Contents
Execution Layer
Suspicious Process Execution from Temp
This rule looks for executions of houselet.exe from the Temp directory, which is highly unusual for legitimate software.
title: houselet.exe Execution from Temp
logsource:
category: process_creation
detection:
selection:
Image|contains: "\AppData\Local\Temp\houselet.exe"
condition: selection
level: high
Suspicious Self-Spawn Behavior
Malware often respawns itself to evade termination. This rule detects houselet.exe spawning itself with explorer.exe as parent.
title: Self-Spawned houselet.exe
logsource:
category: process_creation
detection:
selection:
ParentImage|endswith: "explorer.exe"
Image|endswith: "houselet.exe"
condition: selection
level: high
Persistence Layer
Registry Modification for IE ZoneMap
Houselet modifies Internet Explorer ZoneMap keys to bypass restrictions. This rule flags suspicious registry changes.
title: IE ZoneMap Registry Modification
logsource:
category: registry
detection:
selection:
TargetObject|contains: "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"
condition: selection
level: medium
Registry Modification for Proxy Settings
The malware alters proxy settings to hide traffic. This rule detects changes to proxy-related registry keys.
title: Proxy Registry Modification
logsource:
category: registry
detection:
selection:
TargetObject|contains: "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Proxy"
condition: selection
level: medium
Network Layer
Suspicious HTTP POST to PHP Endpoint
Legitimate installers rarely POST to PHP scripts. This rule detects outbound POST requests to PHP endpoints.
title: HTTP POST to PHP C2
logsource:
category: proxy
detection:
selection:
uri|endswith: ".php"
http.method: "POST"
condition: selection
level: high
Outbound Traffic to Known C2 IP
This rule directly monitors traffic to the known C2 IP 45.155.69.25.
title: Outbound Traffic to 45.155.69.25
logsource:
category: proxy
detection:
selection:
dst_ip: "45.155.69.25"
condition: selection
level: critical
Memory & Crypto Layer
RWX Memory Allocation
Houselet allocates memory with Read/Write/Execute permissions for in-memory payloads. This rule detects RWX allocations.
title: RWX Memory Allocation by Go Binary
logsource:
category: sysmon
detection:
selection:
CallTrace|contains: "VirtualAlloc"
condition: selection
level: high
Use of Cryptographic Functions
The malware uses AES, RC4, and Base64 for obfuscation. This rule detects suspicious crypto API calls.
title: Suspicious Crypto API Usage
logsource:
category: sysmon
detection:
selection:
CallTrace|contains:
- "CryptEncrypt"
- "CryptAcquireContext"
- "BCryptEncrypt"
condition: selection
level: medium
Evasion & Impersonation Layer
Fake Sony Metadata
Houselet pretends to be a Sony installer. This rule detects binaries with Sony metadata but unsigned/self-signed certificates.
title: Fake Sony Metadata
logsource:
category: file
detection:
selection:
file.description|contains: "Sony Interactive Entertainment"
signature.status: "Untrusted"
condition: selection
level: medium
Anti-VM Checks
The malware performs anti-VM checks. This rule detects suspicious registry or process queries typical of VM detection.
title: Anti-VM Behavior
logsource:
category: sysmon
detection:
selection:
Image|contains: "houselet.exe"
CommandLine|contains:
- "VBoxService"
- "vmtoolsd"
- "qemu"
condition: selection
level: medium
Summary
These detection rules cover:
- Execution from Temp and self-spawning behavior
- Registry persistence via IE ZoneMap and proxy keys
- Network beaconing to PHP endpoints and known C2 IP
- Memory allocation with RWX permissions and suspicious crypto usage
- Evasion tactics like fake Sony metadata and anti-VM checks
License
Detection rules are licensed under Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0).
Free to use in your environment, but not for commercial purposes.