rustybuer | 64dd547546394e1d431a25a671892c7aca9cf57ed0733a7435028792ad42f4a7

General

Target

britannic.db_infected.exe
Size

3.9MB
MD5

26944aed6dfc2c25f96bbca49925fcaf
SHA1

b2b7a7a659abf7fd2c5596c119478363e0b7f360
SHA256

64dd547546394e1d431a25a671892c7aca9cf57ed0733a7435028792ad42f4a7
SHA512

ea0a599107acfbca4cc20987d003bd27a3168adea1df56378d4b6a934d1429d543bec91a7216c485ec0167b1d34ed510299e030944c4b8f6c3922b4699a4eabf

Score

10^/10

rustybuer loader

Malware Config

Extracted

Family

rustybuer

C2

https://awmelisers.com/

Signatures

RustyBuer
RustyBuer is a new variant of Buer loader written in Rust.
loader rustybuer

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

secinit.exe

description	ioc	process
File opened (read-only)	\??\a:	secinit.exe
File opened (read-only)	\??\b:	secinit.exe
File opened (read-only)	\??\Y:	secinit.exe
File opened (read-only)	\??\y:	secinit.exe
File opened (read-only)	\??\z:	secinit.exe
File opened (read-only)	\??\H:	secinit.exe
File opened (read-only)	\??\i:	secinit.exe
File opened (read-only)	\??\p:	secinit.exe
File opened (read-only)	\??\R:	secinit.exe
File opened (read-only)	\??\W:	secinit.exe
File opened (read-only)	\??\x:	secinit.exe
File opened (read-only)	\??\s:	secinit.exe
File opened (read-only)	\??\U:	secinit.exe
File opened (read-only)	\??\B:	secinit.exe
File opened (read-only)	\??\I:	secinit.exe
File opened (read-only)	\??\j:	secinit.exe
File opened (read-only)	\??\l:	secinit.exe
File opened (read-only)	\??\P:	secinit.exe
File opened (read-only)	\??\Q:	secinit.exe
File opened (read-only)	\??\A:	secinit.exe
File opened (read-only)	\??\h:	secinit.exe
File opened (read-only)	\??\J:	secinit.exe
File opened (read-only)	\??\L:	secinit.exe
File opened (read-only)	\??\O:	secinit.exe
File opened (read-only)	\??\u:	secinit.exe
File opened (read-only)	\??\V:	secinit.exe
File opened (read-only)	\??\w:	secinit.exe
File opened (read-only)	\??\e:	secinit.exe
File opened (read-only)	\??\f:	secinit.exe
File opened (read-only)	\??\M:	secinit.exe
File opened (read-only)	\??\N:	secinit.exe
File opened (read-only)	\??\o:	secinit.exe
File opened (read-only)	\??\v:	secinit.exe
File opened (read-only)	\??\Z:	secinit.exe
File opened (read-only)	\??\D:	secinit.exe
File opened (read-only)	\??\F:	secinit.exe
File opened (read-only)	\??\k:	secinit.exe
File opened (read-only)	\??\q:	secinit.exe
File opened (read-only)	\??\E:	secinit.exe
File opened (read-only)	\??\n:	secinit.exe
File opened (read-only)	\??\T:	secinit.exe
File opened (read-only)	\??\t:	secinit.exe
File opened (read-only)	\??\X:	secinit.exe
File opened (read-only)	\??\g:	secinit.exe
File opened (read-only)	\??\G:	secinit.exe
File opened (read-only)	\??\K:	secinit.exe
File opened (read-only)	\??\m:	secinit.exe
File opened (read-only)	\??\r:	secinit.exe
File opened (read-only)	\??\S:	secinit.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

britannic.db_infected.exe

description pid process target process

PID 652 set thread context of 2208 652 britannic.db_infected.exe secinit.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

secinit.exe

pid process

2208 secinit.exe
2208 secinit.exe
2208 secinit.exe
2208 secinit.exe

description	pid	process	target process
PID 652 set thread context of 2208	652	britannic.db_infected.exe	secinit.exe

pid	process
2208	secinit.exe
2208	secinit.exe
2208	secinit.exe
2208	secinit.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

britannic.db_infected.exe

description	pid	process	target process
PID 652 wrote to memory of 2208	652	britannic.db_infected.exe	secinit.exe
PID 652 wrote to memory of 2208	652	britannic.db_infected.exe	secinit.exe
PID 652 wrote to memory of 2208	652	britannic.db_infected.exe	secinit.exe
PID 652 wrote to memory of 2208	652	britannic.db_infected.exe	secinit.exe
PID 652 wrote to memory of 2208	652	britannic.db_infected.exe	secinit.exe
PID 652 wrote to memory of 2208	652	britannic.db_infected.exe	secinit.exe
PID 652 wrote to memory of 2208	652	britannic.db_infected.exe	secinit.exe
PID 652 wrote to memory of 2208	652	britannic.db_infected.exe	secinit.exe
PID 652 wrote to memory of 2208	652	britannic.db_infected.exe	secinit.exe

C:\Users\Admin\AppData\Local\Temp\britannic.db_infected.exe
"C:\Users\Admin\AppData\Local\Temp\britannic.db_infected.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\SysWOW64\secinit.exe
  "C:\Windows\System32\secinit.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-118-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2208-114-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2208-115-0x00000000004893A7-mapping.dmp

Download
memory/2208-119-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing