Extracted

• • Target

    fb07db551c31c17ef048f04628cb49f400cf3b5d671b90c3334326755e709afa

  • Size

    1.4MB

  • MD5

    652ab99bb0d38c2b096919ad9827cca6

  • SHA1

    9604c9fb9c777f70c4911f575180da9db090ca0e

  • SHA256

    fb07db551c31c17ef048f04628cb49f400cf3b5d671b90c3334326755e709afa

  • SHA512

    b8f7ab53ce6360665158d4a8944483bfdcf2c7baf7e03bbd5cc53944e8b3cafdf8eacf105e5851f1cf3a200fadfe52ee24230d08ffacbd9ac74be0e76d005c9d

  Score

  10^/10

  buerevasionloader

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer

  • Buer Loader

    Detects Buer loader in memory or disk.

    loader

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Executes dropped EXE

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2