Adversaries may use fake or repackaged Android apps with backdoor/dropper functionality to covertly stage additional malware, then use the implant to establish persistence or exfiltrate data. The Koodous rule below catches one such family statically: it fires when the URL list that the androguard module extracts from an APK contains one of four hard-coded command-and-control hosts. Because it depends on the androguard module, the rule runs in Koodous (or a yara-python build that ships that module), not inside a SIEM; SOC teams that want to hunt on it should run it in their APK scanning pipeline and forward the matches (sample hash, rule name, matched URL) to the SIEM, for example Azure Sentinel, so a hit can be correlated with device and network telemetry before the implant escalates.
YARA Rule
import "androguard"   // Koodous-specific YARA module; stock YARA will not compile this rule without it

rule backdoor: dropper
{
    meta:
        author = "Antonio Sanchez <asanchez@koodous.com>"
        description = "This rule detects fake samples with a backdoor/dropper"
        sample = "0c3bc51952c71e5bb05c35346005da3baa098faf3911b9b45c3487844de9f539"
        source = "https://koodous.com/rulesets/1765"

    condition:
        // Exact-string match against the URLs androguard extracts from the APK;
        // a scheme, port or path variation of the same host will not match.
        androguard.url("http://sys.wksnkys7.com")
        or androguard.url("http://sys.hdyfhpoi.com")
        or androguard.url("http://sys.syllyq1n.com")
        or androguard.url("http://sys.aedxdrcb.com")
}
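To see what the condition actually tests, and why exact URL equality is brittle, here is an added example that is not part of the Koodous ruleset: it re-implements the rule's URL check in plain Python over an APK (a zip file), then generalises it to a host-based match that also catches an https:// variant or a URL with a port and path. The APK, its classes.dex blob and the config asset are constructed stand-ins (the blob is not a valid DEX file, and scanning for printable strings only approximates androguard's decoding of the DEX string table); the C2 URLs are the four from the rule above.

```python
"""Added example, not Koodous code: reproduce the rule's androguard.url()
check in Python and compare it with a host-based match."""
import io
import re
import zipfile

# Indicators copied from the YARA rule above.
C2_URLS = {
    "http://sys.wksnkys7.com",
    "http://sys.hdyfhpoi.com",
    "http://sys.syllyq1n.com",
    "http://sys.aedxdrcb.com",
}
C2_HOSTS = {u.split("://", 1)[1] for u in C2_URLS}

# http(s) URL as a run of printable bytes; stops at NUL, whitespace and quotes
# so adjacent strings in a DEX string pool are not glued together.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\x00-\x20\x7f-\xff\"'<>]*)?")

# APK members that usually carry network indicators as printable strings.
SCAN_MEMBERS = ("classes", "assets/", "res/raw/", "lib/")


def extract_urls(apk_bytes: bytes) -> set:
    """Return every http(s) URL found as a printable string in the APK's code/assets."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith(SCAN_MEMBERS):
                continue
            for m in URL_RE.finditer(zf.read(name)):
                urls.add(m.group(0).decode("ascii", "replace"))
    return urls


def matches_rule(urls) -> bool:
    """Same semantics as the YARA condition: exact URL string equality."""
    return any(u in C2_URLS for u in urls)


def matches_host(urls) -> set:
    """Generalisation: compare the host only, ignoring scheme, port and path."""
    hits = set()
    for u in urls:
        host = re.sub(r"^https?://", "", u).split("/", 1)[0].split(":", 1)[0].lower()
        if host in C2_HOSTS:
            hits.add(host)
    return hits


def classify(apk_bytes: bytes) -> dict:
    """Run both checks over one APK and return the verdicts side by side."""
    urls = extract_urls(apk_bytes)
    return {"urls": urls, "exact": matches_rule(urls), "hosts": matches_host(urls)}


def build_sample_apk(dex_strings) -> bytes:
    """Constructed stand-in for an APK: a zip whose fake classes.dex holds the
    given NUL-separated strings. Not a valid DEX; enough for a string scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder, not binary XML
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings) + b"\x00")
        zf.writestr("res/raw/config.txt", b"update=http://example.invalid/update\n")  # benign asset
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "c2-literal": build_sample_apk([b"Lcom/app/Main;", b"http://sys.wksnkys7.com"]),
        "c2-variant": build_sample_apk([b"https://sys.aedxdrcb.com:8080/gate.php"]),
        "clean": build_sample_apk([b"https://example.invalid/api"]),
    }
    for label, apk in samples.items():
        v = classify(apk)
        print(f"{label:11} rule={v['exact']!s:5} host-match={sorted(v['hosts'])}")
```

The "c2-variant" sample is the point of the exercise: it ships the same C2 host as the rule's fourth indicator, but over https with a port and path, so the exact-string condition returns false while the host-based check flags it. If you adapt the rule, a host-level comparison (or a regex on the extracted URLs) is the more robust form; the trade-off is that you must then allowlist any benign APK that legitimately embeds the host string.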
Deployment contexts and tuning
The condition above is satisfied only by an Android sample whose androguard-extracted URL list contains one of the four literal C2 URLs. It never inspects Windows binaries, scripts, installers or remote-administration tools, so exclusions for update processes, PsExec, backup jobs or EDR agents do not apply to it; those belong to host-based rules, not to this one. The cases worth planning for are the ones that follow from how the rule matches.
Scenario: Benign APK that embeds the C2 URL as data
Description: An app that ships a blocklist or threat-intel feed (for example a mobile security or research tool) can contain one of the listed URLs as a literal string, which satisfies the condition without any dropper behaviour.
Filter/Exclusion: Allowlist the vetted app by SHA-256 (the rule's meta already records the reference sample hash in that form) and confirm with dynamic analysis whether the app actually contacts the host before closing the alert.
Scenario: Sample uses a variant of the same infrastructure
Description: The condition is an exact string comparison, so an https:// form of the same host, or the host with a port or path appended, is not matched even though it points at the same infrastructure.
Filter/Exclusion: None needed for false positives; for coverage, consider matching on the host name rather than the full URL, and accept that the broader match needs the allowlist above.
Scenario: Stale infrastructure
Description: A match proves only that the sample was built with the C2 configuration; the domains may since have been taken down, sinkholed or re-registered, so the hit by itself does not establish an active compromise.
Filter/Exclusion: Treat the rule as a static IOC, and correlate a hit with DNS and proxy telemetry for the same host before escalating it as an initial-compromise event.