buer | 0b750c8206c470821e39e5250820a8076dba4d037eb98adee00ea865b97bb8e1

Resubmissions

10-03-2021 13:13

210310-zcbmv5tsq2 10

10-03-2021 12:23

210310-g18h95pxda 10

10-03-2021 11:45

210310-wzjwq2ky3a 10

Analysis

max time kernel
1758s
max time network
1760s
platform
windows10_x64
resource
win10v20201028
submitted
10-03-2021 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

page.icore.exe
Size

152KB
MD5

3b9b37a405585d0625ab124c5a9f0eb6
SHA1

36ca288cbaa7ffd064879a2cf0e148f9419993bf
SHA256

0b750c8206c470821e39e5250820a8076dba4d037eb98adee00ea865b97bb8e1
SHA512

bb9d1ac61c37ba428a6d44911508344680c176b61cc899fb63512a68fa9e99146cb027f06474fdc0c0ed0fd9cd4ae407250c8580effaee684afa0873137475e5

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

hefuaqbanking.com

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 2 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/memory/504-3-0x0000000000030000-0x0000000000038000-memory.dmp	buer
behavioral1/memory/504-4-0x0000000040000000-0x000000004000A000-memory.dmp	buer

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	page.icore.exe
File opened (read-only)	\??\J:	page.icore.exe
File opened (read-only)	\??\L:	page.icore.exe
File opened (read-only)	\??\O:	page.icore.exe
File opened (read-only)	\??\P:	page.icore.exe
File opened (read-only)	\??\R:	page.icore.exe
File opened (read-only)	\??\B:	page.icore.exe
File opened (read-only)	\??\F:	page.icore.exe
File opened (read-only)	\??\X:	page.icore.exe
File opened (read-only)	\??\M:	page.icore.exe
File opened (read-only)	\??\T:	page.icore.exe
File opened (read-only)	\??\W:	page.icore.exe
File opened (read-only)	\??\A:	page.icore.exe
File opened (read-only)	\??\K:	page.icore.exe
File opened (read-only)	\??\Q:	page.icore.exe
File opened (read-only)	\??\S:	page.icore.exe
File opened (read-only)	\??\V:	page.icore.exe
File opened (read-only)	\??\G:	page.icore.exe
File opened (read-only)	\??\N:	page.icore.exe
File opened (read-only)	\??\U:	page.icore.exe
File opened (read-only)	\??\Y:	page.icore.exe
File opened (read-only)	\??\Z:	page.icore.exe
File opened (read-only)	\??\E:	page.icore.exe
File opened (read-only)	\??\I:	page.icore.exe

C:\Users\Admin\AppData\Local\Temp\page.icore.exe
"C:\Users\Admin\AppData\Local\Temp\page.icore.exe"
1⤵
- Enumerates connected drives
PID:504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/504-2-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/504-3-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/504-4-0x0000000040000000-0x000000004000A000-memory.dmp

Filesize
40KB

Download