Analysis
- max time kernel: 1730s
- max time network: 1737s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 09-08-2021 23:54

Static task: static1
Behavioral task: behavioral1
Sample: Zybeolaby Service.exe
Resource: win7v20210408 (windows7_x64); 0 signatures; 0 seconds
General
- Target: Zybeolaby Service.exe
- Size: 4.7MB
- MD5: 17b27ab5c49676aab24454868ca2adf7
- SHA1: 47028b12aa1257421b096f55d9d1fc68f6b8f72b
- SHA256: 5ac6766680c8c06a4b0b4e6a929ec4f5404fca75aa774f3eb986f81b1b30622b
- SHA512: 2938b181c8b17a9cab48168439a89aa1b4f6f67634d9faeb80946795db31d84ceca3c550e9feae9c0f391cccce5c30195e87bf633a0a8e2309544f23cc55866c
Malware Config (Extracted)
- Family: rustybuer
- C2: https://bostauherde.com/
Signatures

Enumerates connected drives (3 TTPs, 49 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description / IoC / process):
File opened (read-only)  \??\U:  secinit.exe
File opened (read-only)  \??\D:  secinit.exe
File opened (read-only)  \??\e:  secinit.exe
File opened (read-only)  \??\G:  secinit.exe
File opened (read-only)  \??\J:  secinit.exe
File opened (read-only)  \??\o:  secinit.exe
File opened (read-only)  \??\R:  secinit.exe
File opened (read-only)  \??\T:  secinit.exe
File opened (read-only)  \??\w:  secinit.exe
File opened (read-only)  \??\y:  secinit.exe
File opened (read-only)  \??\B:  secinit.exe
File opened (read-only)  \??\k:  secinit.exe
File opened (read-only)  \??\O:  secinit.exe
File opened (read-only)  \??\X:  secinit.exe
File opened (read-only)  \??\s:  secinit.exe
File opened (read-only)  \??\u:  secinit.exe
File opened (read-only)  \??\W:  secinit.exe
File opened (read-only)  \??\f:  secinit.exe
File opened (read-only)  \??\i:  secinit.exe
File opened (read-only)  \??\j:  secinit.exe
File opened (read-only)  \??\M:  secinit.exe
File opened (read-only)  \??\Q:  secinit.exe
File opened (read-only)  \??\z:  secinit.exe
File opened (read-only)  \??\A:  secinit.exe
File opened (read-only)  \??\E:  secinit.exe
File opened (read-only)  \??\I:  secinit.exe
File opened (read-only)  \??\l:  secinit.exe
File opened (read-only)  \??\n:  secinit.exe
File opened (read-only)  \??\N:  secinit.exe
File opened (read-only)  \??\x:  secinit.exe
File opened (read-only)  \??\F:  secinit.exe
File opened (read-only)  \??\K:  secinit.exe
File opened (read-only)  \??\m:  secinit.exe
File opened (read-only)  \??\p:  secinit.exe
File opened (read-only)  \??\r:  secinit.exe
File opened (read-only)  \??\a:  secinit.exe
File opened (read-only)  \??\b:  secinit.exe
File opened (read-only)  \??\h:  secinit.exe
File opened (read-only)  \??\P:  secinit.exe
File opened (read-only)  \??\V:  secinit.exe
File opened (read-only)  \??\Y:  secinit.exe
File opened (read-only)  \??\g:  secinit.exe
File opened (read-only)  \??\H:  secinit.exe
File opened (read-only)  \??\L:  secinit.exe
File opened (read-only)  \??\q:  secinit.exe
File opened (read-only)  \??\S:  secinit.exe
File opened (read-only)  \??\t:  secinit.exe
File opened (read-only)  \??\v:  secinit.exe
File opened (read-only)  \??\Z:  secinit.exe
Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
PID 1456 set thread context of 2256  1456  Zybeolaby Service.exe  secinit.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
2256  secinit.exe
2256  secinit.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
PID 1456 wrote to memory of 2256  1456  Zybeolaby Service.exe  secinit.exe
PID 1456 wrote to memory of 2256  1456  Zybeolaby Service.exe  secinit.exe
PID 1456 wrote to memory of 2256  1456  Zybeolaby Service.exe  secinit.exe
PID 1456 wrote to memory of 2256  1456  Zybeolaby Service.exe  secinit.exe
PID 1456 wrote to memory of 2256  1456  Zybeolaby Service.exe  secinit.exe
PID 1456 wrote to memory of 2256  1456  Zybeolaby Service.exe  secinit.exe
PID 1456 wrote to memory of 2256  1456  Zybeolaby Service.exe  secinit.exe
PID 1456 wrote to memory of 2256  1456  Zybeolaby Service.exe  secinit.exe
PID 1456 wrote to memory of 2256  1456  Zybeolaby Service.exe  secinit.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Zybeolaby Service.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Zybeolaby Service.exe"
   PID: 1456
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\secinit.exe (child of 1)
      Command line: "C:\Windows\System32\secinit.exe"
      PID: 2256
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses