The hypothesis is that the detected behavior indicates an adversary attempting to compromise a user's banking credentials through a banking-malware payload of the kind this rule describes. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential financial fraud or data exfiltration before significant damage occurs.
YARA Rule
rule marcher1
{
    meta:
        author = "Antonio S. <asanchez@koodous.com>"
        source = "https://analyst.koodous.com/rulesets/890"
        description = "This rule detects a type of banking malware"
        sample = "33b1a9e4a1591c1a39fdd5295874e365dbde9448098254a938525385498da070"
    strings:
        $a = "cmVudCYmJg=="   // base64 of "rent&&&"
        $b = "dXNzZCYmJg=="   // base64 of "ussd&&&"
    condition:
        all of them
}
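To make explicit what the rule keys on, the following is an added example (not code from the page, from the rule author or from Koodous) that reimplements the rule's logic in plain Python without yara-python: it decodes the two base64 literals, applies the "all of them" condition to constructed byte buffers, and shows that a file carrying the decoded plaintext does not match. The sample buffers and file names are constructed for the example.

```python
import base64
import os
import tempfile
from typing import Dict, List

# The two base64 literals from the marcher1 rule, copied verbatim.
RULE_STRINGS: Dict[str, bytes] = {
    "$a": b"cmVudCYmJg==",
    "$b": b"dXNzZCYmJg==",
}


def decode_rule_strings() -> Dict[str, str]:
    """Decode the base64 literals so the analyst can see what the malware
    actually stores: $a is 'rent&&&' and $b is 'ussd&&&'."""
    return {name: base64.b64decode(b64).decode("ascii")
            for name, b64 in RULE_STRINGS.items()}


def matched_strings(data: bytes) -> List[str]:
    """Return the identifiers of the rule strings that occur in data.
    YARA text strings are plain byte-sequence matches at any offset."""
    return [name for name, b64 in RULE_STRINGS.items() if b64 in data]


def matches_marcher1(data: bytes) -> bool:
    """Reproduce the rule's condition 'all of them': every declared string
    must be present, not just one."""
    return len(matched_strings(data)) == len(RULE_STRINGS)


def scan_paths(paths: List[str]) -> Dict[str, List[str]]:
    """Scan files and report, per path, which rule strings matched.
    Only paths where the full condition holds are reported as hits."""
    hits: Dict[str, List[str]] = {}
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        if matches_marcher1(data):
            hits[path] = matched_strings(data)
    return hits


# Constructed buffers (not real samples): the first mimics a file carrying
# both encoded strings, the second only one of them, and the third carries
# the *decoded* plaintext, which the rule as written does not match.
SAMPLE_BOTH = b"\x00junk\x00" + RULE_STRINGS["$a"] + b"\x00more\x00" + RULE_STRINGS["$b"]
SAMPLE_ONE = b"\x00junk\x00" + RULE_STRINGS["$a"] + b"\x00nothing else"
SAMPLE_PLAINTEXT = b"\x00junk\x00rent&&&\x00ussd&&&"


def demo() -> Dict[str, List[str]]:
    """Write the constructed buffers to a temp directory, scan it, and return
    the hits keyed by file name (the temp dir path is irrelevant here)."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, blob in (("both.bin", SAMPLE_BOTH),
                           ("one.bin", SAMPLE_ONE),
                           ("plain.bin", SAMPLE_PLAINTEXT)):
            p = os.path.join(tmp, name)
            with open(p, "wb") as fh:
                fh.write(blob)
            paths.append(p)
        hits = scan_paths(paths)
        return {os.path.basename(p): v for p, v in hits.items()}


if __name__ == "__main__":
    print("decoded rule strings:", decode_rule_strings())
    print("hits:", demo())
```

The plain.bin case is the caveat a hunter should keep in mind: the rule matches the encoded bytes only, so a variant that stores the markers unencoded, or embeds them in a larger base64 blob at a different 3-byte alignment, produces different bytes and slips past the rule unchanged.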
This rule contains 2 string patterns in its detection logic, and the condition requires both to be present in the same file. Both patterns are base64 literals: $a decodes to rent&&& and $b to ussd&&&, so the rule matches only samples that carry the strings in that encoded form; a variant that stores them in plaintext or under a different encoding will not trigger it. The rule can be deployed in the following contexts, each with a filter or exclusion to suppress expected benign activity:
Scenario: A system administrator is using Microsoft Baseline Security Analyzer (MBSA) to perform a routine security scan.
Filter/Exclusion: Check for the presence of mbsa.exe or mbsa.log in the process or file system, and exclude processes running under the Administrators group or with a known security tool signature.
Scenario: A scheduled job runs PowerShell scripts to automate system updates or patch management using Windows Update.
Filter/Exclusion: Exclude processes with powershell.exe that are running under the SYSTEM account or have a script path containing C:\Windows\ or C:\Program Files\.
Scenario: A developer is using Wireshark to analyze network traffic for debugging a custom banking application.
Filter/Exclusion: Exclude processes with wireshark.exe or tshark.exe and filter out traffic to/from known internal development servers or IPs.
Scenario: A user is accessing a banking portal through a Citrix Virtual Desktop environment for remote work.
Filter/Exclusion: Exclude traffic to/from the Citrix server IP or domain, and filter out connections to known banking portals using SSL/TLS inspection or application-layer filtering.
Scenario: A backup job is running using Veeam Backup & Replication to archive sensitive financial data.
Filter/Exclusion: Exclude processes with veeam.exe or veeambackup.exe and filter out file access to backup directories or encrypted data stores.