HH.exe LOLBA executing .chm files

Detects the execution of hh.exe (the Windows HTML Help executable) on a .chm file, followed by a child cmd.exe or PowerShell process that would download or execute a second-stage payload. This is based on malspam activity delivering Remote Access Trojans via initial .chm payloads.

Sigma rule

title: HH.exe LOLBA executing .chm files
description: Detecting the execution of hh.exe and the follow up activity for downloading or executing
  second stage payloads. This is based on malspam activity delivering Remote Access Trojans via initial .chm
  payloads.
status: experimental
references:
  - https://www.virustotal.com/gui/file/f0c20d4ea2e2cc1d3c9df58b1a4854f9e3b761b7cd0c26860559289c74a8d50f/behavior/C2AE
  - https://tria.ge/220520-cbrbasebb7/behavioral2
  - https://www.socinvestigation.com/threat-actors-abuse-microsofts-html-help-file-to-deliver-malware/
author: '@Kostastsale'
date: 2022/05/24
logsource:
    category: process_creation
    product: windows
detection:
    # Parent is hh.exe launched on a .chm file
    selection1:
        ParentImage|endswith:
          - '\hh.exe'
        ParentCommandLine|endswith:
          - '.chm'
    # Child is cmd.exe running a one-shot command
    selection2:
        Image|endswith:
          - '\cmd.exe'
        CommandLine|contains:
          - ' /c '
    # Child is Windows PowerShell or PowerShell Core
    selection3:
        Image|endswith:
          - '\pwsh.exe'
          - '\powershell.exe'
    condition: selection1 and (selection2 or selection3)
falsepositives:
    - Unknown
level: high
tags:
    # Sigma tags are lowercase tactic names and technique ids (T1218.001: Compiled HTML File)
    - attack.defense_evasion
    - attack.t1218.001
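To show what the condition above actually matches, here is an added Python evaluator (not part of the original rule page or of the Sigma project) that implements the three selections and the `selection1 and (selection2 or selection3)` condition, then runs them over constructed process-creation events. The field names mirror the rule (`Image`, `CommandLine`, `ParentImage`, `ParentCommandLine`); the events, paths and command lines are made up for illustration and are not real telemetry.

```python
"""Added example: evaluate the hh.exe/.chm Sigma logic over constructed
process-creation events. Field names follow the rule; events are made up."""

from typing import Dict, List

Event = Dict[str, str]


def _endswith_any(value: str, suffixes: List[str]) -> bool:
    # Sigma string modifiers are case-insensitive by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles: List[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection1(ev: Event) -> bool:
    """Parent is hh.exe and its command line ends with a .chm path."""
    return (_endswith_any(ev.get("ParentImage", ""), ["\\hh.exe"])
            and _endswith_any(ev.get("ParentCommandLine", ""), [".chm"]))


def selection2(ev: Event) -> bool:
    """Child is cmd.exe invoked with /c."""
    return (_endswith_any(ev.get("Image", ""), ["\\cmd.exe"])
            and _contains_any(ev.get("CommandLine", ""), [" /c "]))


def selection3(ev: Event) -> bool:
    """Child is Windows PowerShell or PowerShell Core."""
    return _endswith_any(ev.get("Image", ""), ["\\pwsh.exe", "\\powershell.exe"])


def matches(ev: Event) -> bool:
    """condition: selection1 and (selection2 or selection3)"""
    return selection1(ev) and (selection2(ev) or selection3(ev))


# Constructed sample events (hypothetical; not captured from a real host).
SAMPLE_EVENTS: List[Event] = [
    {   # hh.exe opened a .chm and spawned cmd.exe /c -> expected to match
        "ParentImage": r"C:\Windows\hh.exe",
        "ParentCommandLine": r'"C:\Windows\hh.exe" C:\Users\user\Downloads\invoice.chm',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo constructed > %TEMP%\x.txt",
    },
    {   # hh.exe opened a .chm and spawned powershell.exe -> expected to match
        "ParentImage": r"C:\Windows\hh.exe",
        "ParentCommandLine": r'"C:\Windows\hh.exe" C:\Users\user\Downloads\invoice.chm',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -c Get-Date",
    },
    {   # hh.exe opened a .chm but the child is notepad -> no match
        "ParentImage": r"C:\Windows\hh.exe",
        "ParentCommandLine": r'"C:\Windows\hh.exe" C:\Users\user\Downloads\manual.chm',
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe readme.txt",
    },
    {   # cmd.exe /c from explorer.exe, not from hh.exe -> no match
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir",
    },
    {   # hh.exe started without a .chm argument, spawns cmd /c -> no match
        "ParentImage": r"C:\Windows\hh.exe",
        "ParentCommandLine": r'"C:\Windows\hh.exe"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c ver",
    },
]


def run_rule(events: List[Event]) -> List[int]:
    """Return the indexes of the events that satisfy the rule condition."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev['ParentImage']} -> {ev['Image']}")
```

Running the script alerts on the first two events only. One tuning point the evaluator makes visible: `ParentCommandLine|endswith: '.chm'` requires the .chm path to be the last thing on the parent command line, so an invocation where the path is wrapped in quotes (ending in `.chm"`) would not satisfy selection1; if your telemetry quotes arguments, a `|contains: '.chm'` modifier on the parent command line covers both forms at the cost of slightly broader matching.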
