Carbanak Malware is likely being used to exfiltrate sensitive data through covert network communications. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threat activity before significant data loss occurs.
YARA Rule
rule Carbanak_0915_1
{
    meta:
        description = "Carbanak Malware"
        author = "Florian Roth"
        reference = "https://www.csis.dk/en/csis/blog/4710/"
        date = "2015-09-03"
        score = 70
    strings:
        $s1 = "evict1.pdb" fullword ascii
        $s2 = "http://testing.corp 0" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and 1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic; a file matches when it starts with the MZ header (uint16(0) == 0x5a4d), is smaller than 100KB, and contains at least one of the two strings as a full word.
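To see exactly what the condition above accepts and rejects, here is an added Python re-implementation of the rule's three clauses (MZ header, size bound, fullword string match). It is example code written for this page, not part of the rule, of YARA, or of any vendor tooling; the sample byte strings are constructed stand-ins and are not real Carbanak artefacts.

```python
import struct

# The rule's two strings ("fullword ascii") and its size bound. In YARA, 100KB means
# 100 * 1024 bytes, not 100,000.
RULE_STRINGS = [b"evict1.pdb", b"http://testing.corp 0"]
MAX_SIZE = 100 * 1024


def is_fullword_match(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's 'fullword' modifier: the match must not be immediately
    preceded or followed by an alphanumeric byte ([A-Za-z0-9])."""
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return False
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(needle):idx + len(needle) + 1]
        # bytes.isalnum() is False for b"" and for non-ASCII bytes, which is what we want.
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1


def matches_carbanak_0915_1(data: bytes) -> dict:
    """Evaluate each clause of the rule separately and return which ones fired,
    plus the overall verdict, so a triage note can say *why* a file matched."""
    # uint16(0) is read little-endian: the bytes "MZ" (0x4D 0x5A) give 0x5A4D.
    mz_header = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D
    size_ok = len(data) < MAX_SIZE
    string_hits = [s.decode() for s in RULE_STRINGS if is_fullword_match(data, s)]
    return {
        "mz_header": mz_header,
        "size_ok": size_ok,
        "string_hits": string_hits,
        "match": bool(mz_header and size_ok and string_hits),
    }


# Constructed sample inputs (hypothetical, not real samples), one per clause:
SAMPLE_HIT = b"MZ" + b"\x90" * 64 + b"evict1.pdb\x00" + b"\x00" * 32      # all clauses true
SAMPLE_NOT_PE = b"PK" + b"\x00" * 64 + b"evict1.pdb\x00"                  # string present, no MZ header
SAMPLE_PARTIAL_WORD = b"MZ" + b"\x00" * 16 + b"xevict1.pdbx" + b"\x00" * 8  # embedded in a longer word
SAMPLE_TOO_BIG = b"MZ" + b"\x00" * MAX_SIZE + b"http://testing.corp 0\x00"  # exceeds 100KB

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE),
                       ("partial_word", SAMPLE_PARTIAL_WORD), ("too_big", SAMPLE_TOO_BIG)]:
        print(name, matches_carbanak_0915_1(blob))
```

Running the block prints one verdict line per constructed sample; only the first matches, and each of the others fails exactly one clause. Returning the per-clause results rather than a bare boolean is useful when tuning: a size-only failure on an otherwise matching binary is worth a second look, since the 100KB bound is a heuristic rather than part of the malware's signature.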
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as schtasks.exe running a cleanup or update job, may trigger the rule due to similar command-line behavior.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known benign command-line arguments (e.g., schtasks /run /TN "CleanupTask").
Scenario: Admin PowerShell Script Execution
Description: An administrator running a PowerShell script to configure system settings or deploy software may trigger the rule due to similar script execution patterns.
Filter/Exclusion: Exclude PowerShell scripts executed from trusted locations (e.g., C:\Windows\System32\) or signed by a known enterprise CA.
Scenario: Database Backup Job
Description: A scheduled SQL Server backup job using sqlcmd.exe or osql.exe may be flagged due to similar process execution patterns.
Filter/Exclusion: Exclude processes with command-line arguments containing BACKUP DATABASE or sqlcmd -Q "BACKUP DATABASE".
Scenario: Software Deployment via Group Policy
Description: A Group Policy Object (GPO) deployment using gpupdate.exe or msiexec.exe may trigger the rule due to similar process execution.
Filter/Exclusion: Exclude processes initiated by gpupdate.exe or msiexec.exe with known deployment command-line arguments (e.g., /i "software.msi").
Scenario: Log File Analysis Tool Execution
Description: A log analysis tool such as logparser.exe or splunkcmd.exe may be flagged due to similar process execution patterns.
Filter/Exclusion: Exclude processes with command-line arguments containing known log analysis tools or paths to log directories.