rustybuer | c28abaaad1b7b2c7a37f28e974e8214f07c88feffef986e0a60a44ab0fa575aa

Resubmissions

23-07-2021 19:26

Target

csrsc.exe
Size

2.0MB
MD5

984287b2d5eb06be3bb771f84e3b5ee8
SHA1

c75b5e359169084504a78259fd79f0d1e86a19ef
SHA256

c28abaaad1b7b2c7a37f28e974e8214f07c88feffef986e0a60a44ab0fa575aa
SHA512

412af5359691a2caea5a4e452b9ed2603d31db6306cf1c0b375c5f67400769108bc89c047b080d96e8f647b6fb6a47bfe9d6c6a123a4f27839953cd624e7ff9a

Score

10^/10

rustybuer loader

Family

rustybuer

https://shipmentofficedepot.com/

RustyBuer
RustyBuer is a new variant of Buer loader written in Rust.
loader rustybuer

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1572	1088	WerFault.exe	24

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1572	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1572	1088	csrsc.exe	29
PID 1088 wrote to memory of 1572	1088	csrsc.exe	29
PID 1088 wrote to memory of 1572	1088	csrsc.exe	29
PID 1088 wrote to memory of 1572	1088	csrsc.exe	29

C:\Users\Admin\AppData\Local\Temp\csrsc.exe
"C:\Users\Admin\AppData\Local\Temp\csrsc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 396
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1572

memory/1088-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1088-61-0x0000000002200000-0x0000000002366000-memory.dmp

Filesize
1.4MB

Download
memory/1572-63-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download