MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce8c56d52e1f156e13071b65cc73794b143f3f3714a26166e6600023b81ee2fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BuerLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce8c56d52e1f156e13071b65cc73794b143f3f3714a26166e6600023b81ee2fd
SHA3-384 hash: d6c011917580f8dc42edc37fb7f74c6d8fde7b67d2ccd53cd23568a6f5cd8c19747d52348e2bede73beb2386da569523
SHA1 hash: 8fb58404332ae956307e8ba5ec88e71000386bc2
MD5 hash: 7e061f92fd4e38ecaaea9335597d0379
humanhash: minnesota-uniform-montana-burger
File name:mal.bin
Download: download sample
Signature BuerLoader
Create hunting rule
File size:25'600 bytes
First seen:2021-01-28 16:03:15 UTC
Last seen:2021-01-28 18:02:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 64e57244a933449e63dd920fc286cd90 (1 x BuerLoader)
ssdeep 384:tMllEcTN/B7CVJOI8LsunKGK+Ep7sFNPP+Ceqz8Tqty+RJmHtOkAgnZ97SWJTa:+lNTNpC+ICL7aMNuCeMbtyiYf97tJT
Threatray 16 similar samples on MalwareBazaar
TLSH 58B28E82749AC4B7C2202B705FC9B912D3EC5F106577F2E6BB1C0CC86CB4B9A971A752
Reporter j_dubp
Tags:Buer BuerLoader


Avatar
j_dubp
XLS attachment (?i)[a-z]+\.[0-9]+\.xls with macro downloading 88.119.175.189/document.ssl

Intelligence

File Origin
# of uploads :
3
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mal.bin
Verdict:
No threats detected
Analysis date:
2021-01-28 16:00:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f4226a13-e747-48d8-a164-2e723084e8d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114257/
Detection(s):
SecuriteInfo.com.Trojan.BuerLoader.1.16046.10414.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/593082
Signature
Antivirus / Scanner detection for submitted sample
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce8c56d52e1f156e13071b65cc73794b143f3f3714a26166e6600023b81ee2fd/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2021-01-28 16:04:06 UTC
File Type:
PE (Exe)
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z2gfnvjod4kw4eyhdns4y43zjmkd6pzxcsrgczxgmaachoa64l6q._file
Verdict:
malicious
Similar samples:
146bcd0d720f43d289c66d3a3cdc77e5e5a3d924174ee1993ac6db2cb0ca8026
BuerLoader
2824d4b0e5a502416696b189bd840870a19dfd555b53535f20b0c87c95f4c232
BuerLoader
31c57541340693e7d17b176c8efef365db760bc80cc8a15fa0359cbd0fa3efa2
BuerLoader
6eb872c05e3839b491fc9515065fcb0eeb209b3981a1ee3e3140495f907db37c
BuerLoader
a98abbce5e84c4c3b67b7af3f9b4dc9704b5af33b6183fb3c192e26b1e0ca005
BuerLoader
ae3ac27e8303519cf04a053a424a0939ecc3905a9a62f33bae3a29f069251b1f
BuerLoader
b0a639215a6ea4dc14ffc7fbc6f3c102605d17008a51de477cb755e35794a8c0
BuerLoader
b298ead0400aaf886dbe0a0720337e6f2efd5e2a3ac1a7e7da54fc7b6e4f4277
BuerLoader
c1a1988e6f043d0e73c9555ccaad2adb3683c22b0569fc0f6be24c3e4f8c82ff
BuerLoader
cc74c4b40c376a9aa78d6ebab83b9542fd1abd4d4800c4a0adfee13c9c58d4ed
BuerLoader
+ 6 additional samples on MalwareBazaar
Result
Malware family:
buer
Create hunting rule
Score:
  10/10
Tags:
family:buer
Link:
https://tria.ge/reports/210128-hz4z2hzf6a/
Unpacked files
SH256 hash:
ce8c56d52e1f156e13071b65cc73794b143f3f3714a26166e6600023b81ee2fd
MD5 hash:
7e061f92fd4e38ecaaea9335597d0379
SHA1 hash:
8fb58404332ae956307e8ba5ec88e71000386bc2
Link:
https://www.unpac.me/results/4342509c-24dd-4746-b563-912542ac0e27/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.62
Link:
https://yomi.yoroi.company/submissions/ce8c56d52e1f156e13071b65cc73794b143f3f3714a26166e6600023b81ee2fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BuerLoader
Create hunting rule
Author:Brandon George
Description:Yara rules for the updated and unpacked payload of BuerLoader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BuerLoader

Executable exe ce8c56d52e1f156e13071b65cc73794b143f3f3714a26166e6600023b81ee2fd

(this sample)

anyrun
any.run
https://app.any.run/tasks/f4226a13-e747-48d8-a164-2e723084e8d1
Cape
Cape
https://www.capesandbox.com/analysis/114257/
  
URLhaus
https://urlhaus.abuse.ch/url/981952/
  
Delivery method
Distributed via web download

Comments