The Banker_Acecard rule flags potential credential harvesting or lateral movement by identifying file artifacts associated with known malicious actors. SOC teams should proactively hunt for this behavior in Azure Sentinel to catch early-stage compromises and prevent further network infiltration.
YARA Rule
rule Banker_Acecard
{
    meta:
        author = "https://twitter.com/SadFud75"
        more_information = "https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Acecard/"
        samples_sha1 = "ad9fff7fd019cf2a2684db650ea542fdeaaeaebb 53cca0a642d2f120dea289d4c7bd0d644a121252"

    strings:
        $str_1 = "Cardholder name"
        $str_2 = "instagram.php"

    condition:
        (
            (androguard.package_name("starter.fl") and androguard.service("starter.CosmetiqFlServicesCallHeadlessSmsSendService"))
            or androguard.package_name("cosmetiq.fl")
            or all of ($str_*)
        )
        and androguard.permissions_number > 19
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
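The condition above has three alternative branches gated by a single permissions threshold, which is what decides whether a hit is worth triage. The following added example (not part of the original page or the rule author's work) re-implements that condition in plain Python so an analyst can see which branch fired; the androguard module is not used, and the ApkFacts record and the sample metadata are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ApkFacts:
    """Metadata an analyst would pull from an APK (constructed stand-in for androguard)."""
    package_name: str
    services: set = field(default_factory=set)
    permissions: set = field(default_factory=set)
    strings: set = field(default_factory=set)  # printable strings found in the APK

# Mirrors $str_1 and $str_2 from the rule.
ACECARD_STRINGS = {"Cardholder name", "instagram.php"}

def branch_starter(apk: ApkFacts) -> bool:
    # androguard.package_name("starter.fl") and androguard.service(...)
    return (apk.package_name == "starter.fl"
            and "starter.CosmetiqFlServicesCallHeadlessSmsSendService" in apk.services)

def branch_cosmetiq(apk: ApkFacts) -> bool:
    # androguard.package_name("cosmetiq.fl")
    return apk.package_name == "cosmetiq.fl"

def branch_strings(apk: ApkFacts) -> bool:
    # all of ($str_*): every string must be present, not just one
    return ACECARD_STRINGS <= apk.strings

def matches_banker_acecard(apk: ApkFacts) -> bool:
    """Rule condition: any branch, AND more than 19 declared permissions."""
    any_branch = branch_starter(apk) or branch_cosmetiq(apk) or branch_strings(apk)
    return any_branch and len(apk.permissions) > 19

def explain(apk: ApkFacts) -> dict:
    """Triage helper: which branches fired and why the permissions gate passed or not."""
    checks = (("starter.fl+service", branch_starter),
              ("cosmetiq.fl", branch_cosmetiq),
              ("all strings", branch_strings))
    return {"branches": [name for name, fn in checks if fn(apk)],
            "permissions": len(apk.permissions),
            "match": matches_banker_acecard(apk)}

# Constructed samples: a suspect with both strings and many permissions,
# the same strings with few permissions, and a benign wallet with one string.
MANY_PERMS = {f"android.permission.P{i}" for i in range(20)}
SUSPECT = ApkFacts("com.example.suspect", permissions=MANY_PERMS, strings=set(ACECARD_STRINGS))
FEW_PERMS = ApkFacts("com.example.suspect", permissions={"android.permission.INTERNET"},
                     strings=set(ACECARD_STRINGS))
WALLET = ApkFacts("com.example.wallet", permissions=MANY_PERMS, strings={"Cardholder name"})
```

Running explain() on each sample shows that only SUSPECT matches, via the "all strings" branch, while the wallet app fails because a single string does not satisfy "all of ($str_*)".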
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate backup job initiated by Veeam Backup & Replication may trigger the rule due to similar file patterns or behavior.
Filter/Exclusion: Check for the presence of veeam in the process name or command line arguments, or filter by file paths containing veeam or backup.
Scenario: Windows Task Scheduler Job for Log Rotation
Description: A scheduled task using Windows Task Scheduler might execute scripts or tools that resemble the malicious behavior described in the rule.
Filter/Exclusion: Filter events where the process is launched by schtasks.exe or where the command line includes schtasks or task scheduler.
Scenario: Admin Performing Disk Cleanup Using DISM
Description: A system administrator using DISM (Deployment Imaging Servicing and Management) for disk cleanup or system image maintenance might trigger the rule.
Filter/Exclusion: Filter for processes with dism.exe in the command line, or check for known admin tools in the process tree.
Scenario: Antivirus Scan Using Bitdefender
Description: A full system scan initiated by Bitdefender may involve scanning files that match the YARA signature due to similar file structures.
Filter/Exclusion: Filter for processes with bitdefender or bdagent in the process name, or check for known antivirus tool paths.
Scenario: Database Maintenance Job Using SQL Server Agent
Description: A SQL Server Agent job performing routine maintenance tasks (e.g., index rebuilds, statistics updates) may trigger the rule due to similar file access patterns.
Filter/Exclusion: Filter for processes with sqlservr.exe or sqlagent.exe in the process tree, or check for known SQL Server maintenance