General

  • Target

    ec5dde3e68cf7ed672be82433da49a7c44bb2c109956b2b29161e0b3f34b025e

  • Size

    1.6MB

  • Sample

    220625-ct6tpscge5

  • MD5

    4f6928ac042fe087533e8d7f4fbc4b74

  • SHA1

    59cb8e3ed172b41351ae9a8a6e15cd7efdc0250c

  • SHA256

    ec5dde3e68cf7ed672be82433da49a7c44bb2c109956b2b29161e0b3f34b025e

  • SHA512

    efcf031b00d16a2fd406cbdc35ca8a1bcc6679fcd72c169e56c6231074fb7e74fe21ffb586970c48ad57090412c24caa15890f7bad44654c7f2deb39772401a9

Malware Config

Extracted

Family

buer

C2

http://lodddd01.info/

http://lodddd02.info/

cook5**gj____+,)diaj*

cook5**gj____+-)diaj*

Targets

    • Target

      ec5dde3e68cf7ed672be82433da49a7c44bb2c109956b2b29161e0b3f34b025e

    • Size

      1.6MB

    • MD5

      4f6928ac042fe087533e8d7f4fbc4b74

    • SHA1

      59cb8e3ed172b41351ae9a8a6e15cd7efdc0250c

    • SHA256

      ec5dde3e68cf7ed672be82433da49a7c44bb2c109956b2b29161e0b3f34b025e

    • SHA512

      efcf031b00d16a2fd406cbdc35ca8a1bcc6679fcd72c169e56c6231074fb7e74fe21ffb586970c48ad57090412c24caa15890f7bad44654c7f2deb39772401a9

    • Buer

      Buer is a new modular loader first seen in August 2019.

    • Modifies WinLogon for persistence

    • Buer Loader

      Detects Buer loader in memory or disk.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks