Threat Intelligence – Buerloader Malware Latest IOCs

0

Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019. As observed, Below are the latest indicators of compromise.


Credits : Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION: BUERLOADER

EMAIL SUBJECTS OBSERVED
order 06688 Package
order 230126 Parcel
order 23279192 Parcel
order 257502 Parcel
order 3490948 Package
order 4260217 Package
order 4342788 Package
order 4556088 Parcel
order 47433 Parcel
order 599800 Parcel
order 6123190 Parcel
order 76225024 Package
order 921751 Package
order 98927189 Parcel
order 99272 Parcel

EMAIL SENDERS OBSERVED
[email protected] [.]com
[email protected] [.]com
[email protected] [.]net
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]net
[email protected] [.]com
[email protected] [.]net
[email protected] [.]net
[email protected] [.]com
[email protected] [.]net
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com

BUERLOADER MALDOC FILE HASHES
invoice [.]jnlp
67e9e29dde633fc31d03a9075c53788d

2021invoice [.]jnlp
e38e0a050e1d1e47b5b9e30c65c6593e

invoice [.]jar
cee1f62d1cf8c508faf263d61e6cf27f

BUERLOADER PAYLOAD DOWNLOAD
http://invoicesecure [.]net/documents/invoice [.]jar
http://pdfsecure [.]net/docs/2021invoice [.]jar
http://invoicesecure [.]net/img/footer [.]jpg

BUERLOADER PAYLOAD FILE HASHES
footer [.]jpg
19ca9bf5eebc9e2f0bd3230f262348fd

drvr32 [.]exe
19ca9bf5eebc9e2f0bd3230f262348fd

BUERLOADER C2
http://verstudiosan [.]com/

SUPPORTING EVIDENCE
https://app [.]any [.]run/tasks/1e73e6b5-1f70-4a00-a131-a5d34561c4df/


Previous articleTrickbot IOC list -2021
Next articleThreat Intelligence – HANCITOR Malware Latest IOCs
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here