MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BuerLoader

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee
SHA3-384 hash:	3930d3d6edc8c0e59f7bfe89827c16243e474ae576764a6a8b8dc76128d54998b89f947f42b919308ae612f08df198f7
SHA1 hash:	2f6d73554c05dbda6cd738a2f38d5cdae2cdd4b7
MD5 hash:	1ddd876da3731823324ffa302ddddcba
humanhash:	snake-mike-sixteen-ack
File name:	045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee
Download:	download sample
Signature	BuerLoader Create hunting rule
File size:	279'640 bytes
First seen:	2021-03-01 09:43:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep	3072:AomnzVincQDKgclXgnQiQlo4SssssIkHYBTeQCbMrJ56kkOIgZtF48:AtZZXgnQiKo4+Ye+H6kEgbr
Threatray	35 similar samples on MalwareBazaar
TLSH	E754AF3823F0A752D176423107E2D5356AE05F28DEE1D30BE2B42E15B746ED93E8998F
Reporter	JAMESWT_WT
Tags:	BuerLoader MAVE MEDIA signed

Code Signing Certificate

Organisation:	MAVE MEDIA
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-02-16T00:00:00Z
Valid to:	2022-02-16T23:59:59Z
Serial number:	8fe807310d98357a59382090634b93f0
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	610cbdea244ef6bc648437853f9d94daf2cfbfc9701a7c9ac1bc61b233eb228a
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

181

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee

Verdict:

Malicious activity

Analysis date:

2021-03-01 09:45:09 UTC

Tags:

installer loader buerloader

Link:

https://app.any.run/tasks/0e9fce25-ac8d-4e9d-8837-931c66f0ee75

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BuerLoader

Link:

https://www.capesandbox.com/analysis/120190/

Detection(s):

PUA.Win.Downloader.Soft32downloader-6691270-0

SecuriteInfo.com.Trojan.GenericKD.42220477.4087.19311.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Creating a file in the %AppData% directory

Creating a file in the %temp% subdirectories

Unauthorized injection to a recently created process

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/621957

Signature

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-26 02:28:19 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 48 (43.75%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=arnhggfj4lsvaiembr7j7safa2g7dh5hhar2yowkube2i3caixxa._file

Verdict:

malicious

BuerLoader

4f7ccbc55dda5ed45be0fc7dc48b18719556ac9018d5aa4eb9f9ff0470eaca95

BuerLoader

650750b450fd881501aa5a879696e9d61e8fcbbad479ce37b0a2bb081d73c209

BuerLoader

6b208bb60a779b6b4e202aa7b7593cdc0695f0534527d8d3a66c13977ef1c572

BuerLoader

7d502dec22302537441fdc43c60eed70bcde7f97bb14414e7859439d2ec7914f

BuerLoader

7f43651edf5d5bb92a5c6c66042d068d2d4e27cb9a6e45d46e03ca7cbfe4f39f

BuerLoader

9cd888fa0692f8d0ca69548532ae72171b426d0e9d8b3b46acdbbe7636d653da

BuerLoader

b0a639215a6ea4dc14ffc7fbc6f3c102605d17008a51de477cb755e35794a8c0

BuerLoader

b298ead0400aaf886dbe0a0720337e6f2efd5e2a3ac1a7e7da54fc7b6e4f4277

BuerLoader

e81d26edffa4b4570584bd1cb36211587108dfbbfc24f303a2c3e261cc3c59c1

BuerLoader

+ 25 additional samples on MalwareBazaar

Result

Malware family:

buer

Score:

10/10

Tags:

family:buer loader

Link:

https://tria.ge/reports/210301-j2zt4ynxgn/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Buer Loader

Buer

Malware Config

C2 Extraction:

tifuzmp.w2/dpn

Unpacked files

SH256 hash:

ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

MD5 hash:

0063d48afe5a0cdc02833145667b6641

SHA1 hash:

e7eb614805d183ecb1127c62decb1a6be1b4f7a8

Detections:

win_buer_auto

Link:

https://www.unpac.me/results/9813ce99-671e-409e-be32-f199f613eee6/

Parent samples :

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee
f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283
dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde
e0fb60da371912c158861c9660632d58e45cfcff12351cc9e03f497f319eb5de
904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a

SH256 hash:

ae9e20ccad12527c82d254026a98fbb5babbe534bef9d45c93e1dfef605febdc

MD5 hash:

bb80bc478373ed88294abf5838ea95b0

SHA1 hash:

10b10f31a9950d3dcc67d574300b05ebdd52f775

Detections:

win_buer_w0

Link:

https://www.unpac.me/results/9813ce99-671e-409e-be32-f199f613eee6/

SH256 hash:

045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee

MD5 hash:

1ddd876da3731823324ffa302ddddcba

SHA1 hash:

2f6d73554c05dbda6cd738a2f38d5cdae2cdd4b7

Link:

https://www.unpac.me/results/9813ce99-671e-409e-be32-f199f613eee6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	BuerLoader Create hunting rule
Author:	Brandon George
Description:	Yara rules for the updated and unpacked payload of BuerLoader

Rule name:	win_buer_unpacked_w0 Create hunting rule
Author:	Rony (@r0ny_123)
Description:	detects Buer.

Rule name:	win_buer_w0 Create hunting rule
Author:	Rony (@r0ny_123)
Description:	detects Buer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/120190/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample