bc17277116342b"
    strings:
        // plain ASCII substring match (a build/package path left in the binary)
        $s0 = "WarriorPride\\production2.0\\package\\E_Wzowski" ascii
        // fullword: the match must be delimited by non-alphanumeric bytes
        $s1 = "20121.dll" fullword ascii
    condition:
        all of them
}
This rule contains two string patterns ($s0 and $s1) in its detection logic, and its condition requires both to be present. The scenarios below describe legitimate contexts in which a file named 20121.dll.bin could appear, together with a filter or exclusion for each, so the rule can be deployed without flooding analysts with false positives.
Scenario: A system administrator is using PowerShell to deploy a legitimate script that includes a file named 20121.dll.bin as part of a custom toolchain.
Filter/Exclusion: Check for process.name containing powershell.exe and process.args containing -File or -Command with known administrative scripts.
Scenario: A scheduled job runs a legitimate application that generates a file named 20121.dll.bin as part of its normal operation (e.g., a backup or log processing tool).
Filter/Exclusion: Filter by process.name matching the known legitimate application name, or use a custom field like file.hash to exclude known benign hashes.
Scenario: A software update or patching tool (e.g., Microsoft Update, WSUS, or Chocolatey) downloads a file named 20121.dll.bin as part of its installation process.
Filter/Exclusion: Exclude files where process.name matches the update tool or where file.source is a known trusted repository or IP address.
Scenario: A virtualization tool (e.g., VMware Tools, Hyper-V Integration Services) includes a file named 20121.dll.bin as part of its installation package.
Filter/Exclusion: Exclude files where process.name matches the virtualization tool or where file.path contains known virtualization directories (e.g., C:\Program Files\VMware).
Scenario: A third-party application (e.g., Adobe Acrobat, Microsoft Office, or Oracle Java) includes a file named 20121.dll.bin as part of its installation or runtime components.
Filter/Exclusion: Exclude files where process.name matches the third
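As an added illustration (not code from this page or from the rule's author), the following Python emulates the rule's condition, including YARA's fullword modifier on $s1, and then applies the kind of process.name / file.path exclusion the scenarios above describe. The field names, the allowlisted process and every sample event are constructed assumptions for the demo.

```python
import re

# The two strings from the YARA rule above, with their modifiers.
S0 = b"WarriorPride\\production2.0\\package\\E_Wzowski"  # ascii
S1 = b"20121.dll"                                         # fullword ascii


def fullword_present(data: bytes, pattern: bytes) -> bool:
    """Emulate YARA's `fullword` modifier: the pattern must not be
    immediately preceded or followed by an alphanumeric byte."""
    rx = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")
    return rx.search(data) is not None


def matches_rule(data: bytes) -> bool:
    """Condition `all of them`: $s0 as a plain ASCII substring, $s1 as a full word."""
    return S0 in data and fullword_present(data, S1)


# Exclusions mirroring the page's false-positive scenarios. Field names
# (process.name, file.path) and the allowlist are assumptions; tune to
# your own telemetry and keep the list as short as you can justify.
BENIGN_PATH_PREFIXES = (r"c:\program files\vmware",)
BENIGN_PROCESSES = ("vmtoolsd.exe",)  # hypothetical allowlisted tool


def triage(event: dict) -> str:
    """Return 'alert', 'excluded' or 'no_match' for one file event."""
    if not matches_rule(event["content"]):
        return "no_match"
    path = event.get("file.path", "").lower()
    proc = event.get("process.name", "").lower()
    if path.startswith(BENIGN_PATH_PREFIXES) or proc in BENIGN_PROCESSES:
        return "excluded"
    return "alert"


# Constructed sample events (not real malware samples).
HIT = {"file.path": r"C:\Users\x\AppData\Local\Temp\20121.dll.bin",
       "process.name": "rundll32.exe",
       "content": b"\x00" * 16 + S0 + b"\x00C:\\tmp\\20121.dll\x00"}
PARTIAL = {"file.path": r"C:\tmp\notes.txt", "process.name": "notepad.exe",
           "content": S0 + b" build 0020121.dll"}  # $s1 is not a full word here

if __name__ == "__main__":
    for name, ev in (("HIT", HIT), ("PARTIAL", PARTIAL)):
        print(name, triage(ev))
```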