MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a6be94628e528a0354c71a800510ab89c442a5f3a428a49b729662d4d19529c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BuerLoader

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	0a6be94628e528a0354c71a800510ab89c442a5f3a428a49b729662d4d19529c
SHA3-384 hash:	2d9e73a37b8be2756b98e8003a088f5d4bde432a0823f568027289227ec1bb79e4c70f439758ba6d7e7c69026a8b14ba
SHA1 hash:	ce0c63d9c1dd967d68158156e1c88e731fa25447
MD5 hash:	801b2019d58f05ea3667603d3f2ff822
humanhash:	minnesota-fifteen-black-freddie
File name:	DocumentPreview.exe
Download:	download sample
Signature	BuerLoader Create hunting rule
File size:	233'552 bytes
First seen:	2020-07-14 18:23:36 UTC
Last seen:	2020-07-14 18:54:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	88211731c5b23109456ded73b6cfbc32 (1 x BuerLoader)
ssdeep	3072:ub+SF7uMkpgUoD6CKxN+MgB46UnVsV1HvVtFoKJNZZhqB7xWe7AFewtoSraX:ubfMitqNYiSXHvVoO8NNAYbX
Threatray	119 similar samples on MalwareBazaar
TLSH	FC345B20B2D290B0E4AA167059F1C7FF993DF8325FF7F54B26A7162E19705E04D287A2
Reporter	James_inthe_box
Tags:	BuerLoader exe

Code Signing Certificate

Organisation:	GlobalSign
Issuer:	GlobalSign
Algorithm:	sha256WithRSAEncryption
Valid from:	Mar 18 10:00:00 2009 GMT
Valid to:	Mar 18 10:00:00 2029 GMT
Serial number:	04000000000121585308A2
Intelligence:	16 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/25796/

Detection(s):

SecuriteInfo.com.BScope.Malware-Cryptor.Bicololo.2513.11923.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Launching cmd.exe command interpreter

Deleting of the original file

Enabling autorun

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a6be94628e528a0354c71a800510ab89c442a5f3a428a49b729662d4d19529c/

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-14 18:23:25 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bjv6srri4uukankmoguaauikxcoeiks7hjbiusnxfftc2tizkkoa._file

Verdict:

malicious

Label(s):

emotet

trickbot

BuerLoader

082a9fe0d0d8dbde7944b9ce08b89e7dd1f0bd0d48d4bb11c92b5dbbc50a12b8

BuerLoader

2a8b84761200ff05a63ccc2f2f8d2d95e55bacbf3dfa425b6d0a1d0228fb8078

BuerLoader

44c7ef261a066790a4ce332afc634fb5f89f3273c0c908ec02ab666088b27757

BuerLoader

63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2

BuerLoader

67a402b5426a99f38e38a45bb44edebcf44032ff39ca38178b7d42b6934fefa4

BuerLoader

a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704

BuerLoader

a459ec02bedc31bb265ba6e61e8a0cb1529e935215dfcc038c9450e142329931

BuerLoader

b22dc5d5b64b027c3912d1cf9e890b4e7c007cee2e8b46cbbd4676758142d0fe

BuerLoader

e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1

BuerLoader

+ 109 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/200714-1wz6vgzdy2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Enumerates connected drives

Loads dropped DLL

Deletes itself

Executes dropped EXE

Modifies WinLogon for persistence

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	win_buer_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/25796/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample