Rule Info
Name
Lummac Stealer Activity - Execution Of More.com And Vbc.exe
Author
Joseliyo Sanchez, @Joseliyo_Jstnk
Description
Detects the execution of more.com and vbc.exe in the process tree.
This behavior was observed in a set of samples related to Lummac Stealer.
The Lummac payload is injected into the vbc.exe process.
Date
2024-12-19 00:00:00
Modified
None
Id
19b3806e-46f2-4b4c-9337-e3d8653245ea
Tags
attack.defense-evasion attack.t1055
Type
Community Rule
Rule History
Author
jstnk9
Title
Merge PR #5123 from @jstnk9 - Add new sigma rules related to lummac and RATs behaviors observed ITW
Date
2024-12-19
Commit