# capa rule: flag a function that reads the current account name and compares it
# against usernames known to be used by sandboxes / analysis VMs.
#
# Matching is gated on the GetUserName API being present in the SAME function
# (the outer `and`): several of the name fragments below (Miller, Johnson, Emily,
# Timmy, CurrentUser) are common words and would be far too noisy on their own.
rule:
  meta:
    name: check for sandbox username
    namespace: anti-analysis/anti-vm/vm-detection
    author: "@_re_fox"
    scope: function
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    examples:
      - ccbf7cba35bab56563c0fbe4237fdc41:0x402B90
    references:
      # Windows Sandbox detection techniques; relevant to the WDAGUtilityAccount entry.
      - https://github.com/LloydLabs/wsb-detect
  features:
    - and:
      # The malware has to actually fetch the account name; the string list alone
      # is not a match.
      - api: GetUserName
      - or:
        # Regexes are /.../i (case-insensitive) and unanchored unless written with
        # ^, so e.g. /SANDBOX/i also hits "mysandboxuser". Descriptions name the
        # malware family each value was lifted from.
        - string: /MALTEST/i
          description: Betabot Username Check
        - string: /TEQUILABOOMBOOM/i
          description: VirusTotal Sandbox
        - string: /SANDBOX/i
          description: Gookit Username Check
        # Anchored: only a name *starting* with VIRUS, per the original sample.
        - string: /^VIRUS/i
          description: Satan Username Check
        - string: /MALWARE/i
          description: Betabot Username Check
        - string: /SAND\sBOX/i
          description: Betabot Username Check
        - string: /Test\sUser/i
          description: Betabot Username Check
        # NOTE(review): "CurrentUser" is a very common substring in benign code
        # (registry/.NET store locations); it is only tolerable because of the
        # GetUserName gate above. Watch this one if the rule starts false-positiving.
        - string: /CurrentUser/i
          description: Gookit Username Check
        - string: /7SILVIA/i
          description: Gookit Username Check
        - string: /FORTINET/i
          description: Shifu Username Check
        - string: /John\sDoe/i
          description: Emotet Username Check
        # NOTE(review): the Trickbot downloader list mixes account names with what
        # look like hostnames (HANSPETER-PC, JOHN-PC, MUELLER-PC, IT-ADMIN,
        # WIN7-TRAPS). A sample that checks those via GetComputerName instead of
        # GetUserName will NOT match this rule -- confirm a sibling hostname rule
        # covers them.
        - string: /Emily/i
          description: Trickbot Downloader Username Check
        - string: /HANSPETER\-PC/i
          description: Trickbot Downloader Username Check
        - string: /HAPUBWS/i
          description: Trickbot Downloader Username Check
        - string: /Hong\sLee/i
          description: Trickbot Downloader Username Check
        - string: /IT\-ADMIN/i
          description: Trickbot Downloader Username Check
        - string: /JOHN\-PC/i
          description: Trickbot Downloader Username Check
        - string: /Johnson/i
          description: Trickbot Downloader Username Check
        - string: /Miller/i
          description: Trickbot Downloader Username Check
        - string: /MUELLER\-PC/i
          description: Trickbot Downloader Username Check
        - string: /Peter\sWilson/i
          description: Trickbot Downloader Username Check
        - string: /SystemIT/i
          description: Trickbot Downloader Username Check
        - string: /Timmy/i
          description: Trickbot Downloader Username Check
        - string: /WIN7\-TRAPS/i
          description: Trickbot Downloader Username Check
        # Default account inside Windows Defender Application Guard / Windows
        # Sandbox containers (see the wsb-detect reference).
        - string: /WDAGUtilityAccount/i
          description: Windows Defender Application Guard