Overview

overview

10

Static

static

26944aed6d...af.exe

windows7_x64

10

26944aed6d...af.exe

windows7_x64

10

26944aed6d...af.exe

windows10_x64

10

26944aed6d...af.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    26944aed6dfc2c25f96bbca49925fcaf.zip

  • Size

    1.9MB

  • Sample

    210910-cgfrracbel

  • MD5

    c63bbb525e23b96cb765c37442c7b784

  • SHA1

    c5340593fb02349585a91bac2f4a7e40f53922ed

  • SHA256

    e81ccda9157a84d16d15cef0418c8ffc0839cea2cfd669bccf08198d5929ff25

  • SHA512

    e8b277b13cfb13923be5639492ef8869319fb059bd50fb5a14fd4f9b762d872a18952bd1a5cb6bf6206c48758f99bb56ee7ce8402062f73497e79ceab6781529

Score
10/10
rustybuerloaderpersistence

Malware Config

Extracted

Family

rustybuer

C2

https://awmelisers.com/

Targets

    • Target

      26944aed6dfc2c25f96bbca49925fcaf

    • Size

      3.9MB

    • MD5

      26944aed6dfc2c25f96bbca49925fcaf

    • SHA1

      b2b7a7a659abf7fd2c5596c119478363e0b7f360

    • SHA256

      64dd547546394e1d431a25a671892c7aca9cf57ed0733a7435028792ad42f4a7

    • SHA512

      ea0a599107acfbca4cc20987d003bd27a3168adea1df56378d4b6a934d1429d543bec91a7216c485ec0167b1d34ed510299e030944c4b8f6c3922b4699a4eabf

    Score
    10/10
    rustybuerloaderpersistence

    • Modifies system executable filetype association

      persistence

    • Registers COM server for autorun

      persistence

    • RustyBuer

      RustyBuer is a new variant of Buer loader written in Rust.

      loaderrustybuer

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks