MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b750c8206c470821e39e5250820a8076dba4d037eb98adee00ea865b97bb8e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BuerLoader

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	0b750c8206c470821e39e5250820a8076dba4d037eb98adee00ea865b97bb8e1
SHA3-384 hash:	6d5f3bed6bed25d4db6bd2ab786846ed282c855cd2737fd85f1f020a48b78f4f42a8ab02498ecf13e39e9f99ad1c749c
SHA1 hash:	36ca288cbaa7ffd064879a2cf0e148f9419993bf
MD5 hash:	3b9b37a405585d0625ab124c5a9f0eb6
humanhash:	saturn-hydrogen-artist-red
File name:	page.icore
Download:	download sample
Signature	BuerLoader Create hunting rule
File size:	156'160 bytes
First seen:	2021-03-10 11:44:36 UTC
Last seen:	2021-03-10 13:45:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61bb488cd8cd04f152febd73f15d8ba3 (3 x RaccoonStealer, 1 x BuerLoader)
ssdeep	3072:HgmCbVKjw5B6Xz+AVqOuQ9HLMOsP+I5wu7DZc52tX9:UbKqOuQ9owup/tX9
Threatray	61 similar samples on MalwareBazaar
TLSH	4AE38C0275C1D872D5861A310829C6A91B37FCB19B3497CB7B843B6A5F313E29FB6742
Reporter	abuse_ch
Tags:	Buer BuerLoader

abuse_ch

BuerLoader C2:
miyfandecompany.com

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

page.icore

Verdict:

No threats detected

Analysis date:

2021-03-10 11:44:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fa80d37d-d249-4f86-8de5-d543eb0cacc5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BuerLoader

Link:

https://www.capesandbox.com/analysis/123595/

Detection(s):

SecuriteInfo.com.Variant.Bulz.388027.21981.9064.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Buer Loader

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/634264

Signature

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected Buer Loader

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Infostealer.Recealer

Status:

Malicious

First seen:

2021-03-10 11:45:06 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bn2qzaqgyryiehrz4usqqifia5w3utidp24yvxxab2uglol3xdqq._file

Verdict:

malicious

BuerLoader

1889d0da16fd4ff66844c822a8a92e07a1702f1b5b97bfe6bb1a943d22d662c8

BuerLoader

41a4ee153b3c61cc8ed50de571e5b8f884de1c8c07332b7b31f238360832988c

BuerLoader

4f7ccbc55dda5ed45be0fc7dc48b18719556ac9018d5aa4eb9f9ff0470eaca95

BuerLoader

650750b450fd881501aa5a879696e9d61e8fcbbad479ce37b0a2bb081d73c209

BuerLoader

6b208bb60a779b6b4e202aa7b7593cdc0695f0534527d8d3a66c13977ef1c572

BuerLoader

9cd888fa0692f8d0ca69548532ae72171b426d0e9d8b3b46acdbbe7636d653da

BuerLoader

c1a1988e6f043d0e73c9555ccaad2adb3683c22b0569fc0f6be24c3e4f8c82ff

BuerLoader

c1dde6f1868423ec25b5d3640840ce4372426bef5ea6f3e59d0f732f4b7222d2

BuerLoader

f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283

BuerLoader

+ 51 additional samples on MalwareBazaar

Result

Malware family:

buer

Score:

10/10

Tags:

family:buer loader

Link:

https://tria.ge/reports/210310-wzjwq2ky3a/

Behaviour

Buer Loader

Buer

Malware Config

C2 Extraction:

hefuaqbanking.com

Unpacked files

SH256 hash:

526434e3e38014677d24badd42f0123f614e4e20ad7fdeacc8de0e014d852572

MD5 hash:

cf773954deed411221753a55ef1ca5a0

SHA1 hash:

d98edad7c5d785b99c9e645dc7bf0b6d86403293

Detections:

win_buer_w0

Link:

https://www.unpac.me/results/19aae77d-1606-4fd3-ba80-8e7046e7511f/

SH256 hash:

0b750c8206c470821e39e5250820a8076dba4d037eb98adee00ea865b97bb8e1

MD5 hash:

3b9b37a405585d0625ab124c5a9f0eb6

SHA1 hash:

36ca288cbaa7ffd064879a2cf0e148f9419993bf

Link:

https://www.unpac.me/results/19aae77d-1606-4fd3-ba80-8e7046e7511f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0b750c8206c470821e39e5250820a8076dba4d037eb98adee00ea865b97bb8e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BuerLoader Create hunting rule
Author:	Brandon George
Description:	Yara rules for the updated and unpacked payload of BuerLoader

Rule name:	win_buer_unpacked_w0 Create hunting rule
Author:	Rony (@r0ny_123)
Description:	detects Buer.

Rule name:	win_buer_w0 Create hunting rule
Author:	Rony (@r0ny_123)
Description:	detects Buer.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BuerLoader

xlsx 4eb3c8532bba0b5a1700272ea15e97b7779820e439983da3148f18ef2c160979

BuerLoader

exe 0b750c8206c470821e39e5250820a8076dba4d037eb98adee00ea865b97bb8e1

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1058882/

Link

https://threatfox.abuse.ch/ioc/3084/

Dropped by

SHA256 4eb3c8532bba0b5a1700272ea15e97b7779820e439983da3148f18ef2c160979

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/123595/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample