MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BuerLoader

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283
SHA3-384 hash:	51b875d0371cf8be08d5599a075a551a6b1f24ef7e38913193aedd144c459662c3e987a4721047d51fdad488f7da2f21
SHA1 hash:	e8157d7e277ccf04de3476c1845cd597c112786e
MD5 hash:	19ca9bf5eebc9e2f0bd3230f262348fd
humanhash:	fifteen-montana-leopard-eight
File name:	ServApi.exe
Download:	download sample
Signature	BuerLoader Create hunting rule
File size:	287'953 bytes
First seen:	2021-03-02 20:22:46 UTC
Last seen:	2021-03-03 00:16:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep	3072:pomnzVincQDKgcxXgnQiQlo4SssssIkHY/a4ojbNUvP7HSun:ptZtXgnQiKo4+YQKrSM
TLSH	7F54A13863F0A752D075423147E2C5346AE15F28DEE1C30BE2B42E19BB56ED93D8A64F
Reporter	Scoobs_McGee
Tags:	BuerLoader exe

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

order 693921 Parcel.msg

Verdict:

Malicious activity

Analysis date:

2021-03-02 19:10:25 UTC

Tags:

loader buerloader

Link:

https://app.any.run/tasks/338a603f-523b-4379-a4df-c4531c94eafd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

BuerLoader

Link:

https://www.capesandbox.com/analysis/121159/

Detection(s):

PUA.Win.Downloader.Soft32downloader-6691270-0

SecuriteInfo.com.Trojan.GenericKD.42220477.4087.19311.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %AppData% subdirectories

Creating a file in the %AppData% directory

Creating a file in the %temp% subdirectories

Sending a UDP request

Unauthorized injection to a recently created process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Buer Loader

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/624817

Signature

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected Buer Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283/

Threat name:

Win32.Trojan.BazarLoader

Status:

Malicious

First seen:

2021-03-02 20:23:14 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6kuihihewaohfmhqmpptxznacaxfzd525xbzzdjvyyzleaczskbq._file

Result

Malware family:

buer

Score:

10/10

Tags:

family:buer loader

Link:

https://tria.ge/reports/210302-mgpzzr767e/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Buer Loader

Buer

Malware Config

C2 Extraction:

wfstuvejptbo/dpn

Unpacked files

SH256 hash:

ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

MD5 hash:

0063d48afe5a0cdc02833145667b6641

SHA1 hash:

e7eb614805d183ecb1127c62decb1a6be1b4f7a8

Detections:

win_buer_auto

Link:

https://www.unpac.me/results/89612d3f-46af-4f16-82a5-84a8e555e045/

Parent samples :

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
045a7318a9e2e550208c0c7e9fc805068df19fa73823ac3acaa049a46c4045ee
f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283
dffefbde27442b9095388b1871ffdc101c430b9a814138be4f962328a5b73fde
e0fb60da371912c158861c9660632d58e45cfcff12351cc9e03f497f319eb5de
904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a

SH256 hash:

cd831954ce6fc85d669dd7d64f38213dd1574117da59ef8412c17ce928010078

MD5 hash:

df3a680a134f421e7042b12ac937d8fc

SHA1 hash:

be27c18d314044c0b5d3e58f84b0096515bc8a6b

Detections:

win_buer_w0

Link:

https://www.unpac.me/results/89612d3f-46af-4f16-82a5-84a8e555e045/

SH256 hash:

f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283

MD5 hash:

19ca9bf5eebc9e2f0bd3230f262348fd

SHA1 hash:

e8157d7e277ccf04de3476c1845cd597c112786e

Link:

https://www.unpac.me/results/89612d3f-46af-4f16-82a5-84a8e555e045/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	BuerLoader Create hunting rule
Author:	Brandon George
Description:	Yara rules for the updated and unpacked payload of BuerLoader

Rule name:	SUSP_NullSoftInst_Combo_Oct20_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious NullSoft Installer combination with common Copyright strings
Reference:	https://twitter.com/malwrhunterteam/status/1313023627177193472