buer | d333192a262ceaec75b68c0e6082cf868eb77a0e81010f590451814770b6ce31

Target

zrmbk.exe
Size

97KB
MD5

9168378e6849f1547829afc3f0357f6a
SHA1

097d64d174b8243434f026f2fd24e536cc3686bc
SHA256

d333192a262ceaec75b68c0e6082cf868eb77a0e81010f590451814770b6ce31
SHA512

4c69f85af810334506dd1b8d2e409e30ce8c8471073b56bece6312dcda109705720c41255d49e1d7976b847f4ca586113208fdec805aac2398fc890fc230754b

Score

10^/10

buer raccoon fbb3ff62285b6085836cfe3d032d817936c927a9 loader stealer

Malware Config

Extracted

Family

buer

officewestunionbank.com

bankcreditsign.com

Extracted

Family

raccoon

Botnet

fbb3ff62285b6085836cfe3d032d817936c927a9

Attributes

url4cnc
https://telete.in/jvadikkamushkin

rc4.plain

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Buer Loader 2 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral2/memory/3812-3-0x0000000000030000-0x0000000000037000-memory.dmp	buer
behavioral2/memory/3812-4-0x0000000040000000-0x0000000040009000-memory.dmp	buer

Loads dropped DLL 1 IoCs

pid	Process
1940	svchost.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	zrmbk.exe
File opened (read-only)	\??\H:	zrmbk.exe
File opened (read-only)	\??\I:	zrmbk.exe
File opened (read-only)	\??\M:	zrmbk.exe
File opened (read-only)	\??\N:	zrmbk.exe
File opened (read-only)	\??\Q:	zrmbk.exe
File opened (read-only)	\??\W:	zrmbk.exe
File opened (read-only)	\??\F:	zrmbk.exe
File opened (read-only)	\??\Z:	zrmbk.exe
File opened (read-only)	\??\Y:	zrmbk.exe
File opened (read-only)	\??\O:	zrmbk.exe
File opened (read-only)	\??\T:	zrmbk.exe
File opened (read-only)	\??\V:	zrmbk.exe
File opened (read-only)	\??\X:	zrmbk.exe
File opened (read-only)	\??\E:	zrmbk.exe
File opened (read-only)	\??\U:	zrmbk.exe
File opened (read-only)	\??\A:	zrmbk.exe
File opened (read-only)	\??\J:	zrmbk.exe
File opened (read-only)	\??\K:	zrmbk.exe
File opened (read-only)	\??\L:	zrmbk.exe
File opened (read-only)	\??\P:	zrmbk.exe
File opened (read-only)	\??\R:	zrmbk.exe
File opened (read-only)	\??\S:	zrmbk.exe
File opened (read-only)	\??\B:	zrmbk.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3812 set thread context of 1940	3812	zrmbk.exe	78
PID 3812 set thread context of 3592	3812	zrmbk.exe	81
PID 3812 set thread context of 3916	3812	zrmbk.exe	82
PID 3812 set thread context of 2244	3812	zrmbk.exe	83
PID 3812 set thread context of 3972	3812	zrmbk.exe	84
PID 3812 set thread context of 3732	3812	zrmbk.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1572	1940	WerFault.exe	78
804	3732	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1572	WerFault.exe
Token: SeBackupPrivilege	1572	WerFault.exe
Token: SeDebugPrivilege	1572	WerFault.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 1940	3812	zrmbk.exe	78
PID 3812 wrote to memory of 1940	3812	zrmbk.exe	78
PID 3812 wrote to memory of 1940	3812	zrmbk.exe	78
PID 3812 wrote to memory of 1940	3812	zrmbk.exe	78
PID 3812 wrote to memory of 1940	3812	zrmbk.exe	78
PID 3812 wrote to memory of 1940	3812	zrmbk.exe	78
PID 3812 wrote to memory of 1940	3812	zrmbk.exe	78
PID 3812 wrote to memory of 1940	3812	zrmbk.exe	78
PID 3812 wrote to memory of 1940	3812	zrmbk.exe	78
PID 3812 wrote to memory of 3592	3812	zrmbk.exe	81
PID 3812 wrote to memory of 3592	3812	zrmbk.exe	81
PID 3812 wrote to memory of 3592	3812	zrmbk.exe	81
PID 3812 wrote to memory of 3592	3812	zrmbk.exe	81
PID 3812 wrote to memory of 3592	3812	zrmbk.exe	81
PID 3812 wrote to memory of 3592	3812	zrmbk.exe	81
PID 3812 wrote to memory of 3592	3812	zrmbk.exe	81
PID 3812 wrote to memory of 3592	3812	zrmbk.exe	81
PID 3812 wrote to memory of 3592	3812	zrmbk.exe	81
PID 3812 wrote to memory of 3916	3812	zrmbk.exe	82
PID 3812 wrote to memory of 3916	3812	zrmbk.exe	82
PID 3812 wrote to memory of 3916	3812	zrmbk.exe	82
PID 3812 wrote to memory of 3916	3812	zrmbk.exe	82
PID 3812 wrote to memory of 3916	3812	zrmbk.exe	82
PID 3812 wrote to memory of 3916	3812	zrmbk.exe	82
PID 3812 wrote to memory of 3916	3812	zrmbk.exe	82
PID 3812 wrote to memory of 3916	3812	zrmbk.exe	82
PID 3812 wrote to memory of 3916	3812	zrmbk.exe	82
PID 3812 wrote to memory of 2244	3812	zrmbk.exe	83
PID 3812 wrote to memory of 2244	3812	zrmbk.exe	83
PID 3812 wrote to memory of 2244	3812	zrmbk.exe	83
PID 3812 wrote to memory of 2244	3812	zrmbk.exe	83
PID 3812 wrote to memory of 2244	3812	zrmbk.exe	83
PID 3812 wrote to memory of 2244	3812	zrmbk.exe	83
PID 3812 wrote to memory of 2244	3812	zrmbk.exe	83
PID 3812 wrote to memory of 2244	3812	zrmbk.exe	83
PID 3812 wrote to memory of 2244	3812	zrmbk.exe	83
PID 3812 wrote to memory of 3972	3812	zrmbk.exe	84
PID 3812 wrote to memory of 3972	3812	zrmbk.exe	84
PID 3812 wrote to memory of 3972	3812	zrmbk.exe	84
PID 3812 wrote to memory of 3972	3812	zrmbk.exe	84
PID 3812 wrote to memory of 3972	3812	zrmbk.exe	84
PID 3812 wrote to memory of 3972	3812	zrmbk.exe	84
PID 3812 wrote to memory of 3972	3812	zrmbk.exe	84
PID 3812 wrote to memory of 3972	3812	zrmbk.exe	84
PID 3812 wrote to memory of 3972	3812	zrmbk.exe	84
PID 3812 wrote to memory of 3732	3812	zrmbk.exe	85
PID 3812 wrote to memory of 3732	3812	zrmbk.exe	85
PID 3812 wrote to memory of 3732	3812	zrmbk.exe	85
PID 3812 wrote to memory of 3732	3812	zrmbk.exe	85

C:\Users\Admin\AppData\Local\Temp\zrmbk.exe
"C:\Users\Admin\AppData\Local\Temp\zrmbk.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - Loads dropped DLL
  PID:1940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1520
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3592
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3916
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2244
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3972
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 92
    3⤵
    - Program crash
    PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-23-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/1572-9-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1940-5-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1940-7-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2244-18-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3592-12-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3812-4-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download
memory/3812-2-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3812-3-0x0000000000030000-0x0000000000037000-memory.dmp

Filesize
28KB

Download
memory/3916-15-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3972-21-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download