General

  • Target

    3c1a487926e726fda53c8d5e2a6f455fb6a7a5de3758925d9250c95c17b19203

  • Size

    1.8MB

  • Sample

    220625-ne6e6saahl

  • MD5

    28623b3264e04f4b160425d0c10f4a54

  • SHA1

    d8d8b1f79204ec37e62a8cda2778808c91de8d98

  • SHA256

    3c1a487926e726fda53c8d5e2a6f455fb6a7a5de3758925d9250c95c17b19203

  • SHA512

    0047420a38ab935eae6781e1e07d6f558841cb940cd1b337d30da20b9b1b620ef54218d564d2eb23de6d6b37b5ba4db8d63cacf5b52916cf96867da9da8a3d82

Malware Config

Extracted

Family

buer

C2

http://loy01.top/

http://loy02.top/

cook5**gjt+,)ojk*

cook5**gjt+-)ojk*

Targets

    • Target

      3c1a487926e726fda53c8d5e2a6f455fb6a7a5de3758925d9250c95c17b19203

    • Size

      1.8MB

    • MD5

      28623b3264e04f4b160425d0c10f4a54

    • SHA1

      d8d8b1f79204ec37e62a8cda2778808c91de8d98

    • SHA256

      3c1a487926e726fda53c8d5e2a6f455fb6a7a5de3758925d9250c95c17b19203

    • SHA512

      0047420a38ab935eae6781e1e07d6f558841cb940cd1b337d30da20b9b1b620ef54218d564d2eb23de6d6b37b5ba4db8d63cacf5b52916cf96867da9da8a3d82

    • Buer

      Buer is a new modular loader first seen in August 2019.

    • Modifies WinLogon for persistence

    • Buer Loader

      Detects Buer loader in memory or disk.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Defense Evasion

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

2
T1497

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

1
T1082

Tasks