The detection identifies potential FiveEyes QUERTY malware activity through the presence of the 20123.sys.bin file, which is associated with advanced persistent threat operations. SOC teams should proactively hunt for this indicator in Azure Sentinel to identify and mitigate early-stage compromise by state-sponsored actors leveraging sophisticated malware.
YARA Rule
rule FiveEyes_QUERTY_Malwaresig_20123_sys
{
    meta:
        description = "FiveEyes QUERTY Malware - file 20123.sys.bin"
        author = "Florian Roth"
        reference = "http://www.spiegel.de/media/media-35668.pdf"
        date = "2015/01/18"
        hash = "a0f0087bd1f8234d5e847363d7e15be8a3e6f099"
    strings:
        $s0 = "20123.dll" fullword ascii
        $s1 = "kbdclass.sys" fullword wide
        $s2 = "IoFreeMdl" fullword ascii
        $s3 = "ntoskrnl.exe" fullword ascii
        $s4 = "KfReleaseSpinLock" fullword ascii
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic contains 5 string patterns, and its condition ("all of them") requires every one of them to be present before it fires.
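To see why all five strings have to line up, here is an added example (not code from the original page or from the rule's author) that re-implements the three pieces of YARA semantics the rule depends on: ascii versus wide (UTF-16LE) strings, the fullword modifier, and the "all of them" condition. It runs over byte buffers constructed inline, so the rule's behaviour can be studied without a real sample; the buffers and the function names are the example's own.

```python
"""Added example, not code from the original page or from the rule's author:
a minimal re-implementation of the YARA semantics this rule relies on
(ascii vs wide strings, the fullword modifier, the 'all of them' condition),
run over constructed byte buffers. The sample buffers are constructed here;
they are not the malware."""

# The five string patterns exactly as the rule declares them: (text, is_wide).
RULE_STRINGS = {
    "$s0": ("20123.dll", False),
    "$s1": ("kbdclass.sys", True),   # 'wide' -> stored as UTF-16LE in the file
    "$s2": ("IoFreeMdl", False),
    "$s3": ("ntoskrnl.exe", False),
    "$s4": ("KfReleaseSpinLock", False),
}

# YARA's fullword modifier requires the match to be delimited by
# non-alphanumeric characters; this is the alphanumeric byte set checked.
ALNUM = set(b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def _adjacent_is_alnum(chunk, wide):
    """True when the character next to a match is alphanumeric (boundary
    violated). For wide strings the neighbour is a two-byte UTF-16LE unit."""
    if wide:
        return len(chunk) == 2 and chunk[0] in ALNUM and chunk[1] == 0
    return len(chunk) == 1 and chunk[0] in ALNUM


def _fullword_present(data, text, wide):
    """Return True if `text` occurs in `data` with fullword boundaries."""
    needle = text.encode("utf-16-le") if wide else text.encode("ascii")
    unit = 2 if wide else 1
    pos = data.find(needle)
    while pos != -1:
        before = data[max(0, pos - unit):pos]
        end = pos + len(needle)
        after = data[end:end + unit]
        if not _adjacent_is_alnum(before, wide) and not _adjacent_is_alnum(after, wide):
            return True
        pos = data.find(needle, pos + 1)   # a later occurrence may be delimited
    return False


def match_strings(data):
    """Evaluate every declared string; returns {identifier: matched}."""
    return {ident: _fullword_present(data, text, wide)
            for ident, (text, wide) in RULE_STRINGS.items()}


def rule_matches(data):
    """The rule's condition is 'all of them': every string must be present."""
    return all(match_strings(data).values())


# Constructed positive sample: all five strings, each delimited by NUL bytes.
POSITIVE_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"20123.dll\x00"
    + b"IoFreeMdl\x00KfReleaseSpinLock\x00ntoskrnl.exe\x00"
    + b"\x00"                     # second NUL so the wide string's left boundary is clean
    + "kbdclass.sys".encode("utf-16-le") + b"\x00\x00"
)

# Constructed near-miss: identical, but "kbdclass.sys" stored as plain ASCII.
# $s1 is declared 'wide', so only 4 of 5 strings match and the rule stays quiet.
NEAR_MISS_SAMPLE = POSITIVE_SAMPLE.replace(
    "kbdclass.sys".encode("utf-16-le"), b"kbdclass.sys")


if __name__ == "__main__":
    for name, buf in [("positive", POSITIVE_SAMPLE), ("near-miss", NEAR_MISS_SAMPLE)]:
        hits = match_strings(buf)
        print(name, "->", "MATCH" if rule_matches(buf) else "no match",
              sorted(k for k, v in hits.items() if v))
```

With the real engine the same check is `yara.compile(source=rule_text).match(data=buf)` from yara-python; the point of the hand-rolled version is to make visible that an ASCII `kbdclass.sys` or a `20123.dll` glued to another alphanumeric character does not satisfy the rule, which is what keeps it narrow.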
Scenario: A system administrator is using Sysinternals Process Explorer to debug a legitimate system service.
Filter/Exclusion: Check for process.name containing “Process Explorer” or “Sysinternals” and exclude processes running under non-administrator accounts.
Scenario: A scheduled job runs Microsoft System Configuration Tool (msconfig.exe) to configure startup items during routine maintenance.
Filter/Exclusion: Exclude processes with process.name equal to “msconfig.exe” and filter by user.name as “SYSTEM” or known admin accounts.
Scenario: A security tool like Malwarebytes or Bitdefender performs a scan and temporarily loads a system file for analysis.
Filter/Exclusion: Exclude processes where process.name matches known security tools and filter by process.parent.name as the security tool’s process.
Scenario: A developer uses Windows Debugger (WinDbg) to analyze a legitimate kernel-mode driver during troubleshooting.
Filter/Exclusion: Exclude processes with process.name containing “WinDbg” or “kd.exe” and filter by process.parent.name as a known development tool.
Scenario: A backup job uses Veeam Backup & Replication to copy system files, including kernel-mode components, to a remote server.
Filter/Exclusion: Exclude processes with process.name containing “Veeam” or “VeeamBackup” and filter by process.parent.name as the backup service.
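The five scenario/exclusion pairs above combine a process-name test with a parent-process or account condition. The following added example (not part of the original page) encodes them as suppression predicates over ECS-style alert fields and applies them to constructed alert records, so the effect of each second condition can be seen; the admin-account, security-tool, development-tool and backup-service name sets are assumptions standing in for a site's own inventory.

```python
"""Added example, not from the original page: the five tuning scenarios
written as suppression predicates over ECS-style alert fields
(process.name, process.parent.name, user.name) and applied to constructed
alert records. The name sets below are assumed inventory values."""

# Assumed site inventory (hypothetical values; replace with real inventory).
ADMIN_ACCOUNTS = {"SYSTEM", "Administrator", "svc_maint"}
SECURITY_TOOL_PROCESSES = {"mbamservice.exe", "bdservicehost.exe"}
DEV_TOOL_PARENTS = {"devenv.exe", "code.exe"}
BACKUP_SERVICE_PARENTS = {"Veeam.Backup.Service.exe"}


def _contains_any(value, needles):
    value = (value or "").lower()
    return any(n.lower() in value for n in needles)


def _in_set(value, names):
    return (value or "").lower() in {n.lower() for n in names}


def exclusion_reason(alert):
    """Return the label of the first scenario that suppresses `alert`, or
    None if the alert should be kept. Each scenario pairs a process-name
    test with a parent or account condition, as the page's filters do."""
    proc = alert.get("process.name")
    parent = alert.get("process.parent.name")
    user = alert.get("user.name")

    # Scenario 1: Process Explorer / Sysinternals, only under an admin account.
    if _contains_any(proc, ["Process Explorer", "Sysinternals"]) and _in_set(user, ADMIN_ACCOUNTS):
        return "sysinternals-debugging"
    # Scenario 2: msconfig.exe run as SYSTEM or a known admin account.
    if _in_set(proc, ["msconfig.exe"]) and _in_set(user, ADMIN_ACCOUNTS | {"SYSTEM"}):
        return "msconfig-maintenance"
    # Scenario 3: security tool scan, parented by the tool's own service.
    if _in_set(proc, SECURITY_TOOL_PROCESSES) and _in_set(parent, SECURITY_TOOL_PROCESSES):
        return "security-tool-scan"
    # Scenario 4: WinDbg / kd.exe launched from a known development tool.
    if _contains_any(proc, ["WinDbg", "kd.exe"]) and _in_set(parent, DEV_TOOL_PARENTS):
        return "kernel-debugging"
    # Scenario 5: Veeam backup components parented by the backup service.
    if _contains_any(proc, ["Veeam", "VeeamBackup"]) and _in_set(parent, BACKUP_SERVICE_PARENTS):
        return "veeam-backup"
    return None


def triage(alerts):
    """Map alert id -> suppression reason (None means the alert is kept)."""
    return {a["id"]: exclusion_reason(a) for a in alerts}


# Constructed alert records (not real telemetry).
SAMPLE_ALERTS = [
    {"id": "a1", "process.name": "Sysinternals-procexp.exe", "process.parent.name": "explorer.exe", "user.name": "Administrator"},
    {"id": "a2", "process.name": "Sysinternals-procexp.exe", "process.parent.name": "explorer.exe", "user.name": "jdoe"},
    {"id": "a3", "process.name": "msconfig.exe", "process.parent.name": "taskeng.exe", "user.name": "SYSTEM"},
    {"id": "a4", "process.name": "VeeamAgent.exe", "process.parent.name": "Veeam.Backup.Service.exe", "user.name": "svc_maint"},
    {"id": "a5", "process.name": "VeeamAgent.exe", "process.parent.name": "cmd.exe", "user.name": "jdoe"},
    {"id": "a6", "process.name": "windbg.exe", "process.parent.name": "devenv.exe", "user.name": "jdoe"},
    {"id": "a7", "process.name": "update.exe", "process.parent.name": "winword.exe", "user.name": "jdoe"},
]


if __name__ == "__main__":
    for alert_id, reason in triage(SAMPLE_ALERTS).items():
        print(alert_id, "->", reason or "KEEP (escalate to analyst)")
```

Records a2 and a5 are the ones worth noticing: the process name alone would match a scenario, but the account or parent condition fails, so the alert is kept. That is the reason each filter on the page carries a second condition rather than suppressing on process.name by itself.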