Merge PR #5123 from @jstnk9 - Add new sigma rules related to lummac a…

…nd RATs behaviors observed ITW new: Lummac Stealer Activity - Execution Of More.com And Vbc.exe new : File Creation Related To RAT Clients --------- Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
SigmaHQ · Dec 19, 2024 · a9423d6 · a9423d6
1 parent 0cb8e32
commit a9423d6
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 0 deletions.
diff --git a/...reats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml b/...reats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml
@@ -0,0 +1,34 @@
+title: File Creation Related To RAT Clients
+id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d
+status: experimental
+description: |
+    File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
+references:
+    - https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
+    - https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2024-12-19
+tags:
+    - attack.execution
+logsource:
+    category: file_event
+    product: windows
+detection:
+    # VT Query: behaviour_files:"\\AppData\\Roaming\\DataLogs\\DataLogs.conf"
+    # VT Query: behaviour_files:"DataLogs.conf" or behaviour_files:"hvnc.conf" or behaviour_files:"dcrat.conf"
+    selection_required:
+        TargetFilename|contains: '\AppData\Roaming\'
+    selection_variants:
+        TargetFilename|contains:
+            - '\mydata\'
+            - '\datalogs\'
+            - '\hvnc\'
+            - '\dcrat\'
+        TargetFilename|endswith:
+            - '\datalogs.conf'
+            - '\hvnc.conf'
+            - '\dcrat.conf'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate software creating a file with the same name
+level: high
diff --git a/...merging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml b/...merging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml
@@ -0,0 +1,31 @@
+title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
+id: 19b3806e-46f2-4b4c-9337-e3d8653245ea
+status: experimental
+description: |
+    Detects the execution of more.com and vbc.exe in the process tree.
+    This behavior was observed by a set of samples related to Lummac Stealer.
+    The Lummac payload is injected into the vbc.exe process.
+references:
+    - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
+    - https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef
+    - https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html
+    - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
+author: Joseliyo Sanchez, @Joseliyo_Jstnk
+date: 2024-12-19
+tags:
+    - attack.defense-evasion
+    - attack.t1055
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    # VT Query: behaviour_processes:"C:\\Windows\\SysWOW64\\more.com" behaviour_processes:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
+    selection_parent:
+        ParentImage|endswith: '\more.com'
+    selection_child:
+        - Image|endswith: '\vbc.exe'
+        - OriginalFileName: 'vbc.exe'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high