Lummac Stealer Activity - Execution Of More.com And Vbc.exe

    Date: 12/20/2024

    Severity: High 

    Summary

    Detects vbc.exe being started with more.com as its parent process, a parent/child chain observed in samples associated with Lummac Stealer. The Lummac payload is injected into the vbc.exe process.

    Indicators of Compromise (IOC) List

    ParentImage : '\more.com'

    Image : '\vbc.exe'

    OriginalFileName : 'vbc.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query : 

    (resourcename = "Windows Security"  AND eventtype = "4688"  ) AND parentprocessname like "\more.com"  AND processname like "\vbc.exe"

    Detection Query : 

    (technologygroup = "EDR"  ) AND parentprocessname like "\more.com"  AND processname like "\vbc.exe"
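    The two queries above express the same parent/child test in Gurucul's query language. The following Python, added here as an illustration and not code from Gurucul or SigmaHQ, applies that test to a few constructed process-creation records so the matching behaviour can be checked offline. Suffix matching is case-insensitive, mirroring the `like` clauses and the Sigma `endswith` modifier; as an addition that goes beyond the page's queries, the child process is also matched on its PE OriginalFileName, so a copy of vbc.exe launched under another filename still triggers. The sample records and the paths in them are constructed, not real telemetry.

```python
"""Added example (not Gurucul's or SigmaHQ's code): apply the
more.com -> vbc.exe parent/child rule from this page to a handful of
constructed process-creation records."""
from typing import Dict, Iterable, List

# Indicators taken from the page. Matching is case-insensitive and
# suffix-based, mirroring the Sigma 'endswith' modifier and the 'like'
# clauses in the TDIR queries.
PARENT_SUFFIX = "\\more.com"
IMAGE_SUFFIX = "\\vbc.exe"
ORIGINAL_FILE_NAME = "vbc.exe"
PROCESS_CREATION_EVENT_ID = 4688


def _ends_with(value: str, suffix: str) -> bool:
    """Case-insensitive suffix test; Windows paths are not case-sensitive."""
    return value.lower().endswith(suffix.lower())


def is_lummac_more_vbc(event: Dict[str, object]) -> bool:
    """Return True when a process-creation event matches the rule.

    The child is matched on either its on-disk path or its PE
    OriginalFileName, so a copy of vbc.exe launched under another name
    still triggers. That OR is an assumption added in this example; the
    page's own queries match on the process name only.
    """
    if event.get("EventID") != PROCESS_CREATION_EVENT_ID:
        return False
    parent = str(event.get("ParentImage", ""))
    image = str(event.get("Image", ""))
    original = str(event.get("OriginalFileName", ""))
    if not _ends_with(parent, PARENT_SUFFIX):
        return False
    return _ends_with(image, IMAGE_SUFFIX) or original.lower() == ORIGINAL_FILE_NAME


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return every event in the stream that satisfies the rule."""
    return [e for e in events if is_lummac_more_vbc(e)]


# Constructed sample records (not real telemetry), shaped like the
# Windows Security 4688 / Sysmon process-creation fields the rule uses.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4688,                      # textbook match
     "ParentImage": r"C:\Windows\System32\more.com",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "OriginalFileName": "vbc.exe"},
    {"EventID": 4688,                      # vbc.exe under a build tool: no alert
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "OriginalFileName": "vbc.exe"},
    {"EventID": 4688,                      # more.com spawning something else
     "ParentImage": r"C:\Windows\System32\more.com",
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    {"EventID": 4688,                      # renamed copy, caught by OriginalFileName
     "ParentImage": r"C:\Windows\System32\MORE.COM",
     "Image": r"C:\Users\Public\build.exe",
     "OriginalFileName": "vbc.exe"},
    {"EventID": 4624,                      # logon event, not a process creation
     "ParentImage": r"C:\Windows\System32\more.com",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "OriginalFileName": "vbc.exe"},
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT more.com -> vbc.exe:", hit["ParentImage"], "->", hit["Image"])
```

Running the block prints two alerts: the textbook chain and the renamed copy. The MSBuild-spawned vbc.exe, the unrelated more.com child and the non-4688 record are left alone, which is the behaviour to confirm before deploying a rule that keys on a legitimate compiler binary.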

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml


    Tags

    Malware, Sigma, Lummac
