buer

Sharing

Copy URL

Twitter E-mail

General

Target

Local Virus Copies.zip
Size

20.7MB
Sample

210104-j848d7tsej
MD5

1a2083f9f4353b3d9d2d8f5a98513f0c
SHA1

220b333dc1620434e104bdf070aef23aa6821569
SHA256

044c16cdbc6ec18f58bfecaacf4d4e21150a19d8d10c694c4a4c3085697499a2
SHA512

7a20d71a1e41f36b91e3c84aa3a3b249f4b4a092e6ab4d8c6c10915c1ba9d1e5dc40fb8d3040156422f85905d47930f2334ee1f2e9e848b5d3d7ae9d3e9c7b0f

Score

10^/10

Malware Config

Extracted

Family

buer

softwareconsbank.com

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

httPs://paste.ee/r/xPuht

ps1.dropper

httPs://paste.ee/r/ju7HN

Extracted

Family

smokeloader

Version

2018

http://perkyplay.com/z/

rc4.i32

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://45.82.79.89:80/update

Targets

- Target
  
  146bcd0d720f43d289c66d3a3cdc77e5e5a3d924174ee1993ac6db2cb0ca8026
- Size
  
  83KB
- MD5
  
  3f28f4aebf8fa5fc27f5e3b72dac993f
- SHA1
  
  9c03a13ec3c2baa597ae1c759baea9d57ace4599
- SHA256
  
  146bcd0d720f43d289c66d3a3cdc77e5e5a3d924174ee1993ac6db2cb0ca8026
- SHA512
  
  13c7007f3918350be0f201ebca153f6967302ac1136ea9cd08b8f6d6b12772c8fc1dab05a1458db059db197fd5b04875e315064b6029dc68d558074a7648b595
Score

10^/10

buer loader
- Buer
  Buer is a new modular loader first seen in August 2019.
  loader buer
- Buer Loader
  Detects Buer loader in memory or disk.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  21c3fb175492561c6527cdefc46fde66ba2bc11ca4b50edf887423654ab8b259
- Size
  
  378KB
- MD5
  
  3343636c7e0ee8afbf6d669806734083
- SHA1
  
  2cd107463eaac613077486d00db5b32230e73c42
- SHA256
  
  21c3fb175492561c6527cdefc46fde66ba2bc11ca4b50edf887423654ab8b259
- SHA512
  
  e25e55d1d0e793988d4046dd2ef6397f6e06636dfbe976fccd9da7eeae572d20732711309d4162316434541f0fe9f56e7897823f9851f8fd6716c769a01e640e
Score

10^/10

smokeloader backdoor trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Blocklisted process makes network request
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  2a800cff4584740ee43108e122f4797c455e5b6097774aeb33ebe666170b4968
- Size
  
  74KB
- MD5
  
  296bd64169afe1f782b343909b3ae036
- SHA1
  
  38fb1501a992c224160b8b87cc04f099a4d6dcbf
- SHA256
  
  2a800cff4584740ee43108e122f4797c455e5b6097774aeb33ebe666170b4968
- SHA512
  
  ab4e21ae798d7ccf9098d5d100287f702dd88c5a5345ee2ac3cc38f8860101ef391c56c00ea338082f8085b5c900aeaee8568d2141dae70add3a6b240c044e7e
Score

7^/10
- Loads dropped DLL
behavioral5 behavioral6
- Target
  
  332d5c33b76318e30c94601d5fcca3dfe49c0a4a7c9f444681785e80d7c882d0
- Size
  
  1.5MB
- MD5
  
  c30cbbdf9269c00eafcdb97ac4356965
- SHA1
  
  42b7c9de3ed89d5d12a6e624ea9cacb351152cb9
- SHA256
  
  332d5c33b76318e30c94601d5fcca3dfe49c0a4a7c9f444681785e80d7c882d0
- SHA512
  
  ee43d34f04ae59327bd6a0ac9d733fd3687ecd390b955bbbc9889caccf13875864c09936146df5b28a2bd38d0b868174672222a1bc7a4c003058fee7c9d067d5
Score

1^/10
behavioral7 behavioral8
- Target
  
  3571d9db0064c7e2ec8d856e9b9bd80f30ea45a3dabd811176c80863a85205bb
- Size
  
  74KB
- MD5
  
  988cecb49afda45d327cf524529bea5d
- SHA1
  
  11f167d96a291b4d25a96be1e1d677b861f90209
- SHA256
  
  3571d9db0064c7e2ec8d856e9b9bd80f30ea45a3dabd811176c80863a85205bb
- SHA512
  
  15302dcca4d39566657298b32fd2c4ec8e950506ed43a415f49433596e10bb58f87edc5882970e1b2710082cb83d8e3479f1128ca0c12d39c8843400a0b788bd
Score

7^/10
- Loads dropped DLL
behavioral9 behavioral10
- Target
  
  42fe5221797668a788756bb9995792ff47ddcb1ec9582a0f325535bcef1fa078
- Size
  
  74KB
- MD5
  
  b50b6584b4de4dad9797f844baf0604f
- SHA1
  
  d5d082a4c6418e5477a985da39bc637370e55db2
- SHA256
  
  42fe5221797668a788756bb9995792ff47ddcb1ec9582a0f325535bcef1fa078
- SHA512
  
  1ca0770258f640477eb94d4c067d06d2ce30b2131e3da25ea26eacd9a5f16f8b517c6ef552a922e0be13f118865d792b6d14c3d0212e502e45b062c451bcefd4
Score

7^/10
- Loads dropped DLL
behavioral11 behavioral12
- Target
  
  4bb0c1eec232aac63365ee4b30b1b567025b020d62fcd2c1e8321f2408b2bfaf
- Size
  
  540KB
- MD5
  
  8373651cc34b4fcab904609c31d8ed52
- SHA1
  
  32372fae82aa6f4ec8969eb3ef29cd24c5f80fc0
- SHA256
  
  4bb0c1eec232aac63365ee4b30b1b567025b020d62fcd2c1e8321f2408b2bfaf
- SHA512
  
  884064fb65160c441f857f9aa07db06d59d17e43986314e33311816b7bc000faa3e3c544492b4de4aab970f0ee97c7473ef18f40fb7d8727ad7b96c5626e4dfa
Score

1^/10
behavioral13 behavioral14
- Target
  
  9d1871a7a1315b8c535fa1b673a427640cb4e75b03f1616cdd677345e82dce26
- Size
  
  34KB
- MD5
  
  cebc712b542291932dc4d7433d7fac8e
- SHA1
  
  28e172c349eab8ba9b2cb82e6eef28791a81f9b7
- SHA256
  
  9d1871a7a1315b8c535fa1b673a427640cb4e75b03f1616cdd677345e82dce26
- SHA512
  
  0bc78877305478956d7b445513b6bfd654a3b2d4ffd5411ae48dc47462686d8d5e7a7e963cc9ca50b25878200469530f4456df337f7a039a26c360e201649c51
Score

3^/10
behavioral15 behavioral16
- Target
  
  a2d4e5d989f091cc30e88e850af43ba620c893946a891217c0322f0ff29c2926
- Size
  
  305KB
- MD5
  
  89d46a8b077666290aaffd472848a1c6
- SHA1
  
  1eeb15c847d40b1d7e4bccda92079b35c7ab84a2
- SHA256
  
  a2d4e5d989f091cc30e88e850af43ba620c893946a891217c0322f0ff29c2926
- SHA512
  
  a456f34ce9678627973de1c7cef724caba1130e8a4b6ff1d7c4310c5ab61e29446ec6d1b06ba1699f5dc9fd872ba99710a41f02619f4c15cf68f867cd2361d62
Score

10^/10
- Blocklisted process makes network request
behavioral17 behavioral18
- Target
  
  aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61
- Size
  
  8.0MB
- MD5
  
  c1507f4fd86ddefc8ac9df58e921f722
- SHA1
  
  ce2fbebce0e12610e74040d5254e816f1653dade
- SHA256
  
  aa7cce2f9f6776129e2c41c48171e597504a5354d34f7503630651a748ebee61
- SHA512
  
  23d609884ed144166d082d2614a0db912092bfb5e0fe4083f7a7c1cdb3339bc179228899271bfb808a7e30ae664b2825272bc6881e8b741749209002126a4b43
Score

8^/10

spyware
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
behavioral19 behavioral20
- Target
  
  b27ee400ddd033d6ee17b294ca0c9077c1ababe60c79ae3c7b0555179689d333
- Size
  
  74KB
- MD5
  
  0a7652393e646c8269c7aa155d8aa610
- SHA1
  
  2e1a02238f7bf8fe1f77b4d581a20a55f74cb2bd
- SHA256
  
  b27ee400ddd033d6ee17b294ca0c9077c1ababe60c79ae3c7b0555179689d333
- SHA512
  
  661c31e8bf7df1b483e2e78aad58b355bdc723def15fa2f1f2a01f434404931a76befcee9770486f5015174f0f03386d4bf7b3f1b0a18ce170088ca43f8ebaa6
Score

7^/10
- Loads dropped DLL
behavioral21 behavioral22
- Target
  
  b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399
- Size
  
  5.1MB
- MD5
  
  70dfd55fa7606447bf866df3fbbcc7b7
- SHA1
  
  a2fb8b024e0b1f4cf1f7bf6124278689fa05fb32
- SHA256
  
  b6559bb03a3a150f020cd435a9d516d1b8b39b6abd34c66da6759e71bc7d9399
- SHA512
  
  34ad6315b1a72b5c2ac773b7397b022798f30c81bd12ffbc4cb779e69877ac66a1e1737a73e4cb613193db5d82f43f2c95e147f4470daf7669c9a5721aa40742
Score

8^/10

discovery
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
behavioral23 behavioral24
- Target
  
  b6c343fd90ce107bd1e0ea2fec6b5d3a33637f0a6daa251256a533e426aa796f
- Size
  
  342KB
- MD5
  
  1a1232730f67b5056e570e0cbb3211d7
- SHA1
  
  8257870bddfeaedbb812d65d73f2c787ab55e585
- SHA256
  
  b6c343fd90ce107bd1e0ea2fec6b5d3a33637f0a6daa251256a533e426aa796f
- SHA512
  
  960522c485bceaac9800b753885c8476ba8f3582bd6ef3a46325b0df87bf875598b1c8c24133dcfc54268f3080e6fd4f1d0a3d87fd2a357f7702ad3091fb450f
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral25 behavioral26
- Target
  
  cfc91db9240c75b636480e7dfaef4daaa754e787d2ecb32f55d74c5a20c9dfd1
- Size
  
  5.9MB
- MD5
  
  1e2a04bf502e8154cc0822dbf5af3376
- SHA1
  
  3b766ebea6a897956b95a6e4d8e0864d6efc8193
- SHA256
  
  cfc91db9240c75b636480e7dfaef4daaa754e787d2ecb32f55d74c5a20c9dfd1
- SHA512
  
  9acd8e9f442a41a4d577e4825e17b2bc28bf13fa9a5e1d94af620641d7dd2ae0374aaffc4a054c109bb0d359ed2ace0dbd474b2bb78486f746cf38bf4ffbbee1
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral27 behavioral28
- Target
  
  e2bbb71fe65dd6ffb22fcb05e99a687711d3d429c22d512a2a49166b69ffe3c6
- Size
  
  74KB
- MD5
  
  f25da5d5a4f9c84562176addb9084762
- SHA1
  
  0e41c868554ae4c0d584acec150dd600046fd912
- SHA256
  
  e2bbb71fe65dd6ffb22fcb05e99a687711d3d429c22d512a2a49166b69ffe3c6
- SHA512
  
  42ae6eae190d45d2e5eef46d9700d552573adb7c62432d9254e4551fa97cc7b0661211e77e5b15a95e3a9578e970a3cdc790362a0cbf02f172d337f8d554c65a
Score

7^/10
- Loads dropped DLL
behavioral29 behavioral30
- Target
  
  fb812a3c965da5044860794686ce9656db3c37be16794ab7c771c32567514fed
- Size
  
  336KB
- MD5
  
  90e9de23f3cfff133ec7b0ad00a259b3
- SHA1
  
  fd5e1d298dfc5e22f3b2efb728fe766034f3d68e
- SHA256
  
  fb812a3c965da5044860794686ce9656db3c37be16794ab7c771c32567514fed
- SHA512
  
  b549a040ebe5ab4db53273e31ae019526813f2a36f4bba7104bffad04ea5ef5bc905f8c075db3ec4541269554f22861ff21edf9b8f1fd18cbbd682366107434e
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Buer Loader

Loads dropped DLL

Suspicious use of SetThreadContext

SmokeLoader

Blocklisted process makes network request

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of SetThreadContext

Loads dropped DLL

Loads dropped DLL

Loads dropped DLL

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks installed software on the system

Drops desktop.ini file(s)

Executes dropped EXE

Loads dropped DLL

Executes dropped EXE

Loads dropped DLL

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32