HH.exe LOLBA executing .chm files
Detects hh.exe (the Microsoft HTML Help executable) opening a .chm file and then spawning cmd.exe with /c, or PowerShell (powershell.exe or pwsh.exe), which is the typical follow-up activity for downloading or executing a second-stage payload. The rule is based on malspam campaigns that delivered Remote Access Trojans via an initial .chm attachment. Note that the ParentCommandLine|endswith '.chm' match assumes the .chm path is the last, unquoted argument; if the path is quoted, the command line ends in a double quote and this selection does not fire.
Sigma rule (View on GitHub)
title: HH.exe LOLBA executing .chm files
id: 4dd98986-86b3-44d3-9618-c58e86b5674d
description: Detecting the execution of hh.exe and the follow-up activity for downloading or executing
  second-stage payloads. This is based on malspam activity delivering Remote Access Trojans via initial .chm
  payloads.
status: experimental
references:
  - https://www.virustotal.com/gui/file/f0c20d4ea2e2cc1d3c9df58b1a4854f9e3b761b7cd0c26860559289c74a8d50f/behavior/C2AE
  - https://tria.ge/220520-cbrbasebb7/behavioral2
  - https://www.socinvestigation.com/threat-actors-abuse-microsofts-html-help-file-to-deliver-malware/
author: '@Kostastsale'
date: 2022/05/24
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\hh.exe'
    ParentCommandLine|endswith:
      - '.chm'
  selection2:
    Image|endswith:
      - '\cmd.exe'
    CommandLine|contains:
      - ' /c '
  selection3:
    Image|endswith:
      - '\pwsh.exe'
      - '\powershell.exe'
  condition: selection1 and (selection2 or selection3)
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1218.001
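The following is an added example, not part of the rule or of the SigmaHQ project: it reimplements the rule's three selections and condition in plain Python (case-insensitive, as Sigma string modifiers are by default) and runs them over a handful of constructed process_creation events. The events, paths and command lines are invented for illustration. Event 2 shows the quoting caveat: the .chm path is the last argument but quoted, so the parent command line ends in a double quote and the endswith match fails. The extra selection1_relaxed function is a hypothetical variant using a contains match instead, to show the trade-off; it is not part of the published rule.

```python
"""Evaluate the HH.exe .chm Sigma rule logic over constructed process_creation events."""
from typing import Dict, List

# Constructed sample events (not real telemetry). Only the fields the rule uses are populated.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: hh.exe opened invoice.chm and spawned cmd.exe /c -> selection1 + selection2
        "ParentImage": r"C:\Windows\hh.exe",
        "ParentCommandLine": r"C:\Windows\hh.exe C:\Users\victim\Downloads\invoice.chm",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo stage2",
    },
    {   # 1: hh.exe opened a .chm and spawned PowerShell directly -> selection1 + selection3
        "ParentImage": r"C:\Windows\hh.exe",
        "ParentCommandLine": r"C:\Windows\hh.exe C:\Users\victim\Downloads\report.chm",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -c echo stage2",
    },
    {   # 2: same behaviour, but the .chm path is quoted; the parent command line ends in '"'
        "ParentImage": r"C:\Windows\hh.exe",
        "ParentCommandLine": r'"C:\Windows\hh.exe" "C:\Users\victim\Downloads\invoice.chm"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo stage2",
    },
    {   # 3: benign: explorer.exe launching cmd.exe /c, no hh.exe parent
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir",
    },
    {   # 4: hh.exe opened a .chm but only spawned notepad.exe; no cmd/PowerShell child
        "ParentImage": r"C:\Windows\hh.exe",
        "ParentCommandLine": r"C:\Windows\hh.exe C:\Users\victim\Downloads\manual.chm",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe readme.txt",
    },
]


def ends_with_any(value: str, suffixes: List[str]) -> bool:
    """Sigma |endswith with a list: true if the value ends with any suffix (case-insensitive)."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_any(value: str, needles: List[str]) -> bool:
    """Sigma |contains with a list: true if any needle occurs in the value (case-insensitive)."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection1(e: Dict[str, str]) -> bool:
    """Parent is hh.exe and the parent command line ends with .chm (as in the rule)."""
    return ends_with_any(e.get("ParentImage", ""), ["\\hh.exe"]) and \
        ends_with_any(e.get("ParentCommandLine", ""), [".chm"])


def selection1_relaxed(e: Dict[str, str]) -> bool:
    """Hypothetical variant: contains '.chm' instead of endswith, so quoted paths also match."""
    return ends_with_any(e.get("ParentImage", ""), ["\\hh.exe"]) and \
        contains_any(e.get("ParentCommandLine", ""), [".chm"])


def selection2(e: Dict[str, str]) -> bool:
    """Child is cmd.exe invoked with /c."""
    return ends_with_any(e.get("Image", ""), ["\\cmd.exe"]) and \
        contains_any(e.get("CommandLine", ""), [" /c "])


def selection3(e: Dict[str, str]) -> bool:
    """Child is PowerShell (Windows PowerShell or PowerShell 7)."""
    return ends_with_any(e.get("Image", ""), ["\\pwsh.exe", "\\powershell.exe"])


def matches(e: Dict[str, str], relaxed: bool = False) -> bool:
    """condition: selection1 and (selection2 or selection3)."""
    s1 = selection1_relaxed(e) if relaxed else selection1(e)
    return s1 and (selection2(e) or selection3(e))


def run(events: List[Dict[str, str]], relaxed: bool = False) -> List[int]:
    """Return the indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e, relaxed)]


if __name__ == "__main__":
    print("rule as written :", run(SAMPLE_EVENTS))          # quoted .chm path (event 2) is missed
    print("contains variant:", run(SAMPLE_EVENTS, True))    # event 2 is now caught
```

The relaxed variant closes the quoting gap but also matches any hh.exe command line that merely mentions .chm somewhere (for example an ms-its:/mk:@MSITStore: URL pointing into a .chm); since the condition still requires a cmd.exe /c or PowerShell child, that broadening is usually acceptable, but it should be validated against your own baseline before deployment.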