MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94ba896b284005a58298806bba47f725cdcaa1816b3c79226639cb145bf16886. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BuerLoader

Vendor detections: 7

SHA256 hash: 94ba896b284005a58298806bba47f725cdcaa1816b3c79226639cb145bf16886
SHA3-384 hash: e5c2c98f1c2dd4e47ccb9a06b80ee1ddcc66e8cf247b31363e47977d1f3311a5b5fcce2e3c567b9c2ceb7843766077c0
SHA1 hash: 3509a916a873351ab23bc671cce5ca9aa3299e62
MD5 hash: 96878fda61a76395aafa16a6150b0fe1
humanhash: alpha-thirteen-comet-shade
File name: Docum_nt_Pr_view.exe
Signature: BuerLoader
File size: 726'200 bytes
First seen: 2020-09-18 13:41:03 UTC
Last seen: 2020-09-19 10:23:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5e8deb7d6f88abe87a4e9cda42a5bc6a (1 x BuerLoader)
ssdeep: 12288:skkB0IBUT4cicLtJAXqL2+uiN9mTqFcsTmjuHQdCgfRm:hkB0IB64cicLtJAXqL6qFrooQ+
Threatray: 1 similar samples on MalwareBazaar
TLSH: 4BF42829FB8B25F5E60367728A5FE23B9B207A194022FF7FFF4A1A0994721173C11591
Reporter: James_inthe_box
Tags: BuerLoader exe

Code Signing Certificate

Organisation: DigiCert High Assurance EV Root CA
Issuer: DigiCert High Assurance EV Root CA
Algorithm: sha1WithRSAEncryption
Valid from: Nov 10 00:00:00 2006 GMT
Valid to: Nov 10 00:00:00 2031 GMT
Serial number: 02AC5C266A0B409B8F0B79F2AE462577
Intelligence: 204 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 3
# of downloads: 106
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Deleting of the original file
Enabling autorun
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 64 / 100
Signature
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 287425; sample Docum_nt_Pr_view.exe; start date 18/09/2020; architecture WINDOWS; score 64):
Docum_nt_Pr_view.exe started (signature: Multi AV Scanner detection for submitted file); dropped C:\ProgramData\...\gennt.exe (PE32); started gennt.exe and conhost.exe
gennt.exe started (signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Contains functionality to inject code into remote processes); started powershell.exe and conhost.exe
powershell.exe started conhost.exe
gennt.exe also started directly from the sample root; started conhost.exe
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-09-18 08:43:53 UTC
File Type: PE (Exe)
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Verdict: malicious
Label(s): trickbot
Result
Malware family: n/a
Score: 10/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Deletes itself
Executes dropped EXE
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments