Fireball Archer Install

 1title: Fireball Archer Install
 2id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
 3status: test
 4description: Detects Archer malware invocation via rundll32
 5references:
 6    - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
 7    - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 8author: Florian Roth (Nextron Systems)
 9date: 2017/06/03
10modified: 2021/11/27
11tags:
12    - attack.execution
13    - attack.defense_evasion
14    - attack.t1218.011
15    - detection.emerging_threats
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        CommandLine|contains|all:
22            - 'rundll32.exe'
23            - 'InstallArcherSvc'
24    condition: selection
25fields:
26    - CommandLine
27    - ParentCommandLine
28falsepositives:
29    - Unknown
30level: high

References

• VirusTotal

  VirusTotal

  
  Read More

• Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'archer.dll'

  Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

  
  Read More

Related rules

• ZxShell Malware
• EvilNum APT Golden Chickens Deployment Via OCX Files
• Greenbug Espionage Group Indicators
• Operation Wocao Activity
• Operation Wocao Activity - Security