Lummac Stealer Activity - Execution Of More.com And Vbc.exe

calendar Dec 19, 2024 · attack.defense-evasion attack.t1055  ·
Share on: linkedin copy

Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.

Sigma rule (View on GitHub)

 1title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
 2id: 19b3806e-46f2-4b4c-9337-e3d8653245ea
 3status: experimental
 4description: |
 5    Detects the execution of more.com and vbc.exe in the process tree.
 6    This behavior was observed by a set of samples related to Lummac Stealer.
 7    The Lummac payload is injected into the vbc.exe process.    
 8references:
 9    - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
10    - https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef
11    - https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html
12    - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
13author: Joseliyo Sanchez, @Joseliyo_Jstnk
14date: 2024-12-19
15tags:
16    - attack.defense-evasion
17    - attack.t1055
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    # VT Query: behaviour_processes:"C:\\Windows\\SysWOW64\\more.com" behaviour_processes:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
23    selection_parent:
24        ParentImage|endswith: '\more.com'
25    selection_child:
26        - Image|endswith: '\vbc.exe'
27        - OriginalFileName: 'vbc.exe'
28    condition: all of selection_*
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top