MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4f02f78b8d89ed5063773985d4ad7b4c9205417b34787fb945f739134a85a8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BuerLoader

Vendor detections: 6



SHA256 hash: f4f02f78b8d89ed5063773985d4ad7b4c9205417b34787fb945f739134a85a8b
SHA3-384 hash: 14c102b7dab3fcbaaca90c8dbd190e39edf2835f7e38e5eb2e312f568070effa9ca867a7f20df70327e6d7e93987444e
SHA1 hash: 9d0ee3d8896911c2743ff89c72c30639f0851f52
MD5 hash: e23246d5a16fd344dfd2fc7177d43890
humanhash: leopard-pennsylvania-carpet-indigo
File name: v.dll
Signature: BuerLoader
File size: 3'329'024 bytes
First seen: 2021-02-16 22:41:53 UTC
Last seen: 2021-02-17 20:47:23 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 7df22f0d37eecce615162afa855d2604 (1 x BuerLoader)
ssdeep: 49152:GYRxMUVRngWxp5Czu06spJDJXv2Suyic6346LE3Vtj2RwA+M:GuS0RnNYss5XvMy0346g3emA
Threatray: 16 similar samples on MalwareBazaar
TLSH: 2BF512B35A74120AD1E5CC39453BBDB5B1F546A38E82EDB86EDD5DC528328E4A303C87
Reporter: James_inthe_box
Tags: BuerLoader dll

Intelligence


File Origin
# of uploads: 3
# of downloads: 140
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Changing a file
DHCP request
Modifying a system file
DNS request
Sending an HTTP GET request
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Buer Loader
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Detected VMProtect packer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected Buer Loader
Behaviour
Behavior Graph: (image not reproduced in this text)
Threat name: Win32.Trojan.Mansabo
Status: Malicious
First seen: 2021-02-16 22:37:50 UTC
File Type: PE (Dll)
AV detection: 9 of 29 (31.03%)
Threat level: 5/5
Unpacked files
SHA256 hash: 56e68459238d8d322421ca78a2b811955ac515d80983e362bb837602014fc6de
MD5 hash: e8ade9242da7fe20e36342d30dc19677
SHA1 hash: b0d2df3e709b7ac0c404779f13bca85cb46a04ed
SHA256 hash: f4f02f78b8d89ed5063773985d4ad7b4c9205417b34787fb945f739134a85a8b
MD5 hash: e23246d5a16fd344dfd2fc7177d43890
SHA1 hash: 9d0ee3d8896911c2743ff89c72c30639f0851f52
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
