buer | 6a57777ca59bc1e671ed7d78d6919e7a978eab31eb4f7ddd6d04d8d020a1fc9d | Triage

Submit
Reports

Overview

overview

Static

static

6a57777ca5...9d.exe

windows7-x64

6a57777ca5...9d.exe

windows10-2004-x64

Sharing

General

Target

6a57777ca59bc1e671ed7d78d6919e7a978eab31eb4f7ddd6d04d8d020a1fc9d
Size

2.0MB
Sample

220725-epjjqaebgk
MD5

abd4e9aad8ec61897613808a95b86a7a
SHA1

d1962d200b9d79e5e9197050e7f1134c0bd1b22b
SHA256

6a57777ca59bc1e671ed7d78d6919e7a978eab31eb4f7ddd6d04d8d020a1fc9d
SHA512

42ca936d21a3995f7ba408915d1a9d20a1a5c18e19e4154755ac9e9c8ade80b90ca0daa487247dd3749301a59279864d67d5cd3b7e6c1aa3d7507c995c7edca3

Score

10^/10

buer evasion loader persistence

Static task

static1

Behavioral task

behavioral1

Sample

6a57777ca59bc1e671ed7d78d6919e7a978eab31eb4f7ddd6d04d8d020a1fc9d.exe

Resource

win7-20220718-en

buer evasion loader persistence

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

6a57777ca59bc1e671ed7d78d6919e7a978eab31eb4f7ddd6d04d8d020a1fc9d.exe

Resource

win10v2004-20220721-en

buer evasion loader persistence

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

buer

C2

http://loy01.top/

http://loy02.top/

Targets

- Target
  
  6a57777ca59bc1e671ed7d78d6919e7a978eab31eb4f7ddd6d04d8d020a1fc9d
- Size
  
  2.0MB
- MD5
  
  abd4e9aad8ec61897613808a95b86a7a
- SHA1
  
  d1962d200b9d79e5e9197050e7f1134c0bd1b22b
- SHA256
  
  6a57777ca59bc1e671ed7d78d6919e7a978eab31eb4f7ddd6d04d8d020a1fc9d
- SHA512
  
  42ca936d21a3995f7ba408915d1a9d20a1a5c18e19e4154755ac9e9c8ade80b90ca0daa487247dd3749301a59279864d67d5cd3b7e6c1aa3d7507c995c7edca3
Score

10^/10

buer evasion loader persistence
- Buer
  Buer is a new modular loader first seen in August 2019.
  loader buer
- Modifies WinLogon for persistence
  persistence
- Buer Loader
  Detects Buer loader in memory or disk.
  loader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

buerevasionloaderpersistence

behavioral2

buerevasionloaderpersistence

© 2018-2024

Terms | Privacy