MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c7f43434e5db8703c0a47dedeeab976159d8704bfbe2e4ff65405f38d508e9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BuerLoader

Vendor detections: 5

Intelligence 5 IOCs YARA 4 File information Comments

SHA256 hash:	6c7f43434e5db8703c0a47dedeeab976159d8704bfbe2e4ff65405f38d508e9d
SHA3-384 hash:	fd6b2021c4b0b941062b10ed60a30965143e9f133299158938fb6ee79c91a855e1d185158d28287c88b5dc9c961880f1
SHA1 hash:	123f9a7487cd0fdd772f0e7bb19e70d1ee3a32e7
MD5 hash:	8b44470c7ff69ae671ff6e04550ee15f
humanhash:	six-glucose-johnny-nevada
File name:	6c7f43434e5db8703c0a47dedeeab976159d8704bfbe2e4ff65405f38d508e9d
Download:	download sample
Signature	BuerLoader Create hunting rule
File size:	613'040 bytes
First seen:	2020-09-23 06:27:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	08bf4786ffac62581b203b708e0646ca (1 x BuerLoader)
ssdeep	12288:CTGH1xeTanpp9tmq7sXV6ZwnNrlnButp4aCiUOREDw:CibmqYcZwnNRH4R9
Threatray	37 similar samples on MalwareBazaar
TLSH	BED45B146990407BDDF130F981EDBB20045C68F81B22D7E7BA8877E7F6217C1A63766A
Reporter	JAMESWT_WT
Tags:	BuerLoader NEEDCODE SP Z O O signed

Code Signing Certificate

Organisation:	DigiCert High Assurance EV Root CA
Issuer:	DigiCert High Assurance EV Root CA
Algorithm:	sha1WithRSAEncryption
Valid from:	Nov 10 00:00:00 2006 GMT
Valid to:	Nov 10 00:00:00 2031 GMT
Serial number:	02AC5C266A0B409B8F0B79F2AE462577
Intelligence:	204 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/64694/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Launching a process

Creating a process with a hidden window

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/473026

Signature

Contains functionality to inject code into remote processes

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6c7f43434e5db8703c0a47dedeeab976159d8704bfbe2e4ff65405f38d508e9d/

Threat name:

Win32.Trojan.Emotet

Status:

Malicious

First seen:

2020-09-22 20:24:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

33 of 48 (68.75%)

Threat level:

5/5

Verdict:

malicious

BuerLoader

3d994a2f80a63f31bf56ddded5ed35f020c40c0324b3ab1935e08b15c25ba017

BuerLoader

5942b57d50e389ec7be01bd5b4007249e3755064fe156941dfbe310f7fa53a73

BuerLoader

67c08d2a21a3ade47ed790aa65ef7cbb117e32300b432f5be97d5ff13c745247

BuerLoader

68a83d0a3bfcd1bcebf35eeba2bd778b2b64516f73cb2932ad9e6e4667dd9781

BuerLoader

94ba896b284005a58298806bba47f725cdcaa1816b3c79226639cb145bf16886

BuerLoader

a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704

BuerLoader

a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0

BuerLoader

dee6a220c1a2a3a53361c929e903744b78a751b93c38405e629aae4c16d1e597

BuerLoader

df638bde1ffafcfb7a25fe30b631d549299f9502f23efc47fc5efaa118e96b97

BuerLoader

+ 27 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/200923-xa32lpxv26/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates connected drives

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Emotet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6c7f43434e5db8703c0a47dedeeab976159d8704bfbe2e4ff65405f38d508e9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	win_buer_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_buer_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

Rule name:	win_sisfader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/64694/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample