buer | dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597

General

Target

dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe
Size

356KB
MD5

0ada5f2eec1893ee695758b75ebe351b
SHA1

554bc863b128b83ca14f20e6b08028d8a12795a0
SHA256

dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597
SHA512

0aed5d83d07d651f62527aff20438090f143f86b98d053ad2af7a14b7166980078e8383910a4e38fabb8fa0bb60fcc23e56dbc7a5750be0b5827c1fa2bed780b

Score

10^/10

buer loader

Family

buer

C2

https://kackdelar.top/

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/memory/1640-5-0x0000000040000000-0x000000004000C000-memory.dmp	buer
behavioral1/memory/1640-6-0x0000000040002E38-mapping.dmp	buer
behavioral1/memory/1640-7-0x0000000040000000-0x000000004000C000-memory.dmp	buer

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1588 set thread context of 1640	1588	dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe	28

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1588	dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1640	1588	dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe	28
PID 1588 wrote to memory of 1640	1588	dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe	28
PID 1588 wrote to memory of 1640	1588	dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe	28
PID 1588 wrote to memory of 1640	1588	dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe	28
PID 1588 wrote to memory of 1640	1588	dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe	28
PID 1588 wrote to memory of 1640	1588	dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe	28
PID 1588 wrote to memory of 1640	1588	dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe	28
PID 1588 wrote to memory of 1640	1588	dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe	28

C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe
"C:\Users\Admin\AppData\Local\Temp\dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1640

memory/1588-0-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/1588-1-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1588-3-0x0000000000960000-0x0000000000971000-memory.dmp

Filesize
68KB

Download
memory/1640-5-0x0000000040000000-0x000000004000C000-memory.dmp

Filesize
48KB

Download
memory/1640-7-0x0000000040000000-0x000000004000C000-memory.dmp

Filesize
48KB

Download