buer | 9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7

General

Target

9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
Size

6.6MB
MD5

b18acf64909d55d9919fd796fc65a5f3
SHA1

2bbea10af479a63c39f2ffda1337042941375248
SHA256

9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7
SHA512

a24f39d9f6ee3d4f2e65f28da1446084cf8cda4df3bf6364d4da235c19c4601d60541f2bc665855346be7a920260dae5e550980f8521392b829184e534f2a8f4

Score

10^/10

buer loader

Malware Config

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral1/memory/1296-55-0x0000000000AA0000-0x0000000000AAC000-memory.dmp	buer
behavioral1/memory/1296-59-0x0000000040000000-0x0000000040009000-memory.dmp	buer
behavioral1/memory/1296-62-0x00000000003F0000-0x00000000003F9000-memory.dmp	buer

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\A:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\F:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\G:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\K:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\Q:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\T:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\U:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\V:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\H:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\J:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\M:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\O:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\Y:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\I:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\P:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\W:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\Z:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\S:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\X:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\B:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\E:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\L:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
File opened (read-only)	\??\N:	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1296	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
1296	9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe

C:\Users\Admin\AppData\Local\Temp\9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe
"C:\Users\Admin\AppData\Local\Temp\9678bf2faa844be6d7919e0f4dd9b31366d63dc9bc17c88642e33b6ab3b20ce7.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1296-54-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1296-55-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/1296-59-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download
memory/1296-62-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing