Extracted

• • Target

    95273409959433f7b80f387eec09692291e7795c30ed659c1b1228a5ad72a5cc

  • Size

    1.6MB

  • MD5

    d84fc8f135bbf515b8f99412b58fe5b1

  • SHA1

    5707a9ab80925f288f0fcbf0b211d0f2801c595e

  • SHA256

    95273409959433f7b80f387eec09692291e7795c30ed659c1b1228a5ad72a5cc

  • SHA512

    8f2173c34e7db6700e8c4c4683789a5658a9d27ca3bb921872454d75b6c360f89b5b593d4d258d97fd1b7fc00c99587ebf67235b32e30a58010d1ca7b70d92c6

  Score

  10^/10

  buerevasionloaderpersistence

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer

  • Modifies WinLogon for persistence

    persistence

  • Buer Loader

    Detects Buer loader in memory or disk.

    loader

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Executes dropped EXE

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2