Rule to detect trojans imitating banks of North America, Eurpope and Asia

Hunt Hypothesis

Adversaries may use trojans mimicking North American, European, and Asian banks to evade detection and gain initial access to victim networks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential credential theft and lateral movement attempts.

YARA Rule

rule SlemBunk : android
{
	meta:
		description = "Rule to detect trojans imitating banks of North America, Eurpope and Asia"
		author = "@plutec_net"
		sample = "e6ef34577a75fc0dc0a1f473304de1fc3a0d7d330bf58448db5f3108ed92741b"
		source = "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html"

	strings:
		$a = "#intercept_sms_start"
		$b = "#intercept_sms_stop"
		$c = "#block_numbers"
		$d = "#wipe_data"
		$e = "Visa Electron"

	condition:
		all of them
		
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled System Backup Job
  Description: A legitimate scheduled backup job using Veeam Backup & Replication or Commvault may generate traffic resembling trojan behavior (e.g., connecting to external IPs or using similar command-line arguments).
  Filter/Exclusion: Check for process parentage (parent_process = "task scheduler" or parent_process = "services.exe") and verify if the process is associated with a known backup tool.

• Scenario: Admin Task for Patch Management
  Description: A system administrator may run a Microsoft Update Assistant or WSUS task that temporarily connects to Microsoft servers or uses similar command-line syntax as a trojan.
  Filter/Exclusion: Include a filter for process_name = "wuauclt.exe" or process_name = "msupdate.exe" and check for known patch management tools in the process tree.

• Scenario: Legitimate Software Update via Chocolatey
  Description: A Chocolatey package installation might trigger network activity that matches the rule’s signature, especially if it downloads from a trusted source like chocolatey.org.
  Filter/Exclusion: Use a filter for process_name = "choco.exe" and verify the download source against known trusted repositories.

• Scenario: Database Backup Using SQL Server Agent Job
  Description: A SQL Server Agent Job might initiate a connection to a remote database or use command-line tools like sqlcmd that could be mistaken for a trojan.
  Filter/Exclusion: Filter by process_name = "sqlcmd.exe" and check for presence of SQL Server services or known backup scripts in the job definition.

• Scenario: Network Monitoring Tool Traffic
  Description: A tool like Wireshark or tcpdump may generate network traffic that resembles malicious activity, especially when