General

  • Target

    a6d1d66c30c7b3a9b204bc7161b96983369a4e76e6511888814a5d2397bcbe5f

  • Size

    2.0MB

  • Sample

    220725-crlezsafg3

  • MD5

    4fc7a093ce5048cf943b039ea39c1e60

  • SHA1

    dc5d7f205723e37e55b90e725991222b503b963a

  • SHA256

    a6d1d66c30c7b3a9b204bc7161b96983369a4e76e6511888814a5d2397bcbe5f

  • SHA512

    5d33ea3bc56f778782d8580fb82a9ae85f0029ddf6bcfbeaca92b177a92fc8b2a3681abb39c1929ab7cb60b3f9c4d5206944fa1d8f31671675fd0d8ffb936498

Malware Config

Extracted

Family

buer

C2

http://loy01.top/

http://loy02.top/

Targets

    • Buer

      Buer is a modular malware loader first seen in August 2019.

    • Modifies WinLogon for persistence

    • Buer Loader

      Detects the Buer loader in memory or on disk.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger
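
The registry-based signatures above (VirtualBox ACPI keys, BIOS values, Wine keys, Winlogon modification) can be reproduced as detection logic over a registry-access trace. The following is an added example and not Triage's own signature code: it runs over a constructed, Sysmon-like event list embedded in the file (the `ProcessId`/`EventType`/`TargetObject`/`Details` shape is an assumption, and Sysmon itself does not record registry reads, so the read-side checks are meant for a sandbox or API-monitor trace). The registry paths are the well-known locations these checks use; treating them as the exact set the sandbox matches on is an assumption.

```python
"""Registry-trace checks mirroring the anti-VM/anti-sandbox and Winlogon
signatures in the report. Added example, not Triage's detection code."""
import re
from collections import defaultdict

# Well-known registry locations probed by VM/sandbox checks. Which paths the
# sandbox actually matches on is an assumption; these are the common ones.
ANTI_VM_PATTERNS = {
    "Identifies VirtualBox via ACPI registry values": re.compile(
        r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "Checks BIOS information in registry": re.compile(
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)Bios(Version|Date)$", re.I),
    "Identifies Wine through registry keys": re.compile(
        r"^HK(LM|CU)\\Software\\Wine(\\|$)", re.I),
}

# Winlogon values that hand control to an arbitrary binary at logon.
WINLOGON = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)
# Stock defaults; any other value is worth a look.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}

# Constructed trace (not from the report): pid 1337 behaves like the sample,
# pid 4242 is a benign process that rewrites Userinit to its default value.
SAMPLE_EVENTS = [
    {"ProcessId": 1337, "EventType": "OpenKey",
     "TargetObject": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"ProcessId": 1337, "EventType": "QueryValue",
     "TargetObject": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"ProcessId": 1337, "EventType": "OpenKey",
     "TargetObject": r"HKCU\Software\Wine"},
    {"ProcessId": 1337, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Users\user\AppData\Roaming\svchost.exe"},
    {"ProcessId": 4242, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"ProcessId": 4242, "EventType": "QueryValue",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]


def classify(events):
    """Return {signature_name: [pid, ...]} for every event that matches.

    Reads/opens are matched against the anti-VM patterns; writes are matched
    against the Winlogon values and flagged only when the new data differs
    from the stock default (a benign reset to the default is ignored).
    """
    hits = defaultdict(list)
    for ev in events:
        key, pid = ev["TargetObject"], ev["ProcessId"]
        if ev["EventType"] in ("OpenKey", "QueryKey", "QueryValue"):
            for name, pattern in ANTI_VM_PATTERNS.items():
                if pattern.search(key):
                    hits[name].append(pid)
        elif ev["EventType"] == "SetValue":
            m = WINLOGON.search(key)
            if m:
                expected = WINLOGON_DEFAULTS[m.group(1).lower()]
                if ev.get("Details", "").strip().lower() != expected:
                    hits["Modifies WinLogon for persistence"].append(pid)
    return dict(hits)


def suspicious_pids(events, min_signatures=2):
    """PIDs that tripped at least min_signatures distinct anti-VM checks.

    A lone BIOS read is normal for inventory tooling; several different
    environment probes from one process is the evasion pattern reported.
    """
    per_pid = defaultdict(set)
    for name, pids in classify(events).items():
        if name in ANTI_VM_PATTERNS:
            for pid in pids:
                per_pid[pid].add(name)
    return sorted(pid for pid, names in per_pid.items()
                  if len(names) >= min_signatures)


if __name__ == "__main__":
    for name, pids in classify(SAMPLE_EVENTS).items():
        print(f"{name}: pids {sorted(set(pids))}")
    print("anti-VM evasion candidates:", suspicious_pids(SAMPLE_EVENTS))
```

The Winlogon check deliberately compares against the default value rather than alerting on any write, since installers and imaging tools do touch those keys; the persistence pattern is an appended or replaced executable path, as in the constructed `Shell` event.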

MITRE ATT&CK Enterprise v6

Tasks