{"id":7965,"date":"2024-06-13T07:27:11","date_gmt":"2024-06-13T07:27:11","guid":{"rendered":"\/cybersecurity-blog\/?p=7965"},"modified":"2024-06-13T07:27:12","modified_gmt":"2024-06-13T07:27:12","slug":"mutex-search-in-ti-lookup","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/","title":{"rendered":"Search for Malware Mutexes in ANY.RUN Threat Intelligence Lookup\u00a0"},"content":{"rendered":"\n<p>Malware often uses custom mutexes. We&#8217;ve released an update that allows you to search for these mutexes in TI Lookup and add them to your IOCs. &nbsp;<\/p>\n\n\n\n<p>What&#8217;s more, the tasks in the search results make it easier to distinguish between malicious and legitimate mutexes, which can significantly speed up your threat investigations.&nbsp;<\/p>\n\n\n\n<p>Let&#8217;s explore this new functionality with an example to better understand how it works.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Example: DCRat\u00a0<\/h2>\n\n\n\n<p>To find mutexes used by DCRat, you can use this query in ANY.RUN:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-102\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"102\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22SyncObjectName:%5C%22dcrat%5C%22%22,%22dateRange%22:180}\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22SyncObjectName:%5C%22dcrat%5C%22%22,%22dateRange%22:180}\" data-link-text=\"SyncObjectName:&quot;dcrat&quot; \" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\" style='color: #009cff; text-decoration: underline;'>SyncObjectName:&quot;dcrat&quot; <\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-102'>\ntable#wpdtSimpleTable-102{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-102 td, table.wpdtSimpleTable102 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"562\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-3-1024x562.png\" alt=\"\" class=\"wp-image-7966\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-3-1024x562.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-3-300x165.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-3-768x422.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-3-1536x844.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-3-2048x1125.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-3-370x203.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-3-270x148.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image2-3-740x406.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">List of DCRat mutexes<\/figcaption><\/figure><\/div>\n\n\n<p>Go to the &#8216;Synchronizations&#8217; tab to isolate the list of mutexes. \u00a0<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nLearn more about ANY.RUN <span class=\"highlight\">Threat Intelligence Products<\/span>&nbsp;\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=mutexes_in_malware&#038;utm_term=130624&#038;utm_content=linktotiplans\" rel=\"noopener\" target=\"_blank\">\nInquire about ANY.RUN TI\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>ANY.RUN&#8217;s TI Lookup makes it easy to go from an overview of search results to a deeper investigation of a malware sample.&nbsp;<\/p>\n\n\n\n<p>We can switch to the <strong>Tasks<\/strong> tab to see a list of analysis sessions where that sample was recorded.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image3-3-1024x565.png\" alt=\"\" class=\"wp-image-7967\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image3-3-1024x565.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image3-3-300x165.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image3-3-768x423.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image3-3-1536x847.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image3-3-2048x1129.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image3-3-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image3-3-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image3-3-740x408.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Analysis sessions where DCRat mutexes were recorded<\/figcaption><\/figure><\/div>\n\n\n<p>But the result shows lots of AsyncRAT instances. What&#8217;s going on?&nbsp;<\/p>\n\n\n\n<p>That&#8217;s because DCRat and AsyncRAT share a lot of the same codebase, which can trick antivirus software and malware sandboxes into confusing them with each other. &nbsp;<\/p>\n\n\n\n<p>We will identify DCRat by doing a little bit of research in the sandbox:\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image4-2-1024x565.png\" alt=\"\" class=\"wp-image-7968\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image4-2-1024x565.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image4-2-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image4-2-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image4-2-1536x848.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image4-2-2048x1131.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image4-2-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image4-2-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image4-2-740x408.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Follow the arrow to open Advanced process details<\/figcaption><\/figure><\/div>\n\n\n<p>Open <a href=\"https:\/\/app.any.run\/tasks\/afb4139a-34fb-4079-90ca-e83873e69ef5\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=mutexes_in_malware&amp;utm_term=130624&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">one of the analysis sessions from the resuts<\/a>, and then go to <strong>Advanced process details, <\/strong>as shown above<strong>.<\/strong>\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"562\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image5-1-1024x562.png\" alt=\"\" class=\"wp-image-7969\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image5-1-1024x562.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image5-1-300x165.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image5-1-768x422.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image5-1-1536x844.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image5-1-2048x1125.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image5-1-370x203.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image5-1-270x148.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image5-1-740x406.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Note the DcRatMutex_qwqdanchun mutex<\/figcaption><\/figure><\/div>\n\n\n<p>One way we can identify DCRat is to look at the PBKDF2 salt value using a tool like <a href=\"https:\/\/cyberwarzone.com\/top-25-open-source-cyber-security-tools\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">dnSpy<\/a>, check the decrypted configuration where the mutex contains something like <strong>DCstringRatMutexqwqdan3chun<\/strong>, or analyze the X509Certificate.\u00a0<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nRequest a free trial of <span class=\"highlight\">ANY.RUN TI Lookup<\/span>&nbsp;\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=mutexes_in_malware&#038;utm_term=130624&#038;utm_content=linktotiplans\" rel=\"noopener\" target=\"_blank\">\nInquire now\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">More examples&nbsp;<\/h2>\n\n\n\n<p>We can find mutexes used by Remcos with this query:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-103\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"103\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22SyncObjectName:%5C%22Rmc%5C%22%22,%22dateRange%22:180}\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22SyncObjectName:%5C%22Rmc%5C%22%22,%22dateRange%22:180}\" data-link-text=\"SyncObjectName:&quot;Rmc&quot; \" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline;\">SyncObjectName:&quot;Rmc&quot; <\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-103'>\ntable#wpdtSimpleTable-103{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-103 td, table.wpdtSimpleTable103 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>And here are the results of running that search in the TI Lookup:\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image6-1024x568.png\" alt=\"\" class=\"wp-image-7970\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image6-1024x568.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image6-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image6-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image6-1536x852.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image6-2048x1136.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image6-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image6-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image6-740x410.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Find Remcos mutexes in ANY.RUN TI Lookup<\/figcaption><\/figure><\/div>\n\n\n<p>To find DarkGate mutexes, we can use this query:\u00a0<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-104\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"104\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22SyncObjectName:%5C%22m0yv%5C%22%22,%22dateRange%22:180}\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22SyncObjectName:%5C%22m0yv%5C%22%22,%22dateRange%22:180}\" data-link-text=\"SyncObjectName:&quot;m0yv&quot; \" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline;\">SyncObjectName:&quot;m0yv&quot; <\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-104'>\ntable#wpdtSimpleTable-104{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-104 td, table.wpdtSimpleTable104 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>And the screenshot below shows the search result:\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image7-1024x565.png\" alt=\"\" class=\"wp-image-7971\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image7-1024x565.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image7-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image7-768x424.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image7-1536x848.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image7-2048x1130.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image7-370x204.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image7-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image7-740x408.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Find DarkGate mutexes in ANY.RUN TI Lookup<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">What are mutexes and why should you investigate them?&nbsp;<\/h2>\n\n\n\n<p>Mutexes (short for mutual exclusion objects) are kernel objects that allow only one process or thread at a time to access a shared resource or critical section of code.&nbsp; &nbsp;<\/p>\n\n\n\n<p>Malware often uses custom mutexes to ensure that only a single instance is running and to communicate between components.&nbsp; &nbsp;<\/p>\n\n\n\n<p>Mutexes can tell you how a piece of malware interacts with the system, help you identify the specific threat family, or you can use them as IOCs to detect malware.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=mutexes_in_malware&amp;utm_term=130624&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.\u00a0\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Advantages of ANY.RUN&nbsp;&nbsp;<\/h3>\n\n\n\n<p>ANY.RUN helps you analyze threats faster while improving detection rates. The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible.&nbsp;<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in under 40s.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Interact with samples in real time.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Save time and money on sandbox setup and maintenance&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Record and study all aspects of malware behavior.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Collaborate with your team&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scale as you need.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Try the full power of ANY.RUN for free&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=mutexes_in_malware&amp;utm_term=130624&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial \u2192<\/a>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malware often uses custom mutexes. We&#8217;ve released an update that allows you to search for these mutexes in TI Lookup and add them to your IOCs. &nbsp; What&#8217;s more, the tasks in the search results make it easier to distinguish between malicious and legitimate mutexes, which can significantly speed up your threat investigations.&nbsp; Let&#8217;s explore [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":7976,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[57,10,34],"class_list":["post-7965","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-service-updates","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Search for Malware Mutexes in Threat Intelligence Lookup<\/title>\n<meta name=\"description\" content=\"See how you can use ANY.RUN Threat Intelligence Lookup to search for mutexes in malware and easily identify malicious ones.\u00a0\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Search for Malware Mutexes in ANY.RUN Threat Intelligence Lookup\u00a0\",\"datePublished\":\"2024-06-13T07:27:11+00:00\",\"dateModified\":\"2024-06-13T07:27:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/\"},\"wordCount\":630,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Service Updates\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/\",\"name\":\"Search for Malware Mutexes in Threat Intelligence Lookup\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-06-13T07:27:11+00:00\",\"dateModified\":\"2024-06-13T07:27:12+00:00\",\"description\":\"See how you can use ANY.RUN Threat Intelligence Lookup to search for mutexes in malware and easily identify malicious ones.\u00a0\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Service Updates\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Search for Malware Mutexes in ANY.RUN Threat Intelligence Lookup\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Search for Malware Mutexes in Threat Intelligence Lookup","description":"See how you can use ANY.RUN Threat Intelligence Lookup to search for mutexes in malware and easily identify malicious ones.\u00a0","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/","twitter_misc":{"Written by":"ANY.RUN","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Search for Malware Mutexes in ANY.RUN Threat Intelligence Lookup\u00a0","datePublished":"2024-06-13T07:27:11+00:00","dateModified":"2024-06-13T07:27:12+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/"},"wordCount":630,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Service Updates"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/","url":"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/","name":"Search for Malware Mutexes in Threat Intelligence Lookup","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-06-13T07:27:11+00:00","dateModified":"2024-06-13T07:27:12+00:00","description":"See how you can use ANY.RUN Threat Intelligence Lookup to search for mutexes in malware and easily identify malicious ones.\u00a0","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Service Updates","item":"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/"},{"@type":"ListItem","position":3,"name":"Search for Malware Mutexes in ANY.RUN Threat Intelligence Lookup\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7965"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7965"}],"version-history":[{"count":2,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7965\/revisions"}],"predecessor-version":[{"id":7980,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7965\/revisions\/7980"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7976"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}