buer | d1d93897a3378eb32b943ef3010f9af53246cb90e125668d080a28ec676b332f | Triage

Submit
Reports

Overview

overview

Static

static

d1d93897a3...2f.exe

windows7-x64

d1d93897a3...2f.exe

windows10-2004-x64

Sharing

General

Target

d1d93897a3378eb32b943ef3010f9af53246cb90e125668d080a28ec676b332f
Size

2.0MB
Sample

220724-vw2a4sccf2
MD5

e841f039dd3583e617ffe376df63b87c
SHA1

d8d998f26b3b73a0631824d1336a25f6f14b7e84
SHA256

d1d93897a3378eb32b943ef3010f9af53246cb90e125668d080a28ec676b332f
SHA512

7b9e80d8d0c614476f81a1cdfa4a341e39e25dc75708a6c18c695e27afe965eb931055e9cd66d730d53e5a9d0665c5d0f2ed0e438f6c1b03190608a6de2f6380

Score

10^/10

buer evasion loader persistence

Static task

static1

Behavioral task

behavioral1

Sample

d1d93897a3378eb32b943ef3010f9af53246cb90e125668d080a28ec676b332f.exe

Resource

win7-20220718-en

buer evasion loader persistence

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

d1d93897a3378eb32b943ef3010f9af53246cb90e125668d080a28ec676b332f.exe

Resource

win10v2004-20220721-en

buer evasion loader persistence

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

buer

C2

http://loy01.top/

http://loy02.top/

Targets

- Target
  
  d1d93897a3378eb32b943ef3010f9af53246cb90e125668d080a28ec676b332f
- Size
  
  2.0MB
- MD5
  
  e841f039dd3583e617ffe376df63b87c
- SHA1
  
  d8d998f26b3b73a0631824d1336a25f6f14b7e84
- SHA256
  
  d1d93897a3378eb32b943ef3010f9af53246cb90e125668d080a28ec676b332f
- SHA512
  
  7b9e80d8d0c614476f81a1cdfa4a341e39e25dc75708a6c18c695e27afe965eb931055e9cd66d730d53e5a9d0665c5d0f2ed0e438f6c1b03190608a6de2f6380
Score

10^/10

buer evasion loader persistence
- Buer
  Buer is a new modular loader first seen in August 2019.
  loader buer
- Modifies WinLogon for persistence
  persistence
- Buer Loader
  Detects Buer loader in memory or disk.
  loader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

buerevasionloaderpersistence

behavioral2

buerevasionloaderpersistence

© 2018-2024

Terms | Privacy