Resubmissions
27-06-2021 17:12  210627-33jllvhsl2  10

Analysis
max time kernel: 630s
max time network: 677s
platform: windows7_x64
resource: win7v20210410
submitted: 27-06-2021 17:12

Static task: static1
Behavioral task: behavioral1
Sample: SignerLib.exe
Resource: win7v20210410 (windows7_x64)
0 signatures
0 seconds
General
Target: SignerLib.exe
Size: 6.8MB
MD5: 796b3e4674b68b33c906ce32c3275d83
SHA1: af8dc103b73c194816743ee22023a3cee934ac54
SHA256: afb5cbe324865253c7a9dcadbe66c66746ea360f0cd184a2f4e1bbf104533ccd
SHA512: 1c47a540582e4030a5e4ffd91df559936f3e585d8e679eb4cf65a03740c35ac2f27126b21af107b08c33b301d6626ff8296be1789ee7638077fcd4ae451cd50c
Malware Config
Extracted
Family: rustybuer
C2: https://usergtarca.com/
Signatures

Enumerates connected drives  (3 TTPs, 49 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: secinit.exe
description               ioc       process
File opened (read-only)   \??\w:    secinit.exe
File opened (read-only)   \??\y:    secinit.exe
File opened (read-only)   \??\O:    secinit.exe
File opened (read-only)   \??\p:    secinit.exe
File opened (read-only)   \??\S:    secinit.exe
File opened (read-only)   \??\T:    secinit.exe
File opened (read-only)   \??\R:    secinit.exe
File opened (read-only)   \??\t:    secinit.exe
File opened (read-only)   \??\Z:    secinit.exe
File opened (read-only)   \??\h:    secinit.exe
File opened (read-only)   \??\I:    secinit.exe
File opened (read-only)   \??\l:    secinit.exe
File opened (read-only)   \??\r:    secinit.exe
File opened (read-only)   \??\a:    secinit.exe
File opened (read-only)   \??\A:    secinit.exe
File opened (read-only)   \??\g:    secinit.exe
File opened (read-only)   \??\M:    secinit.exe
File opened (read-only)   \??\L:    secinit.exe
File opened (read-only)   \??\n:    secinit.exe
File opened (read-only)   \??\o:    secinit.exe
File opened (read-only)   \??\s:    secinit.exe
File opened (read-only)   \??\b:    secinit.exe
File opened (read-only)   \??\D:    secinit.exe
File opened (read-only)   \??\E:    secinit.exe
File opened (read-only)   \??\j:    secinit.exe
File opened (read-only)   \??\W:    secinit.exe
File opened (read-only)   \??\x:    secinit.exe
File opened (read-only)   \??\z:    secinit.exe
File opened (read-only)   \??\e:    secinit.exe
File opened (read-only)   \??\N:    secinit.exe
File opened (read-only)   \??\P:    secinit.exe
File opened (read-only)   \??\u:    secinit.exe
File opened (read-only)   \??\k:    secinit.exe
File opened (read-only)   \??\v:    secinit.exe
File opened (read-only)   \??\X:    secinit.exe
File opened (read-only)   \??\F:    secinit.exe
File opened (read-only)   \??\G:    secinit.exe
File opened (read-only)   \??\H:    secinit.exe
File opened (read-only)   \??\J:    secinit.exe
File opened (read-only)   \??\Y:    secinit.exe
File opened (read-only)   \??\f:    secinit.exe
File opened (read-only)   \??\i:    secinit.exe
File opened (read-only)   \??\U:    secinit.exe
File opened (read-only)   \??\V:    secinit.exe
File opened (read-only)   \??\Q:    secinit.exe
File opened (read-only)   \??\B:    secinit.exe
File opened (read-only)   \??\K:    secinit.exe
File opened (read-only)   \??\m:    secinit.exe
File opened (read-only)   \??\q:    secinit.exe
Suspicious use of SetThreadContext  (1 IoC)
Processes: SignerLib.exe
description                          pid   process        target process
PID 1776 set thread context of 736   1776  SignerLib.exe  secinit.exe
Suspicious behavior: EnumeratesProcesses  (1 IoC)
Processes: secinit.exe
pid   process
736   secinit.exe
Suspicious use of WriteProcessMemory  (10 IoCs)
Processes: SignerLib.exe
description                          pid   process        target process
PID 1776 wrote to memory of 736      1776  SignerLib.exe  secinit.exe
(the same entry is recorded 10 times)
Processes
1. image: C:\Users\Admin\AppData\Local\Temp\SignerLib.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\SignerLib.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 1776
   2. image: C:\Windows\SysWOW64\secinit.exe
      command line: "C:\Windows\System32\secinit.exe"
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      PID: 736