General

  • Target

    80e35297452f56d53068cfaa87d95cbb9af7f5a44c9db7b0a84f4a8ff83ebdaa

  • Size

    2.5MB

  • Sample

    220625-cs49gsaear

  • MD5

    76195dea24952425594e7db7239ce0aa

  • SHA1

    b9791aef3c83751b937f2b60fda094cecb8954a8

  • SHA256

    80e35297452f56d53068cfaa87d95cbb9af7f5a44c9db7b0a84f4a8ff83ebdaa

  • SHA512

    0cdce90ccffcd69dcf5cc1ff8f0ecfc55f16227b2f6e1141f80c5dfe4dddec71db097755d47715cc59ea4f10ef5c72598eef252f87e923adbac212a27bd90727

Malware Config

Extracted

Family

buer

C2

http://burload01.top/

http://burload02.top/

|�

Targets

    • Target

      80e35297452f56d53068cfaa87d95cbb9af7f5a44c9db7b0a84f4a8ff83ebdaa

    • Size

      2.5MB

    • MD5

      76195dea24952425594e7db7239ce0aa

    • SHA1

      b9791aef3c83751b937f2b60fda094cecb8954a8

    • SHA256

      80e35297452f56d53068cfaa87d95cbb9af7f5a44c9db7b0a84f4a8ff83ebdaa

    • SHA512

      0cdce90ccffcd69dcf5cc1ff8f0ecfc55f16227b2f6e1141f80c5dfe4dddec71db097755d47715cc59ea4f10ef5c72598eef252f87e923adbac212a27bd90727

    • Buer

      Buer is a new modular loader first seen in August 2019.

    • Modifies WinLogon for persistence

    • Buer Loader

      Detects Buer loader in memory or disk.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks