The marcher3 rule detects potential malicious activity associated with the Marcher malware family, which may indicate unauthorized access or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to broader network infiltration.
YARA Rule
rule marcher3
{
    meta:
        author = "Antonio S. <asanchez@koodous.com>"
        source = "https://analyst.koodous.com/rulesets/890"
        sample1 = "087710b944c09c3905a5a9c94337a75ad88706587c10c632b78fad52ec8dfcbe"
        sample2 = "fa7a9145b8fc32e3ac16fa4a4cf681b2fa5405fc154327f879eaf71dd42595c2"
    strings:
        $a = "certificado # 73828394"
        $b = "A compania TMN informa que o vosso sistema Android tem vulnerabilidade"
    condition:
        all of them
}
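To make the rule's matching semantics concrete, here is an added example (not part of the original ruleset and not the yara library itself) that re-implements only what marcher3 needs: two plain, case-sensitive text strings joined by `all of them`. The byte buffers it scans are constructed for the example, not real samples; they show that a file carrying only one of the two strings, or a case-altered copy, does not fire the rule.

```python
"""Minimal evaluator for the marcher3 rule logic (added example, not the page's code).

Only the features this rule uses are implemented: plain ASCII text strings
(no `wide`, no `nocase`) and the `all of them` condition.
"""
from dataclasses import dataclass


# The two strings declared in the rule. YARA matches a plain text string as
# raw bytes, anywhere in the scanned file, case-sensitively.
MARCHER3_STRINGS = {
    "$a": b"certificado # 73828394",
    "$b": b"A compania TMN informa que o vosso sistema Android tem vulnerabilidade",
}


@dataclass
class MatchResult:
    matched: bool
    hits: dict  # string identifier -> list of byte offsets where it occurs


def find_all(haystack: bytes, needle: bytes) -> list:
    """Return every offset at which `needle` occurs in `haystack`."""
    offsets = []
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def evaluate_marcher3(data: bytes) -> MatchResult:
    """Apply the rule: `all of them` means every declared string must occur at least once."""
    hits = {ident: find_all(data, s) for ident, s in MARCHER3_STRINGS.items()}
    matched = all(len(offsets) > 0 for offsets in hits.values())
    return MatchResult(matched=matched, hits=hits)


# Constructed buffers used to exercise the rule (not real malware content).
SAMPLE_BOTH = (
    b"\x00padding\x00"                 # 9 bytes of filler, so $a lands at offset 9
    + MARCHER3_STRINGS["$a"]
    + b"\x00" * 8
    + MARCHER3_STRINGS["$b"]
    + b"\x00trailer"
)
SAMPLE_ONLY_A = b"header" + MARCHER3_STRINGS["$a"] + b"footer"
SAMPLE_CASE_CHANGED = (
    b"header" + MARCHER3_STRINGS["$a"].upper() + MARCHER3_STRINGS["$b"]
)


if __name__ == "__main__":
    for name, buf in (("both strings", SAMPLE_BOTH),
                      ("only $a", SAMPLE_ONLY_A),
                      ("$a upper-cased", SAMPLE_CASE_CHANGED)):
        result = evaluate_marcher3(buf)
        print(f"{name:15s} matched={result.matched} hits={result.hits}")
```

The offsets returned mirror what a YARA `-s` (print strings) run would report for the same buffer, which is a convenient way to confirm that a suspected false positive actually contains both strings rather than just one.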
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Task Scheduler job that runs a script or executable, may trigger the rule due to similar code patterns.
Filter/Exclusion: Check for ProcessName containing taskhost.exe or schtasks.exe and filter out processes associated with scheduled tasks.
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools like Kaspersky, Bitdefender, or Malwarebytes may execute payloads during a full system scan, which could match the YARA rule.
Filter/Exclusion: Use ProcessName containing avp.exe, mbam.exe, or kav64.exe and exclude processes with known antivirus signatures.
Scenario: Software Update or Patch Installation
Description: A legitimate software update, such as Windows Update or Chocolatey package installation, may include scripts or binaries that resemble malicious behavior.
Filter/Exclusion: Filter processes with ProcessName like wuauclt.exe, choco.exe, or msiexec.exe and check for known update-related hashes.
Scenario: Admin Task Using PowerShell for Configuration
Description: An administrator may use PowerShell to configure system settings, which could involve scripts that match the YARA rule due to similar string patterns.
Filter/Exclusion: Filter processes with ProcessName containing powershell.exe and check for CommandLine arguments related to administrative tasks (e.g., -Command, -File).
Scenario: Legitimate Code Signing or Signing Tool Usage
Description: Tools like SignTool (Microsoft) or CodeSign (Apple) may execute code signing operations that could trigger the rule due to similar code structures.