MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BuerLoader

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894
SHA3-384 hash:	6f31e71313acf4ccfdf259d3fd8a73e954c708607d6b82a0b302287b11d08245862b76ec97fa9ea1e81a4b7dec12e20e
SHA1 hash:	ddc6f577463ff140e525cf7f4a4f083406acd1f4
MD5 hash:	a81d104e7bb627a4d3a0f0b823e17581
humanhash:	asparagus-hydrogen-early-emma
File name:	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894
Download:	download sample
Signature	BuerLoader Create hunting rule
File size:	393'216 bytes
First seen:	2020-09-16 16:42:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:ad+I/yqyVBiwIbAVWxWGHGJEFMi9B3FPVNM+zZDGJBq6TIKVxUg4MlEs2dfYp:0yqyRIEVwWGHGJEii9B3p8+zBGJBpDVS
Threatray	67 similar samples on MalwareBazaar
TLSH	238423277BCC8758C5E5C7F82C3DB14447717A9988A9EB658E8260E712C7B04CA71F1B
Reporter	JAMESWT_WT
Tags:	BuerLoader

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/62322/

Detection(s):

SecuriteInfo.com.W32.Trojan-7.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/468182

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-29 09:40:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4khx67xsnwia5cjgqhtzpfpjhyw5ec5r53iwfxyyltcrp2jvcka._file

Verdict:

malicious

BuerLoader

1bf67b967c8397bfab22e326bce6efa64c647206102d4753569ba1abb538d685

BuerLoader

444338fed0f0499fb9d5a4862b64386472c22329aa75f6c544c6d37b8b5a629f

BuerLoader

5c48cd3f4eba017d3a0aea873a3ca3bc61bcdc3aa6a52727ee1236ddb885604d

BuerLoader

a2938e6462b02115d0579cb8a4294626eb792a781b68175844a5fb26ae6de0b6

BuerLoader

bd6650220b7fa539c937c4008df96914a86b1cbaa0098588a9b4ec0175f0c679

BuerLoader

cb26b474b4f7be86dc5bf39c595a93d1e3353bd25312d83249dc4e1097df2f3e

BuerLoader

dfe001ed1950d612ea59a75c6367629ff0e031853e9f7a12b7f0381a4f20660f

BuerLoader

fafa7913ac9ff3330896a63b8db3d8e8f88e35a10de8a96dafa570ed29b537d6

BuerLoader

fb80c2113b1bf08db1c5f3997c9787f5b819418473975c4a370e4c5cebfa3b7f

BuerLoader

+ 57 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/200916-69x7jsswgj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Enumerates connected drives

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	win_buer_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_sisfader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/62322/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample