This detection identifies potentially malicious activity associated with the Sphinx Moth threat group through the presence of the file nvcplex.dat, which may be used for initial compromise or data exfiltration. SOC teams should proactively hunt for this indicator in Azure Sentinel to catch early-stage activity and prevent lateral movement or data loss.
YARA Rule
rule Sphinx_Moth_nvcplex
{
    meta:
        description = "sphinx moth threat group file nvcplex.dat"
        author = "Kudelski Security - Nagravision SA"
        reference = "www.kudelskisecurity.com"
        date = "2015-08-06"
    strings:
        $s0 = "mshtaex.exe" fullword wide
        $op0 = { 41 8b cc 44 89 6c 24 28 48 89 7c 24 20 ff 15 d3 } /* Opcode */
        $op1 = { 48 3b 0d ad 8f 00 00 74 05 e8 ba f5 ff ff 48 8b } /* Opcode */
        $op2 = { 8b ce e8 49 47 00 00 90 8b 43 04 89 05 93 f1 00 } /* Opcode */
    condition:
        uint16(0) == 0x5a4d and filesize < 214KB and all of them
}
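To make the rule's condition concrete, the following added example (not part of the original page or of Kudelski Security's tooling) re-implements each clause of Sphinx_Moth_nvcplex in plain Python and evaluates it against a constructed in-memory buffer. In production you would load the rule with yara-python; evaluating the clauses by hand shows what "uint16(0) == 0x5a4d", "filesize < 214KB", "fullword wide" and "all of them" each require. The fullword check is a simplification of YARA's, and the sample buffer is synthetic, not a real binary.

```python
"""Clause-by-clause evaluation of the YARA rule Sphinx_Moth_nvcplex.

Added example, not the rule author's code. Uses only the strings and
condition visible in the rule; the sample buffer is constructed."""

# The three opcode sequences, copied from the rule (bytes.fromhex ignores spaces).
OPCODES = [
    bytes.fromhex("41 8b cc 44 89 6c 24 28 48 89 7c 24 20 ff 15 d3"),  # $op0
    bytes.fromhex("48 3b 0d ad 8f 00 00 74 05 e8 ba f5 ff ff 48 8b"),  # $op1
    bytes.fromhex("8b ce e8 49 47 00 00 90 8b 43 04 89 05 93 f1 00"),  # $op2
]

# $s0 with the 'wide' modifier: the string is searched as UTF-16LE.
WIDE_NAME = "mshtaex.exe".encode("utf-16-le")

# 'filesize < 214KB' -- YARA's KB suffix is 1024 bytes.
MAX_SIZE = 214 * 1024


def has_fullword_wide(data: bytes, needle: bytes) -> bool:
    """Approximates YARA's 'fullword wide': the UTF-16LE string must not be
    directly preceded or followed by another alphanumeric UTF-16LE character.
    (YARA's exact rules are somewhat broader; this is a simplification.)"""

    def wide_alnum_at(pos: int) -> bool:
        # An ASCII alphanumeric character encoded as UTF-16LE is <byte> 0x00.
        return (0 <= pos and pos + 1 < len(data)
                and data[pos + 1] == 0
                and bytes([data[pos]]).isalnum())

    start = 0
    while True:
        i = data.find(needle, start)
        if i == -1:
            return False
        if not wide_alnum_at(i - 2) and not wide_alnum_at(i + len(needle)):
            return True
        start = i + 1  # keep looking; a later occurrence may be a full word


def evaluate(data: bytes) -> dict:
    """Returns the truth value of every clause of the rule's condition."""
    return {
        "mz_header": data[:2] == b"MZ",          # uint16(0) == 0x5a4d, little-endian
        "filesize_ok": len(data) < MAX_SIZE,     # filesize < 214KB
        "s0": has_fullword_wide(data, WIDE_NAME),
        "op0": OPCODES[0] in data,
        "op1": OPCODES[1] in data,
        "op2": OPCODES[2] in data,
    }


def matches(data: bytes) -> bool:
    """'uint16(0) == 0x5a4d and filesize < 214KB and all of them'."""
    return all(evaluate(data).values())


def build_sample(include_opcodes: bool = True) -> bytes:
    """Constructed, synthetic buffer: an 'MZ' header, filler, the wide string
    (bounded by NUL bytes so it is a full word) and the opcode sequences.
    It is not a real executable and only exists to exercise the clauses."""
    body = b"MZ" + b"\x00" * 62
    body += b"\x00\x00" + WIDE_NAME + b"\x00\x00"
    if include_opcodes:
        body += b"".join(OPCODES)
    return body + b"\x00" * 128


if __name__ == "__main__":
    sample = build_sample()
    for clause, value in evaluate(sample).items():
        print(f"{clause:12} {value}")
    print("match:", matches(sample))
```

Dropping any single opcode sequence, enlarging the buffer past 214KB, or embedding the name inside a longer wide word such as "xmshtaex.exe" makes the rule fail, which is the behaviour to expect when triaging near misses.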
This rule contains 4 string patterns in its detection logic (one wide string and three opcode sequences). The scenarios below describe benign activity that may also produce the file nvcplex.dat, together with the filters that can be used to exclude it.
Scenario: Scheduled System Maintenance Job
Description: A legitimate system maintenance job (e.g., Microsoft Windows Update or Windows Task Scheduler job) downloads or generates the file nvcplex.dat as part of a patching or configuration process.
Filter/Exclusion: Check for file creation context (e.g., ProcessName = "wusa.exe" or CommandLine contains "wuauclt.exe")
Scenario: Software Installation or Update
Description: A legitimate software update or installation (e.g., from Microsoft, Adobe, or other enterprise tools) creates the file nvcplex.dat as part of its installation process.
Filter/Exclusion: Check for file creation context (e.g., ProcessName = "msiexec.exe" or CommandLine contains "setup.exe")
Scenario: Log File or Temporary File Generation
Description: A legitimate application (e.g., SQL Server, IIS, or Windows Event Log) generates the file nvcplex.dat as a temporary or log file.
Filter/Exclusion: Check for file type or location (e.g., FileLocation contains "C:\Windows\Temp\" or FileExtension = ".dat")
Scenario: Administrative Tool Usage
Description: An administrator uses a legitimate tool (e.g., PowerShell, DISM, or Group Policy Management Console) to create or modify the file nvcplex.dat as part of system configuration.
Filter/Exclusion: Check for user context (e.g., User = "Administrator" or ProcessName = "powershell.exe" with known administrative tasks)
Scenario: Third-Party Application Artifact
Description: A third-party enterprise application (e.g., Citrix,
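The exclusion checks listed in the scenarios above, applied as a triage step over file-creation events before a hit on nvcplex.dat is escalated. This is an added example and not part of the original page; the field names (FileName, ProcessName, CommandLine, FileLocation, User) follow the names used in the scenario filters, and the sample events are constructed. The "FileExtension = '.dat'" filter from the log-file scenario is left out because it would suppress every hit on a file that always carries that extension.

```python
"""Triage of nvcplex.dat file events against the scenario exclusions.

Added example, not from the original page. Field names mirror the scenario
filters; the events in SAMPLE_EVENTS are constructed."""

TARGET = "nvcplex.dat"

# Scenarios 1 and 2: maintenance and installer processes.
EXCLUDED_PROCESSES = {"wusa.exe", "msiexec.exe"}
EXCLUDED_CMDLINE_MARKERS = ("wuauclt.exe", "setup.exe")

# Scenario 3: temporary-file location.
TEMP_DIR = "c:\\windows\\temp\\"

# Scenario 4: administrative tooling, only when run by the admin account.
ADMIN_TOOLS = {"powershell.exe"}
ADMIN_USER = "administrator"


def classify(event: dict) -> tuple:
    """Returns (verdict, reason); verdict is 'ignore', 'suppressed' or 'hit'."""
    if event["FileName"].lower() != TARGET:
        return ("ignore", "not the indicator file")

    proc = event["ProcessName"].lower()
    cmd = event["CommandLine"].lower()
    loc = event["FileLocation"].lower()
    user = event["User"].lower()

    if proc in EXCLUDED_PROCESSES:
        return ("suppressed", f"maintenance/installer process {proc}")
    if any(marker in cmd for marker in EXCLUDED_CMDLINE_MARKERS):
        return ("suppressed", "maintenance/installer command line")
    if loc.startswith(TEMP_DIR):
        return ("suppressed", "temporary-file location")
    if proc in ADMIN_TOOLS and user == ADMIN_USER:
        return ("suppressed", f"administrative use of {proc}")
    return ("hit", "no exclusion matched")


def triage(events: list) -> list:
    """Classifies every event; suppressed events are still returned so they can be logged."""
    return [classify(e) for e in events]


# Constructed sample events; none of these come from a real environment.
SAMPLE_EVENTS = [
    {"FileName": "nvcplex.dat", "ProcessName": "msiexec.exe",
     "CommandLine": "msiexec.exe /i app.msi /qn",
     "FileLocation": r"C:\Program Files\App\nvcplex.dat", "User": "svc_install"},
    {"FileName": "nvcplex.dat", "ProcessName": "explorer.exe",
     "CommandLine": "explorer.exe",
     "FileLocation": r"C:\Users\jdoe\AppData\Roaming\nvcplex.dat", "User": "jdoe"},
    {"FileName": "nvcplex.dat", "ProcessName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "FileLocation": r"C:\Windows\Temp\nvcplex.dat", "User": "SYSTEM"},
    {"FileName": "other.dat", "ProcessName": "notepad.exe",
     "CommandLine": "notepad.exe other.dat",
     "FileLocation": r"C:\Users\jdoe\other.dat", "User": "jdoe"},
    {"FileName": "nvcplex.dat", "ProcessName": "powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\config.ps1",
     "FileLocation": r"C:\ProgramData\nvcplex.dat", "User": "Administrator"},
    {"FileName": "nvcplex.dat", "ProcessName": "powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Users\jdoe\Downloads\run.ps1",
     "FileLocation": r"C:\Users\jdoe\nvcplex.dat", "User": "jdoe"},
]


if __name__ == "__main__":
    for event, (verdict, reason) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:10} {event['ProcessName']:16} {event['User']:14} {reason}")
```

Each exclusion is also a context a legitimate-looking process could occupy, so the function returns suppressed events rather than discarding them; keeping them in a lower-priority queue lets an analyst revisit a suppression if the same file later turns up outside the excluded contexts.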