Extracted

• • Target

    6d969949ad751206ad4a722f8305585b88113a1abf342411fc9bbb5e79d4834f

  • Size

    1.9MB

  • MD5

    fbaf48e37d532389bc0dbb3bc48c629f

  • SHA1

    7b5d1a86826b4f947c14369acce0d27198119bec

  • SHA256

    6d969949ad751206ad4a722f8305585b88113a1abf342411fc9bbb5e79d4834f

  • SHA512

    945623b3aa28676b93b7b9d49c4dc548b6b5e76838268563abd8ba6d75027567663cb78647698ef908f89ab22de5718f94727cefddfd0a41f38bc5ca60ea61d0

  Score

  10^/10

  buerevasionloaderpersistence

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer

  • Modifies WinLogon for persistence

    persistence

  • Buer Loader

    Detects Buer loader in memory or disk.

    loader

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Executes dropped EXE

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2