A malicious PotPlayer.dll is often used by adversaries to execute arbitrary code and establish persistence within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise early in the attack lifecycle.
YARA Rule
```yara
rule Mal_PotPlayer_DLL : dll {
    meta:
        description = "Detects a malicious PotPlayer.dll"
        author = "Florian Roth"
        reference = "https://goo.gl/13Wgy1"
        date = "2016-05-25"
        score = 70
        hash1 = "705409bc11fb45fa3c4e2fa9dd35af7d4613e52a713d9c6ea6bc4baff49aa74a"
    strings:
        $x1 = "C:\\Users\\john\\Desktop\\PotPlayer\\Release\\PotPlayer.pdb" fullword ascii
        $s3 = "PotPlayer.dll" fullword ascii
        $s4 = "\\update.dat" fullword ascii
    condition:
        // 'and' binds tighter than 'or' in YARA, so the original condition
        // "uint16(0) == 0x5a4d and filesize < 200KB and $x1 or all of ($s*)"
        // evaluates as the two alternatives below (parentheses added for clarity only)
        (uint16(0) == 0x5a4d and filesize < 200KB and $x1) or all of ($s*)
}
```
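To see which branch of the condition fires on a given file, the following added Python script (not part of the original page or the rule author's code) re-implements the rule's condition over constructed byte samples; the `fullword` approximation and the samples are assumptions.

```python
import re

# String and size constants taken from the Mal_PotPlayer_DLL rule above
X1 = b"C:\\Users\\john\\Desktop\\PotPlayer\\Release\\PotPlayer.pdb"
S3 = b"PotPlayer.dll"
S4 = b"\\update.dat"
MAX_SIZE = 200 * 1024  # YARA's "filesize < 200KB" (KB = 1024 bytes)


def fullword(data: bytes, needle: bytes) -> bool:
    """Approximation (assumption) of YARA 'fullword ascii': the string may not be
    directly preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def mal_potplayer_dll(data: bytes) -> bool:
    """Evaluates the rule condition the way YARA parses it. 'and' binds tighter
    than 'or', so the condition is:
        (uint16(0) == 0x5a4d and filesize < 200KB and $x1)  or  all of ($s*)
    The second branch has no header or size requirement."""
    is_mz = data[:2] == b"MZ"  # uint16(0) == 0x5a4d read little-endian
    branch_pdb = is_mz and len(data) < MAX_SIZE and fullword(data, X1)
    branch_all_s = fullword(data, S3) and fullword(data, S4)
    return branch_pdb or branch_all_s


# Constructed byte samples (not real files) exercising each branch
SAMPLES = {
    # MZ header, small, contains the PDB path: first branch matches
    "small_pe_with_pdb": b"MZ" + b"\x00" * 60 + X1 + b"\x00",
    # No MZ header at all, yet both $s strings are present: second branch matches
    "text_with_both_s": b"loading PotPlayer.dll and \\update.dat\n",
    # PE over 200KB with the PDB path only: size limit blocks the first branch
    "large_pe_with_pdb": b"MZ" + b"\x00" * MAX_SIZE + X1 + b"\x00",
    # PE that merely names PotPlayer.dll: neither branch matches
    "benign_dll": b"MZ" + b"\x00" * 60 + S3 + b"\x00",
}


def scan_samples() -> dict:
    """Returns {sample name: matched?} for every constructed sample."""
    return {name: mal_potplayer_dll(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:20s} {'MATCH' if hit else 'no match'}")
```

Running it shows that a plain text file with both `$s` strings matches while an oversized PE carrying only the PDB path does not, which is useful to know before tuning exclusions.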
The rule uses 3 string patterns: the build-path artifact `$x1` and the two generic strings `$s3` and `$s4`. The first branch of the condition (MZ header, size under 200KB, `$x1`) is the high-confidence one; the `all of ($s*)` alternative fires on any file containing both `PotPlayer.dll` and `\update.dat`, regardless of header or size, and is the branch most likely to match legitimate software. The following scenarios describe legitimate activity that may trigger the rule, with a filter for each:
**Scenario: Legitimate PotPlayer installation by end-users**
Description: A user installs the legitimate PotPlayer media player, which includes the PotPlayer.dll file.
Filter/Exclusion: Check the file path against known legitimate installation directories (e.g., C:\Program Files\Kakao\KakaoPotPlayer\). Since the path is a directory, compare on the prefix rather than for equality. Use a filter like:
`NOT file.path startswith "C:\Program Files\Kakao\KakaoPotPlayer\"`
A path check alone is weak on its own, since any file can be dropped into that directory; combine it with the signature check from the next scenario.
**Scenario: System update or patch includes PotPlayer.dll**
Description: A system update or patch from a trusted vendor includes the PotPlayer.dll as part of a bundled application or service.
Filter/Exclusion: Check the file's digital signature and source. Use a filter like:
`file.signer != "Unknown" AND file.source != "Untrusted"`
**Scenario: Scheduled task runs a legitimate script that references PotPlayer.dll**
Description: A scheduled task or automation script (e.g., PowerShell or batch script) references PotPlayer.dll for media playback or encoding.
Filter/Exclusion: Check the process owner and command line arguments. Use a filter like:
`process.owner == "SYSTEM" OR process.command_line contains "script_name.ps1"`
Note that excluding every SYSTEM-owned process is very broad; scope the exclusion to the specific task name or script path that is known to be legitimate.
**Scenario: Admin task uses PotPlayer.dll for media processing**
Description: An administrator uses a tool like ffmpeg or VLC (which may reference PotPlayer.dll internally) for video processing.
Filter/Exclusion: Check the parent process or command line context. Use a filter like:
`parent_process == "ffmpeg.exe" OR parent_process == "vlc.exe"`
**Scenario: Malware analysis environment includes PotPlayer