General

  • Target

    Private doc.docm

  • Size

    3.4MB

  • Sample

    210407-xh8k1hylqx

  • MD5

    00865fba20ef7d34ed136b9533401755

  • SHA1

    49d83871e2fdf8ca5f05c7eb67a580943cb930ed

  • SHA256

    c036d1c05516a8df5ea47b37cf51676e02f06ddc69532b600e3a9e1e50da3de2

  • SHA512

    7c3507805b52164df804c3bd43520467773bb53a930de0a2ad8275a8747a3a11f4330e955b7b7f7b972a80ef0279cae3a77d4f71ab11adb3eac31c34f9bece80

Score
10/10

Malware Config

Extracted

Family

rustybuer

C2

https://bankdocuments-api.com/

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RustyBuer

      RustyBuer is a new variant of the Buer loader, rewritten in Rust.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6