The Dipsind Family detection rule identifies potential adversary activity involving suspicious process execution and network communication patterns commonly associated with this malware family. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to early-stage compromises that may evade traditional detection methods.
YARA Rule
rule Trojan_Win32_Dipsind_B
{
    meta:
        author = "Microsoft"
        description = "Dipsind Family"
        sample_sha1 = "09e0dfbb5543c708c0dd6a89fd22bbb96dc4ca1c"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $frg1 = {8D 90 04 01 00 00 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 4D EC 8B 15 ?? ?? ?? ?? 89 91 ?? 07 00 00}
        $frg2 = {68 A1 86 01 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA}
        $frg3 = {C0 E8 07 D0 E1 0A C1 8A C8 32 D0 C0 E9 07 D0 E0 0A C8 32 CA 80 F1 63}
    condition:
        $frg1 and $frg2 and $frg3
}
This YARA rule can be deployed in the following contexts:
This rule contains three hex string patterns ($frg1, $frg2 and $frg3) in its detection logic; the condition requires all three to be present in the scanned file, and $frg1 uses five ?? wildcard bytes so that it still matches when the referenced addresses differ between builds.
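To make the wildcard semantics concrete, the following added example (not part of the page or of Microsoft's rule) implements a minimal matcher for the subset of YARA hex-string syntax the rule uses: literal bytes and whole-byte ?? wildcards. It evaluates the rule's condition against a constructed buffer in which the three fragments are embedded with arbitrary bytes at the wildcard positions. The buffer is built here for illustration and is not a real Dipsind sample; the function and variable names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Added example: a tiny matcher for the YARA hex-string subset used by
# Trojan_Win32_Dipsind_B. Supports literal bytes and '??' byte wildcards only
# (no nibble wildcards, jumps or alternatives). Not Microsoft's code.

FRAGMENTS = {
    "$frg1": "8D 90 04 01 00 00 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 02 F3 A5 "
             "8B C8 83 E1 03 F3 A4 8B 4D EC 8B 15 ?? ?? ?? ?? 89 91 ?? 07 00 00",
    "$frg2": "68 A1 86 01 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA",
    "$frg3": "C0 E8 07 D0 E1 0A C1 8A C8 32 D0 C0 E9 07 D0 E0 0A C8 32 CA 80 F1 63",
}

Pattern = List[Optional[int]]  # None marks a wildcard byte


def parse_hex_pattern(text: str) -> Pattern:
    """Parse 'AA BB ?? CC' into byte values, with None for each '??'."""
    out: Pattern = []
    for tok in text.split():
        if tok == "??":
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex-string token: {tok!r}")
    return out


def find_pattern(data: bytes, pat: Pattern) -> int:
    """Return the offset of the first match of pat in data, or -1."""
    n = len(pat)
    for i in range(len(data) - n + 1):
        for j, want in enumerate(pat):
            if want is not None and data[i + j] != want:
                break
        else:  # every non-wildcard byte matched
            return i
    return -1


def scan_dipsind_b(data: bytes) -> Dict[str, object]:
    """Evaluate the rule's condition: all three fragments must be present."""
    offsets = {name: find_pattern(data, parse_hex_pattern(p))
               for name, p in FRAGMENTS.items()}
    return {"match": all(o >= 0 for o in offsets.values()), "offsets": offsets}


def fill_wildcards(text: str, filler: bytes) -> bytes:
    """Build concrete bytes from a pattern, substituting filler for each '??' in order."""
    it = iter(filler)
    return bytes(next(it) if b is None else b for b in parse_hex_pattern(text))


def build_sample(include_frg3: bool = True) -> bytes:
    """Constructed test buffer (filler plus the fragments); NOT a real malware sample."""
    buf = b"\x90" * 16 + fill_wildcards(FRAGMENTS["$frg1"], b"\x11\x22\x33\x44\x55")
    buf += b"\xcc" * 8 + fill_wildcards(FRAGMENTS["$frg2"], b"")
    if include_frg3:
        buf += b"\xcc" * 8 + fill_wildcards(FRAGMENTS["$frg3"], b"")
    return buf


if __name__ == "__main__":
    print(scan_dipsind_b(build_sample()))                    # match: True
    print(scan_dipsind_b(build_sample(include_frg3=False)))  # match: False
```

Dropping $frg3 from the buffer is enough to defeat the match, which is the practical reason the rule anchors on three independent code fragments rather than one: a single fragment is more likely to appear in unrelated binaries, while all three together are a far more specific fingerprint.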
Scenario: A system administrator is performing a scheduled backup using Veeam Backup & Replication and the backup process generates a large number of file access events that match the Dipsind Family pattern.
Filter/Exclusion: Exclude events related to Veeam Backup or processes with veeambackup.exe in the command line.
Scenario: A database administrator is running a SQL Server Agent Job that performs index optimization, which results in frequent file system access patterns similar to those seen in the Dipsind Family.
Filter/Exclusion: Exclude events where the process name is sqlservr.exe or where the event source is SQL Server Agent.
Scenario: A DevOps engineer is using Ansible to deploy configuration changes across multiple servers, which involves repeated file modifications that trigger the Dipsind Family detection.
Filter/Exclusion: Exclude events where the process name is ansible or where the user is a DevOps service account (e.g., devops-user).
Scenario: A system update via Windows Server Update Services (WSUS) is being applied, causing a surge in file access and modification events that match the Dipsind Family signature.
Filter/Exclusion: Exclude events related to wuauclt.exe or where the event source is WSUS Update.
Scenario: A security analyst is using Wireshark to capture and analyze network traffic, which involves writing to log files that trigger the Dipsind Family detection.
Filter/Exclusion: Exclude events where the process name is wireshark.exe or where the file path contains wireshark_logs.
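The exclusions above can be turned into a triage step that suppresses alerts from the listed tooling before an analyst sees them. The following added example (not part of the page) does that over a handful of constructed alert events; the event schema, the image_path field, and the "expected install directory" prefixes used in strict mode are assumptions made here, not values from the page. Strict mode shows the caveat a detection engineer would raise about exclusions keyed on a process name alone: the exclusion only applies when the process also runs from the directory where that software is expected to live.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Added example: applies the page's exclusions to alert events.
# Event fields, image_path and the expected-directory prefixes are assumptions.


@dataclass
class Event:
    process_name: str
    image_path: str      # full path of the executable (assumed field)
    command_line: str
    user: str
    file_path: str       # file the event refers to
    event_source: str


# (name, predicate transcribed from the page, assumed install-directory prefixes)
Exclusion = Tuple[str, Callable[[Event], bool], Tuple[str, ...]]

EXCLUSIONS: List[Exclusion] = [
    ("Veeam Backup",
     lambda e: "veeambackup.exe" in e.command_line.lower(),
     ("c:\\program files\\veeam\\",)),
    ("SQL Server",
     lambda e: e.process_name.lower() == "sqlservr.exe" or e.event_source == "SQL Server Agent",
     ("c:\\program files\\microsoft sql server\\",)),
    ("Ansible",
     lambda e: e.process_name.lower() == "ansible" or e.user.lower() == "devops-user",
     ("/usr/bin/", "/usr/local/bin/")),
    ("WSUS",
     lambda e: e.process_name.lower() == "wuauclt.exe" or e.event_source == "WSUS Update",
     ("c:\\windows\\system32\\",)),
    ("Wireshark",
     lambda e: e.process_name.lower() == "wireshark.exe" or "wireshark_logs" in e.file_path.lower(),
     ("c:\\program files\\wireshark\\",)),
]


def _in_expected_dir(e: Event, prefixes: Tuple[str, ...]) -> bool:
    return e.image_path.lower().startswith(prefixes)


def triage(events: List[Event], strict: bool = False):
    """Return (kept, suppressed). suppressed holds (event, exclusion name) pairs.
    In strict mode an exclusion also requires the expected image directory."""
    kept, suppressed = [], []
    for e in events:
        reason = None
        for name, pred, prefixes in EXCLUSIONS:
            if pred(e) and (not strict or _in_expected_dir(e, prefixes)):
                reason = name
                break
        if reason:
            suppressed.append((e, reason))
        else:
            kept.append(e)
    return kept, suppressed


# Constructed sample events, one per scenario on the page plus two that are not benign tooling.
SAMPLE_EVENTS = [
    Event("veeam.backup.manager.exe", "c:\\program files\\veeam\\backup\\veeam.backup.manager.exe",
          "veeambackup.exe /job nightly", "svc-veeam", "d:\\backups\\fs01.vbk", "Sysmon"),
    Event("sqlservr.exe", "c:\\program files\\microsoft sql server\\mssql\\binn\\sqlservr.exe",
          "sqlservr.exe -s MSSQLSERVER", "svc-sql", "d:\\data\\sales.mdf", "SQL Server Agent"),
    Event("ansible", "/usr/bin/ansible", "ansible-playbook site.yml", "devops-user",
          "/etc/nginx/nginx.conf", "auditd"),
    Event("wuauclt.exe", "c:\\windows\\system32\\wuauclt.exe", "wuauclt.exe /detectnow", "SYSTEM",
          "c:\\windows\\softwaredistribution\\update.cab", "WSUS Update"),
    Event("wireshark.exe", "c:\\program files\\wireshark\\wireshark.exe", "wireshark.exe -i eth0",
          "analyst", "c:\\wireshark_logs\\capture.pcapng", "Sysmon"),
    # Same name as an excluded process but running from a user-writable path.
    Event("sqlservr.exe", "c:\\users\\public\\sqlservr.exe", "sqlservr.exe", "jdoe",
          "c:\\users\\jdoe\\appdata\\local\\temp\\a.dll", "Sysmon"),
    Event("update.exe", "c:\\users\\jdoe\\appdata\\local\\temp\\update.exe", "update.exe -q", "jdoe",
          "c:\\users\\jdoe\\appdata\\roaming\\x.bin", "Sysmon"),
]


if __name__ == "__main__":
    for strict in (False, True):
        kept, suppressed = triage(SAMPLE_EVENTS, strict=strict)
        print(f"strict={strict}: kept {len(kept)}, suppressed {len(suppressed)}")
        for e in kept:
            print("  review:", e.process_name, e.image_path)
```

With the page's exclusions applied literally, the sixth event is suppressed purely because its name matches sqlservr.exe; in strict mode it stays in the review queue because it does not run from the SQL Server install directory. Scoping each exclusion to the binary's expected path (or, better, its signer) keeps the noise reduction the scenarios describe without turning a process name into a blanket allowlist.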