MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85d4e3e3b7b8a330e04fe4a3a568f909b795e1c10fa824c49178462bead48d17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: BuerLoader
Vendor detections: 8

SHA256 hash: 85d4e3e3b7b8a330e04fe4a3a568f909b795e1c10fa824c49178462bead48d17
SHA3-384 hash: ac6781307247eb5c62f00d9644d56f4a266cec976df97273adda82223bf9cfaf25bad82d221ee7148fa403771135a46e
SHA1 hash: 5fcf7c5bedb99fcc7edd7625c4b53eb1aa3c0267
MD5 hash: 3b814512f5c7b9618f9f6b9016f6b47e
humanhash: sodium-stream-finch-cardinal
File name: ZYDWv529R2h4111guEc.xlsm
Signature: BuerLoader
File size: 489'551 bytes
First seen: 2020-12-01 09:14:19 UTC
Last seen: 2020-12-01 11:07:04 UTC
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 6144:kdia7pURj7WvC9s7gQIdF/20bwbSvG4WSIUKy7CNtRX7gDNwI3DfFKgQ7JlZ:kneDbwbSvG4L7otRX7gDNwIzfFKg4Jz
TLSH: E3A4BFAB738BB34BDB6938790A8A494335F57F10346A2BF5E93BAA44D3E6117010D74C
Reporter: ffforward
Tags: Buer xlsm

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained using oletools and oledump.

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) from the OLE objects embedded in this file using olevba. The following information was found:

Type         Keyword          Description
Suspicious   Hex Strings      Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious   Base64 Strings   Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 2
# of downloads: 155
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Creating a window
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Launching a process by exploiting the app vulnerability

Result
Verdict: Malicious
File Type: OOXML Excel File with Excel4Macro
Payload URLs:
URL: http://149.3.170.235/qw-fad/host.exe
File name: sharedStrings.xml

Result
Verdict: MALICIOUS
Details:
IPv4 Dotted Quad URL: A URL was detected referencing a direct IP address, as opposed to a domain name.
Macro Execution Coercion: Detected a document that appears to social engineer the user into activating embedded logic.
Autostarting Excel Macro Sheet: Excel contains Macrosheet logic that will trigger automatically upon document open.
Document With No Content: Document contains little or no semantic information.

Result
Threat name: Hidden Macro 4.0
Detection: malicious
Classification: expl.evad
Score: 96 / 100
Signature:
Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found abnormal large hidden Excel 4.0 Macro sheet
Maps a DLL or memory area into another process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Tries to detect virtualization through RDTSC time measurements

Threat name: Document-Office.Downloader.SLoad
Status: Malicious
First seen: 2020-12-01 09:15:09 UTC
AV detection: 10 of 28 (35.71%)
Threat level: 3/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
NSIS installer
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Microsoft_XLSX_with_Macrosheet

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Signature: BuerLoader
File type: Excel file xlsm
SHA256 hash: 85d4e3e3b7b8a330e04fe4a3a568f909b795e1c10fa824c49178462bead48d17 (this sample)
Delivery method: Distributed via e-mail attachment
