win.edr_silencer

EDRSilencer


Trend Micro describes EDRSilencer as a red-team tool originally designed to interfere with endpoint detection and response (EDR) solutions via the Windows Filtering Platform (WFP); it is now actively being used by threat actors.

References
2024-10-15Trend MicroCj Arsley Mateo, Jacob Santos, Sarah Pearl Camiling, Trend Micro Research
Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions
EDRSilencer
Yara Rules
[TLP:WHITE] win_edr_silencer_auto (20260504 | Detects win.edr_silencer.)
rule win_edr_silencer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.edr_silencer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.edr_silencer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTE
     * The mnemonic annotations that were emitted next to each byte pattern did
     * not correspond to the bytes on the same line (they read like a 32-bit
     * decode of some other code region). They have been replaced below with a
     * straight x86-64 decode of the bytes actually shown. The annotations are
     * informational only: YARA matches on the hex patterns, which are
     * unchanged. "??" bytes are wildcards standing in for relocatable
     * call/jump targets and RIP-relative displacements.
     */


    strings:
        $sequence_0 = { e8???????? 488d0d28cb0000 e8???????? 488d0d5ccb0000 }
            // n = 4, score = 100
            //   e8????????           | call                <rel32>
            //   488d0d28cb0000       | lea                 rcx, [rip + 0xcb28]
            //   e8????????           | call                <rel32>
            //   488d0d5ccb0000       | lea                 rcx, [rip + 0xcb5c]
            // Two calls, each preceded by loading a RIP-relative address into rcx
            // (the first-argument register on Windows x64). What the addresses
            // point to is not recoverable from the pattern alone.

        $sequence_1 = { e8???????? 898588040000 83bd8804000000 7416 }
            // n = 4, score = 100
            //   e8????????           | call                <rel32>
            //   898588040000         | mov                 dword ptr [rbp + 0x488], eax
            //   83bd8804000000       | cmp                 dword ptr [rbp + 0x488], 0
            //   7416                 | je                  +0x16
            // Spills eax (presumably the call's return value) to a frame slot and
            // branches when it is zero.

        $sequence_2 = { b801000000 eb34 488b45f8 4889c1 }
            // n = 4, score = 100
            //   b801000000           | mov                 eax, 1
            //   eb34                 | jmp                 +0x34
            //   488b45f8             | mov                 rax, qword ptr [rbp - 8]
            //   4889c1               | mov                 rcx, rax

        $sequence_3 = { 6683f809 0f87f3060000 4183fe03 0f87e9060000 4585f6 0f850a020000 41be01000000 }
            // n = 7, score = 100
            //   6683f809             | cmp                 ax, 9
            //   0f87f3060000         | ja                  +0x6f3
            //   4183fe03             | cmp                 r14d, 3
            //   0f87e9060000         | ja                  +0x6e9
            //   4585f6               | test                r14d, r14d
            //   0f850a020000         | jne                 +0x20a
            //   41be01000000         | mov                 r14d, 1
            // Range checks (ax <= 9, r14d <= 3) followed by a zero test on r14d;
            // r14d is set to 1 on the fall-through path.

        $sequence_4 = { 4889c2 488d0d6dcc0000 e8???????? eb14 }
            // n = 4, score = 100
            //   4889c2               | mov                 rdx, rax
            //   488d0d6dcc0000       | lea                 rcx, [rip + 0xcc6d]
            //   e8????????           | call                <rel32>
            //   eb14                 | jmp                 +0x14
            // Same shape as $sequence_0: RIP-relative address in rcx, previous
            // result in rdx, then a direct call.

        $sequence_5 = { 488b5df0 b901000000 488b05???????? ffd0 4989d8 488b5520 4889c1 }
            // n = 7, score = 100
            //   488b5df0             | mov                 rbx, qword ptr [rbp - 0x10]
            //   b901000000           | mov                 ecx, 1
            //   488b05????????       | mov                 rax, qword ptr [rip + <disp32>]
            //   ffd0                 | call                rax
            //   4989d8               | mov                 r8, rbx
            //   488b5520             | mov                 rdx, qword ptr [rbp + 0x20]
            //   4889c1               | mov                 rcx, rax
            // Indirect call through a pointer loaded from a RIP-relative slot
            // (presumably an import-table entry - confirm in the sample), followed
            // by staging of rcx/rdx/r8 for the next call.

        $sequence_6 = { 8985ac010000 83bdac01000000 740b 8b85ac010000 e9???????? b910000000 e8???????? }
            // n = 7, score = 100
            //   8985ac010000         | mov                 dword ptr [rbp + 0x1ac], eax
            //   83bdac01000000       | cmp                 dword ptr [rbp + 0x1ac], 0
            //   740b                 | je                  +0xb
            //   8b85ac010000         | mov                 eax, dword ptr [rbp + 0x1ac]
            //   e9????????           | jmp                 <rel32>
            //   b910000000           | mov                 ecx, 0x10
            //   e8????????           | call                <rel32>
            // Store/compare/reload of a frame slot: non-zero value is propagated in
            // eax and jumped out; the zero path calls something with ecx = 0x10.

        $sequence_7 = { 4881c418050000 5f 5d c3 55 57 }
            // n = 6, score = 100
            //   4881c418050000       | add                 rsp, 0x518
            //   5f                   | pop                 rdi
            //   5d                   | pop                 rbp
            //   c3                   | ret
            //   55                   | push                rbp
            //   57                   | push                rdi
            // Epilogue tearing down a 0x518-byte frame (rdi/rbp restored) directly
            // followed by the prologue of the next function.

        $sequence_8 = { 488d0d16c90000 e8???????? 488b45e0 4889c1 488b05???????? ffd0 b800000000 }
            // n = 7, score = 100
            //   488d0d16c90000       | lea                 rcx, [rip + 0xc916]
            //   e8????????           | call                <rel32>
            //   488b45e0             | mov                 rax, qword ptr [rbp - 0x20]
            //   4889c1               | mov                 rcx, rax
            //   488b05????????       | mov                 rax, qword ptr [rip + <disp32>]
            //   ffd0                 | call                rax
            //   b800000000           | mov                 eax, 0
            // Direct call with a RIP-relative rcx, then an indirect call (same
            // load-pointer-then-call-rax shape as $sequence_5) with a local in rcx,
            // then eax is zeroed.

        $sequence_9 = { 48898d00020000 48899508020000 4c898510020000 4883bd0002000000 740a }
            // n = 5, score = 100
            //   48898d00020000       | mov                 qword ptr [rbp + 0x200], rcx
            //   48899508020000       | mov                 qword ptr [rbp + 0x208], rdx
            //   4c898510020000       | mov                 qword ptr [rbp + 0x210], r8
            //   4883bd0002000000     | cmp                 qword ptr [rbp + 0x200], 0
            //   740a                 | je                  +0xa
            // Spills the first three argument registers to consecutive frame slots
            // and branches when the first one is NULL.

    condition:
        // At least 7 of the 10 byte sequences must be present, and the scanned
        // object must be smaller than 744448 bytes (727 KiB). The 7-of-10
        // threshold gives some tolerance for recompilation shifting one or two
        // sequences, at the cost of the single-sample generalization caveat in
        // the DISCLAIMER above.
        // NOTE(review): YARA's filesize is not defined when scanning a live
        // process, so this rule is expected to match on-disk binaries and dumped
        // files only - confirm against the intended deployment target.
        7 of them and filesize < 744448
}