The presence of the native.dll file may indicate the deployment of Furtim malware, which is known to use this file for persistence and execution. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
YARA Rule
rule Furtim_nativeDLL
{
    meta:
        description = "Detects Furtim malware - file native.dll"
        author = "Florian Roth"
        reference = "MISP 3971"
        date = "2016-06-13"
        hash1 = "4f39d3e70ed1278d5fa83ed9f148ca92383ec662ac34635f7e56cc42eeaee948"
    strings:
        $s1 = "FqkVpTvBwTrhPFjfFF6ZQRK44hHl26" fullword ascii
        $op0 = { e0 b3 42 00 c7 84 24 ac } /* Opcode */
        $op1 = { a1 e0 79 44 00 56 ff 90 10 01 00 00 a1 e0 79 44 } /* Opcode */
        $op2 = { bf d0 25 44 00 57 89 4d f0 ff 90 d4 02 00 00 59 } /* Opcode */
    condition:
        // Parentheses added: YARA's "and" binds tighter than "or", so without them
        // "all of ($op*)" matched on its own and bypassed the MZ and filesize gate.
        uint16(0) == 0x5a4d and filesize < 900KB and ( $s1 or all of ($op*) )
}
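As an added example (not from the page or the rule's author), the Python below re-implements the rule's condition by hand against constructed buffers, so an analyst can see what each clause checks and how YARA's operator precedence (`and` before `or`) changes which files match `... and $s1 or all of ($op*)` versus `... and ( $s1 or all of ($op*) )`. The function and buffer names are my own.

```python
import re

MAX_SIZE = 900 * 1024  # filesize < 900KB (YARA's KB suffix means 1024 bytes)

# Patterns copied from the rule above.
S1 = b"FqkVpTvBwTrhPFjfFF6ZQRK44hHl26"
OPCODES = [
    bytes.fromhex("e0 b3 42 00 c7 84 24 ac"),                          # $op0
    bytes.fromhex("a1 e0 79 44 00 56 ff 90 10 01 00 00 a1 e0 79 44"),  # $op1
    bytes.fromhex("bf d0 25 44 00 57 89 4d f0 ff 90 d4 02 00 00 59"),  # $op2
]
# "fullword": the match may not touch another alphanumeric character.
S1_FULLWORD = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(S1) + rb"(?![A-Za-z0-9])")

def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: little-endian 'MZ' at offset 0."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D

def has_s1(data: bytes) -> bool:
    return S1_FULLWORD.search(data) is not None

def all_ops(data: bytes) -> bool:
    return all(op in data for op in OPCODES)

def condition_as_written(data: bytes) -> bool:
    """How YARA parses '... and $s1 or all of ($op*)': the $op branch stands alone."""
    return (is_mz(data) and len(data) < MAX_SIZE and has_s1(data)) or all_ops(data)

def condition_parenthesised(data: bytes) -> bool:
    """'... and ( $s1 or all of ($op*) )': the MZ and size gate covers both branches."""
    return is_mz(data) and len(data) < MAX_SIZE and (has_s1(data) or all_ops(data))

# Constructed test buffers (synthetic, not real malware samples).
PE_LIKE_WITH_S1 = b"MZ" + b"\x90" * 64 + b"\x00" + S1 + b"\x00" + b"\x90" * 64
NON_PE_WITH_OPS = b"#!/bin/sh\n" + b"".join(OPCODES)  # a script carrying the opcode bytes
S1_GLUED_TO_WORD = b"MZ" + b"x" + S1 + b"y"           # fails the fullword test

if __name__ == "__main__":
    for name, buf in [("PE_LIKE_WITH_S1", PE_LIKE_WITH_S1),
                      ("NON_PE_WITH_OPS", NON_PE_WITH_OPS),
                      ("S1_GLUED_TO_WORD", S1_GLUED_TO_WORD)]:
        print(f"{name:17} as written={condition_as_written(buf)!s:5} "
              f"parenthesised={condition_parenthesised(buf)}")
```

With yara-python installed, the same buffers can be fed to the real rule through `yara.compile(source=...)` and `rules.match(data=...)` to confirm both readings against the actual engine.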
This rule contains 4 string patterns ($s1 and $op0 to $op2) in its detection logic. It can be deployed in the following contexts; each scenario describes a likely benign source of a native.dll file and the filter or exclusion that keeps it from producing false positives:
Scenario: A legitimate system update or patching process deploys a file named native.dll as part of a Windows Update or Microsoft Security Update.
Filter/Exclusion: Check the file’s hash against known good hashes from Microsoft or use a filter based on the file’s location (e.g., C:\Windows\System32\ or C:\Windows\Temp\).
Scenario: A system administrator is using a legitimate tool like Process Monitor (procmon) to debug or analyze system behavior, which may temporarily create or modify a native.dll file in a temporary directory.
Filter/Exclusion: Exclude files located in temporary directories (e.g., C:\Users\*\AppData\Local\Temp\) or filter by process name (e.g., procmon.exe).
Scenario: A scheduled job or service (e.g., Windows Task Scheduler or SQL Server Agent) is executing a script or application that legitimately uses a native.dll file for compatibility or runtime purposes.
Filter/Exclusion: Filter by process owner (e.g., NT AUTHORITY\SYSTEM) or check the file’s parent process (e.g., schtasks.exe or sqlagent.exe).
Scenario: A third-party application or service (e.g., Oracle Database or VMware Tools) includes a native.dll file as part of its installation, which is used for system integration or performance monitoring.
Filter/Exclusion: Exclude files located in application-specific directories (e.g., C:\Program Files\Oracle\) or use a file hash exclusion for known legitimate versions.
Scenario: A developer or DevOps team is using a tool like Visual Studio or Docker to run or debug applications that dynamically load a native.dll file for testing or runtime support.