anti-analysis/anti-vm/vm-detection

check for sandbox username or hostname

rule:
  meta:
    name: check for sandbox username or hostname
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - "@_re_fox"
      - "echernofsky@google.com"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion [T1497]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LloydLabs/wsb-detect
      - https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer
    examples:
      - ccbf7cba35bab56563c0fbe4237fdc41:0x402B90
  features:
    - and:
      - or:
        - match: get session user name
        # Usernames often overlap with hostnames for many of these checks.
        - match: get hostname
      - or:
        - string: /WILLCARTER-PC/i
          description: Known sandbox hostname
        - string: /FORTI-PC/i
          description: Known sandbox hostname
        - string: /SFTOR-PC/i
          description: Known sandbox hostname
        - string: /Joe\s?Cage/i
          description: Known sandbox username
        - string: /STRAZNJICA\.GRUBUTT/i
          description: Known sandbox username
        - string: /Paul\s?Jones/i
          description: Known sandbox username
        - string: /PJones/i
          description: Known sandbox username
        - string: /Harry\s?Johnson/i
          description: Known sandbox username
        - string: /sal\.rosenburg/i
          description: Known sandbox username
        - string: /d5\.vc\/g/i
          description: Known sandbox username
        - string: /MALTEST/i
          description: Betabot Username Check
        - string: /TEQUILABOOMBOOM/i
          description: VirusTotal Sandbox
        - string: /SANDBOX/i
          description: Gookit Username Check
        - string: /^VIRUS/i
          description: Satan Username Check
        - string: /MALWARE/i
          description: Betabot Username Check
        - string: /SAND\s?BOX/i
          description: Betabot Username Check
        - string: /Test\sUser/i
          description: Betabot Username Check
        - string: /CurrentUser/i
          description: Gookit Username Check
        - string: /7SILVIA/i
          description: Gookit Username Check
        - string: /FORTINET/i
          description: Shifu Username Check
        - string: /John\s?Doe/i
          description: Emotet Username Check
        - string: /Emily/i
          description: Trickbot Downloader Username Check
        - string: /HANSPETER(-PC)?/i
          description: Trickbot Downloader Username Check
        - string: /HAPUBWS/i
          description: Trickbot Downloader Username Check
        - string: /Hong\sLee/i
          description: Trickbot Downloader Username Check
        - string: /IT-ADMIN/i
          description: Trickbot Downloader Username Check
        - string: /JOHN(-PC)?/i
          description: Trickbot Downloader Username Check
        - string: /Johnson/i
          description: Trickbot Downloader Username Check
        - string: /Miller/i
          description: Trickbot Downloader Username Check
        - string: /MUELLER(-PC)?/i
          description: Trickbot Downloader Username Check
        - string: /Peter\sWilson/i
          description: Trickbot Downloader Username Check
        - string: /SystemIT/i
          description: Trickbot Downloader Username Check
        - string: /Timmy/i
          description: Trickbot Downloader Username Check
        - string: /WIN7-TRAPS/i
          description: Trickbot Downloader Username Check
        - string: /WDAGUtilityAccount/i
          description: Windows Defender Application Guard
        - string: /HAL9TH/i
          description: Windows Defender Emulator

last edited: 2025-02-04 20:49:10