Extracted

• • Target

    f73cf8983ba1581437ef86a24e97cde0929d9ee8d5224a834ab55353cb0fb5f3

  • Size

    1.7MB

  • MD5

    85851bc9cecff7ec618e498f2f52ab5a

  • SHA1

    21f4efb62167f1e9b4f82d41ba3d09b58856f201

  • SHA256

    f73cf8983ba1581437ef86a24e97cde0929d9ee8d5224a834ab55353cb0fb5f3

  • SHA512

    c6cac25fd43ff4d821f991c19ecf47a2f8dcf66fdbff1ce377611093b7db925b0587bd15db23061bd03ae1ad380c6362c644734a5f6ae0e3e723c1500c62813f

  Score

  10^/10

  buerevasionloaderpersistence

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer

  • Modifies WinLogon for persistence

    persistence

  • Buer Loader

    Detects Buer loader in memory or disk.

    loader

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Executes dropped EXE

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2