Lummac Stealer Activity - Execution Of More.com And Vbc.exe
Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.
Sigma rule (View on GitHub)
1title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
2id: 19b3806e-46f2-4b4c-9337-e3d8653245ea
3status: experimental
4description: |
5 Detects the execution of more.com and vbc.exe in the process tree.
6 This behavior was observed by a set of samples related to Lummac Stealer.
7 The Lummac payload is injected into the vbc.exe process.
8references:
9 - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
10 - https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef
11 - https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html
12 - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
13author: Joseliyo Sanchez, @Joseliyo_Jstnk
14date: 2024-12-19
15tags:
16 - attack.defense-evasion
17 - attack.t1055
18 - detection.emerging-threats
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 # VT Query: behaviour_processes:"C:\\Windows\\SysWOW64\\more.com" behaviour_processes:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
24 selection_parent:
25 ParentImage|endswith: '\more.com'
26 selection_child:
27 - Image|endswith: '\vbc.exe'
28 - OriginalFileName: 'vbc.exe'
29 condition: all of selection_*
30falsepositives:
31 - Unknown
32level: high
yaml
References
Related rules
- Injected Browser Process Spawning Rundll32 - GuLoader Activity
- APT PRIVATELOG Image Load Pattern
- Malware Shellcode in Verclsid Target Process
- Potential Dridex Activity
- DLL Names Used By SVR For GraphicalProton Backdoor