← Back to SOC feed Coverage →

Detects Furtim Parent Malware

yara LOW Yara-Rules
community
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Yara-Rules →
Retrieved: 2026-06-12T23:00:00Z · Confidence: medium

Hunt Hypothesis

The hypothesis is that the detection identifies potential Furtim parent malware activity through suspicious process behavior indicative of command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary presence before it leads to data exfiltration or system compromise.

YARA Rule

rule Furtim_Parent_1 
{

    meta:
        description = "Detects Furtim Parent Malware"
        author = "Florian Roth"
        reference = "https://sentinelone.com/blogs/sfg-furtims-parent/"
        date = "2016-07-16"
        hash1 = "766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963"

    strings:
        /* RC4 encryption password */
        $x1 = "dqrChZonUF" fullword ascii
        /* Other strings */
        $s1 = "Egistec" fullword wide
        $s2 = "Copyright (C) 2016" fullword wide
        /* Op Code */
        $op1 = { c0 ea 02 88 55 f8 8a d1 80 e2 03 }
        $op2 = { 5d fe 88 55 f9 8a d0 80 e2 0f c0 }
        $op3 = { c4 0c 8a d9 c0 eb 02 80 e1 03 88 5d f8 8a d8 c0 }
  
    condition:
        ( uint16(0) == 0x5a4d and filesize < 900KB and ( $x1 or ( all of ($s*) and all of ($op*) ) ) ) or all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

This rule contains 6 string patterns in its detection logic.

References

False Positive Guidance

Original source: https://github.com/Yara-Rules/rules/blob/main/malware/APT_furtim.yar