New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

extend "check for sandbox username or hostname" #974

Open

mike-hunhoff opened this issue Dec 17, 2024 · 0 comments

Labels

good first issue rule idea

Collaborator

mike-hunhoff commented Dec 17, 2024

Next, the loader retrieves the computer name and name of the currently logged-in user against WILLCARTER-PC, FORTI-PC, SFTOR-PC and Joe Cage, STRAZNJICA.GRUBUTT, Paul Jones, PJones, Harry Johnson, WDAGUtilityAccount, sal.rosenburg, and d5.vc/g accordingly. The computer name and username values can indicate automated analysis environments or generic usernames commonly used in virtual environments.

source: https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer

target capa rule: https://github.com/mandiant/capa-rules/blob/e033410c8910f8b46718a5eefd9f0c7768be1b99/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml

mike-hunhoff added good first issue rule idea labels

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment