The hypothesis is that the presence of morel.exe, a tool from the EQGRP toolset, may indicate the execution of malicious code associated with advanced persistent threat activities. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify potential compromise and mitigate lateral movement or data exfiltration risks.
YARA Rule
rule EQGRP_morel
{
    meta:
        description = "Detects tool from EQGRP toolset - file morel.exe"
        author = "Florian Roth"
        reference = "Research"
        date = "2016-08-15"
        hash1 = "a9152e67f507c9a179bb8478b58e5c71c444a5a39ae3082e04820a0613cd6d9f"
    strings:
        $s1 = "%d - %d, %d" fullword ascii
        $s2 = "%d - %lu.%lu %d.%lu" fullword ascii
        $s3 = "%d - %d %d" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 60KB and all of them )
}
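As an added example (not part of the original page or of the rule author's tooling), the following Python reimplements the condition above, including YARA's fullword semantics and its 1024-byte KB, and runs it over constructed byte buffers so a practitioner can see why a sample whose strings are glued to alphanumerics, or which exceeds the size bound, does not fire. The sample buffers and the function names are assumptions made for this example.

```python
import re

# The three format strings from the EQGRP_morel rule above (copied from the rule, not constructed).
MOREL_STRINGS = {
    "$s1": b"%d - %d, %d",
    "$s2": b"%d - %lu.%lu %d.%lu",
    "$s3": b"%d - %d %d",
}
MAX_SIZE = 60 * 1024  # YARA's "filesize < 60KB": KB means 1024 bytes


def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword ascii' semantics: the pattern must not be immediately
    preceded or followed by an alphanumeric byte (approximated with ASCII alnum)."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate_eqgrp_morel(data: bytes) -> dict:
    """Evaluate the rule's condition step by step; returns each sub-result plus the verdict."""
    result = {
        # uint16(0) == 0x5a4d is little-endian, i.e. the bytes 'M' (0x4d) then 'Z' (0x5a)
        "is_mz": data[:2] == b"MZ",
        "size_ok": len(data) < MAX_SIZE,
        "strings": {name: fullword_present(data, s) for name, s in MOREL_STRINGS.items()},
    }
    # 'all of them' requires every declared string to match
    result["match"] = result["is_mz"] and result["size_ok"] and all(result["strings"].values())
    return result


def constructed_samples() -> dict:
    """Constructed byte buffers (not real malware) exercising each branch of the condition."""
    padding = b"\x90" * 64
    positive = b"MZ" + padding + b"\x00".join(MOREL_STRINGS.values()) + b"\x00"
    # $s1 glued to alphanumerics: the bytes are present, but not as a full word
    not_fullword = (b"MZ" + padding + b"x%d - %d, %dy\x00"
                    + MOREL_STRINGS["$s2"] + b"\x00" + MOREL_STRINGS["$s3"] + b"\x00")
    return {
        "positive": positive,
        "not_fullword": not_fullword,
        "too_large": positive + b"\x00" * MAX_SIZE,  # same content, padded past the size bound
    }


if __name__ == "__main__":
    for name, sample in constructed_samples().items():
        print(name, evaluate_eqgrp_morel(sample))
```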
This YARA rule can be deployed in the following contexts:
This rule's detection logic uses three string patterns ($s1 to $s3); all three must be present as full words, together with the MZ header check and the 60KB size bound, for the rule to fire.
Scenario: Legitimate system update or patching process using morel.exe as part of a scheduled maintenance job
Filter/Exclusion: Check for the presence of morel.exe in known system directories like C:\Windows\System32 or within a scheduled task that matches a known patching or update process.
Scenario: Use of morel.exe by a legitimate enterprise tool such as EQGRP’s own diagnostic or configuration utility during routine administration
Filter/Exclusion: Filter events where morel.exe is executed from the installation directory of the EQGRP toolset, or where the process is initiated by a known admin user or service account.
Scenario: Execution of morel.exe as part of a backup or restore operation managed by a third-party backup tool (e.g., Veeam, Commvault)
Filter/Exclusion: Exclude processes where morel.exe is launched in the context of a backup/restore directory or with a command line that includes backup-related parameters.
Scenario: morel.exe is used by a custom enterprise application that relies on EQGRP libraries for data processing or reporting
Filter/Exclusion: Filter based on the application’s installation path or process name, such as MyEnterpriseApp.exe, and ensure the command line includes known legitimate arguments.
Scenario: morel.exe is executed by a scheduled task that runs under a service account for routine system health checks or log analysis
Filter/Exclusion: Exclude tasks that are scheduled via Task Scheduler and run under a known service account, or where the command line includes health check or log analysis parameters.