General

  • Target: ba9226a0aca438b5d53eac4025127cb5b8efd81a1b13104447491eba11078105
  • Size: 1.7MB
  • Sample: 220625-l6hr3sabc7
  • MD5: e24c03961d09e9ee6c218981e054af2a
  • SHA1: fcb86a0766159acffb08a785239a1af16010d9ff
  • SHA256: ba9226a0aca438b5d53eac4025127cb5b8efd81a1b13104447491eba11078105
  • SHA512: 0d724d370d46357d0041ed7646bc053ca49b8fb4efea7be8c965b79acc733b88eb61052b1dd4b58eb0221aef34d00aff10f292d69a4347ef8a0d41c91bf63ee1

Malware Config

Extracted

  • Family: buer
  • C2: http://bbload01.top/
  • C2: http://bbload02.top/

Targets

    • Buer

      Buer is a new modular loader first seen in August 2019.

    • Modifies WinLogon for persistence

    • Buer Loader

      Detects Buer loader in memory or disk.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks