This detection identifies potential Regin backdoor activity through a fixed 4-byte header marker and a set of embedded wide and ASCII strings (the two sample hashes are recorded in the rule metadata), indicating that an adversary may have established a persistent, stealthy remote access mechanism. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate long-term compromise by advanced persistent threats.
YARA Rule
rule Regin_Sample_Set_2
{
    meta:
        description = "Detects Regin Backdoor sample 4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be and e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
        author = "@MalwrSignatures"
        date = "27.11.14"
        hash1 = "4139149552b0322f2c5c993abccc0f0d1b38db4476189a9f9901ac0d57a656be"
        hash2 = "e420d0cf7a7983f78f5a15e6cb460e93c7603683ae6c41b27bf7f2fa34b2d935"
    strings:
        $hd = { fe ba dc fe }
        $s0 = "d%ls%ls" fullword wide
        $s1 = "\\\\?\\UNC" fullword wide
        $s2 = "Software\\Microsoft\\Windows\\CurrentVersion" fullword wide
        $s3 = "\\\\?\\UNC\\" fullword wide
        $s4 = "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" fullword wide
        $s5 = "System\\CurrentControlSet\\Services\\Tcpip\\Linkage" wide fullword
        $s6 = "\\\\.\\Global\\%s" fullword wide
        $s7 = "temp" fullword wide
        $s8 = "\\\\.\\%s" fullword wide
        $s9 = "Memory location: 0x%p, size 0x%08x" fullword wide
        $s10 = "sscanf" fullword ascii
        $s11 = "disp.dll" fullword ascii
        $s12 = "%x:%x:%x:%x:%x:%x:%x:%x%c" fullword ascii
        $s13 = "%d.%d.%d.%d%c" fullword ascii
        $s14 = "imagehlp.dll" fullword ascii
        $s15 = "%hd %d" fullword ascii
    condition:
        ( $hd at 0 ) and all of ($s*) and filesize < 450KB and filesize > 360KB
}
This YARA rule can be deployed in the contexts below. It contains 17 string patterns in its detection logic (the 4-byte header marker plus 16 wide and ASCII strings), all of which must match, with the header at offset 0 and a file size between 360KB and 450KB. Note that the exclusions that follow are written in endpoint/SIEM process fields (process.name, process.parent.name, process.args) rather than in YARA syntax, so they apply when triaging the alert a YARA hit raises, not inside the rule itself.
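As an added illustration (not part of the original rule or its author's code), the following Python emulates the rule's condition over a constructed buffer to show what `fullword wide` (UTF-16LE with no alphanumeric neighbour), `at 0` and the KB-based filesize bounds actually require; production scanning should use YARA itself.

```python
import re

HEADER = bytes.fromhex("febadcfe")  # $hd; the rule requires it at offset 0

# $s0-$s9 are declared "wide": YARA matches them as UTF-16LE, not ASCII
WIDE_STRINGS = [
    "d%ls%ls", "\\\\?\\UNC", "Software\\Microsoft\\Windows\\CurrentVersion",
    "\\\\?\\UNC\\",
    "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}",
    "System\\CurrentControlSet\\Services\\Tcpip\\Linkage",
    "\\\\.\\Global\\%s", "temp", "\\\\.\\%s", "Memory location: 0x%p, size 0x%08x",
]
# $s10-$s15 are plain ASCII
ASCII_STRINGS = ["sscanf", "disp.dll", "%x:%x:%x:%x:%x:%x:%x:%x%c",
                 "%d.%d.%d.%d%c", "imagehlp.dll", "%hd %d"]
MIN_SIZE, MAX_SIZE = 360 * 1024, 450 * 1024  # YARA's KB suffix means 1024 bytes

def _is_word_char(chunk: bytes, wide: bool) -> bool:
    """Alphanumeric neighbour that would break a YARA 'fullword' match."""
    if wide:  # a wide word char is an alphanumeric byte followed by 0x00
        return len(chunk) == 2 and chunk[1] == 0 and chunk[:1].isalnum()
    return len(chunk) == 1 and chunk.isalnum()

def fullword_present(data: bytes, pattern: bytes, wide: bool) -> bool:
    """True if pattern occurs somewhere with no alphanumeric character on either side."""
    step = 2 if wide else 1
    for m in re.finditer(re.escape(pattern), data):
        before = data[m.start() - step:m.start()] if m.start() >= step else b""
        after = data[m.end():m.end() + step]
        if not _is_word_char(before, wide) and not _is_word_char(after, wide):
            return True
    return False

def matches_regin_rule(data: bytes) -> bool:
    """Emulates: ($hd at 0) and all of ($s*) and filesize < 450KB and filesize > 360KB."""
    if not (MIN_SIZE < len(data) < MAX_SIZE) or not data.startswith(HEADER):
        return False
    return (all(fullword_present(data, s.encode("utf-16-le"), True) for s in WIDE_STRINGS)
            and all(fullword_present(data, s.encode("ascii"), False) for s in ASCII_STRINGS))

def build_sample(with_header: bool = True, size: int = 400 * 1024) -> bytes:
    """Constructed test buffer (not a real Regin sample) carrying every pattern once."""
    body = HEADER if with_header else b"MZ\x90\x00"
    for s in WIDE_STRINGS:
        body += s.encode("utf-16-le") + b"\x00\x00"  # NUL terminator keeps it fullword
    for s in ASCII_STRINGS:
        body += s.encode("ascii") + b"\x00"
    return body.ljust(size, b"\x00")
```

`matches_regin_rule(build_sample())` returns True, while the same bytes without the header, or padded outside the 360KB-450KB window, return False.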
Scenario: Legitimate system update using Microsoft Windows Update
Filter/Exclusion: Check for process.name containing wuauclt.exe or WindowsUpdate.exe and ensure the hash matches a known Windows Update component.
Scenario: Scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Filter by process.name containing veeam.exe and check for process.parent.name matching a known backup service or scheduler like schtasks.exe.
Scenario: Admin task using PowerShell for log management with Splunk
Filter/Exclusion: Filter by process.name containing powershell.exe and check for process.args containing Splunk or splunkforwarder.
Scenario: Antivirus scan using Bitdefender with real-time protection
Filter/Exclusion: Filter by process.name containing bdagent.exe or bdtray.exe and check for process.parent.name matching svchost.exe or bitdefender service.
Scenario: Network monitoring tool using PRTG Network Monitor
Filter/Exclusion: Filter by process.name containing prtg.exe and ensure the hash is associated with a legitimate PRTG Network Monitor version.