MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1a1988e6f043d0e73c9555ccaad2adb3683c22b0569fc0f6be24c3e4f8c82ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BuerLoader

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	c1a1988e6f043d0e73c9555ccaad2adb3683c22b0569fc0f6be24c3e4f8c82ff
SHA3-384 hash:	22288b8cf6ed4754f88213c3dbf7a8d955a5d98af703cccf23fe89d099330b3bfe81821f3ce2b142bc4e119a56262b44
SHA1 hash:	0c93576aeee786b1ef8818a56653d4c0e41a67df
MD5 hash:	cc0631f2ca59175c237e7fba06a7d533
humanhash:	cup-charlie-seventeen-finch
File name:	font.tiff.exe
Download:	download sample
Signature	BuerLoader Create hunting rule
File size:	241'152 bytes
First seen:	2021-01-26 18:37:38 UTC
Last seen:	2021-01-26 20:54:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	119a35f7068fc0ecc3a6bb69039ac25d (2 x BuerLoader)
ssdeep	3072:SPcPQfYjmvXTFC1cNkaw+VyUTg+7oJiHGLNHhqw5BSxZUSjR5/o+Qh3yQ:kcPQQj4RC1cNk3uZzwhjSxugTR
Threatray	946 similar samples on MalwareBazaar
TLSH	F034391236F1C032E2F359754A36C2B15E7BB8776979988EABC806790F267C1DE12317
Reporter	James_inthe_box
Tags:	BuerLoader exe

Intelligence

File Origin

# of uploads :

2

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

font.tiff.exe

Verdict:

No threats detected

Analysis date:

2021-01-26 18:40:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/eb579446-8de2-42d9-9c66-7feffb087614

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/113985/

Detection(s):

SecuriteInfo.com.Generic.mg.cc0631f2ca59175c.25900.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/591126

Signature

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1a1988e6f043d0e73c9555ccaad2adb3683c22b0569fc0f6be24c3e4f8c82ff/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2021-01-26 18:37:28 UTC

File Type:

PE (Exe)

Extracted files:

5

AV detection:

14 of 29 (48.28%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ygqzrdtpaq6q446jkvomvljk3m3ihqrlavu7yd3l4jgd4t4mql7q._file

Verdict:

malicious

Similar samples:

110832d77e7e042955d0bee350f739c3348b3c67ca6f690f02a487d28aefaff4

146bcd0d720f43d289c66d3a3cdc77e5e5a3d924174ee1993ac6db2cb0ca8026

1c8260f2d597cfc1922ca72162e1eb3f8272c2d18fa41d77b145d32256c0063d

2824d4b0e5a502416696b189bd840870a19dfd555b53535f20b0c87c95f4c232

593cf2c6d3140a5bf6bb6378aeadbc15abfa17691250e6ef1804d40534fd8a2e

6eb872c05e3839b491fc9515065fcb0eeb209b3981a1ee3e3140495f907db37c

b0a639215a6ea4dc14ffc7fbc6f3c102605d17008a51de477cb755e35794a8c0

b298ead0400aaf886dbe0a0720337e6f2efd5e2a3ac1a7e7da54fc7b6e4f4277

cc74c4b40c376a9aa78d6ebab83b9542fd1abd4d4800c4a0adfee13c9c58d4ed

eb9ed562ea848b9b3901a0d9cb2f9793115ba6dad9b2bf3929f75f9358ed2c23

+ 936 additional samples on MalwareBazaar

Result

Malware family:

buer

Score:

10/10

Tags:

family:buer loader

Link:

https://tria.ge/reports/210126-wq8yb2fmb2/

Behaviour

Buer Loader

Buer

Unpacked files

SH256 hash:

94410f71ed9b4c340f8b745ef6908588c0bc7524d504d471ac72cceb2cc7d1b2

MD5 hash:

0e72fbaff5477d76db39779e32ab31e8

SHA1 hash:

d60c7c1ddf6d628ae63aa836aad6c41212413d3c

Link:

https://www.unpac.me/results/7932e745-dc66-4577-8095-93320675d705/

SH256 hash:

c1a1988e6f043d0e73c9555ccaad2adb3683c22b0569fc0f6be24c3e4f8c82ff

MD5 hash:

cc0631f2ca59175c237e7fba06a7d533

SHA1 hash:

0c93576aeee786b1ef8818a56653d4c0e41a67df

Link:

https://www.unpac.me/results/7932e745-dc66-4577-8095-93320675d705/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c1a1988e6f043d0e73c9555ccaad2adb3683c22b0569fc0f6be24c3e4f8c82ff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/113985/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample