win.buer (Back to overview)

Buer

aka: Buerloader

Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019.

References
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{RANSOMWARE UNCOVERED 2020—2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-04-16} } RANSOMWARE UNCOVERED 2020—2021
RansomEXX BazarBackdoor Buer Clop Conti Ransomware DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-25ANSSICERT-FR
@techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware
BazarBackdoor Buer Conti Ransomware Emotet Ryuk TrickBot
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-18Minerva LabsEddy Bobritsky
@online{bobritsky:20201118:stopping:e5c486b, author = {Eddy Bobritsky}, title = {{Stopping BuerLoader With Minerva Lab's Hostile Environment Simulation module}}, date = {2020-11-18}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/stopping-buerloader}, language = {English}, urldate = {2020-11-19} } Stopping BuerLoader With Minerva Lab's Hostile Environment Simulation module
Buer
2020-11-09Area 1Threat Research Team
@online{team:20201109:phishing:a25a567, author = {Threat Research Team}, title = {{Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware}}, date = {2020-11-09}, organization = {Area 1}, url = {https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/}, language = {English}, urldate = {2020-11-18} } Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware
BazarBackdoor Buer
2020-10-29Twitter (@SophosLabs)SophosLabs
@online{sophoslabs:20201029:similarities:408a640, author = {SophosLabs}, title = {{Tweet on similarities between BUER in-memory loader & RYUK in-memory loader}}, date = {2020-10-29}, organization = {Twitter (@SophosLabs)}, url = {https://twitter.com/SophosLabs/status/1321844306970251265}, language = {English}, urldate = {2020-11-02} } Tweet on similarities between BUER in-memory loader & RYUK in-memory loader
Buer Ryuk
2020-10-28SophosLabs UncutSean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos
@online{gallagher:20201028:hacks:8e1d051, author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearny and Anand Ajjan and Brett Cove and Gabor Szappanos}, title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}}, date = {2020-10-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/}, language = {English}, urldate = {2020-11-02} } Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader
2020-09-29ZscalerMohd Sadique, Atinderpal Singh
@online{sadique:20200929:spear:de79be6, author = {Mohd Sadique and Atinderpal Singh}, title = {{Spear Phishing Campaign Delivers Buer and Bazar Malware}}, date = {2020-09-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware}, language = {English}, urldate = {2020-10-15} } Spear Phishing Campaign Delivers Buer and Bazar Malware
BazarBackdoor Buer
2020-03-05Kaspersky LabsAMR
@online{amr:20200305:mokes:698295f, author = {AMR}, title = {{Mokes and Buerak distributed under the guise of security certificates}}, date = {2020-03-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/}, language = {English}, urldate = {2020-03-09} } Mokes and Buerak distributed under the guise of security certificates
Buer Mokes
2019-12-05KrabsOnSecurityMr. Krabs
@online{krabs:20191205:buer:9c3cf72, author = {Mr. Krabs}, title = {{Buer Loader, new Russian loader on the market with interesting persistence}}, date = {2019-12-05}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/}, language = {English}, urldate = {2020-01-08} } Buer Loader, new Russian loader on the market with interesting persistence
Buer
2019-12-04ProofpointKelsey Merriman, Dennis Schwarz, Kafeine, Axel F
@online{merriman:20191204:buer:6c413aa, author = {Kelsey Merriman and Dennis Schwarz and Kafeine and Axel F}, title = {{Buer, a new loader emerges in the underground marketplace}}, date = {2019-12-04}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace}, language = {English}, urldate = {2020-01-06} } Buer, a new loader emerges in the underground marketplace
Buer
2019-10-10Twitter (@StopMalvertisin)Kimberly
@online{kimberly:20191010:malware:032ed3c, author = {Kimberly}, title = {{Tweet on Malware Sample}}, date = {2019-10-10}, organization = {Twitter (@StopMalvertisin)}, url = {https://twitter.com/StopMalvertisin/status/1182505434231398401}, language = {English}, urldate = {2020-01-10} } Tweet on Malware Sample
Buer
Yara Rules
[TLP:WHITE] win_buer_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_buer_auto {
    // Auto-generated Malpedia signature for the Buer downloader (win.buer).
    // Every $sequence_N below is a short run of x86 instruction bytes taken
    // from unpacked files and memory dumps (see the DISCLAIMER), so the rule
    // targets unpacked code and will likely not hit packed samples on disk.
    // The "date" and "malpedia_version" metadata differ (2020-12-22 vs
    // 20201023); presumably the rule was regenerated against the older sample
    // set — confirm against the Malpedia record before citing either value.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Reading the sequences: "n" is the number of instructions in the
        // sequence; "score" is yara-signator's internal ranking and is not
        // defined on this page. Bytes written as ???????? are YARA wildcards;
        // here they sit where call/jmp/absolute-mov instructions carry a
        // 32-bit operand (the disassembly column is left blank for them), so
        // relocated addresses and import thunks do not break the match.
        $sequence_0 = { 8955fc 6a0a 8bd9 668945f8 8d7df8 }
            // n = 5, score = 600
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   6a0a                 | push                0xa
            //   8bd9                 | mov                 ebx, ecx
            //   668945f8             | mov                 word ptr [ebp - 8], ax
            //   8d7df8               | lea                 edi, [ebp - 8]

        $sequence_1 = { 33db 897df8 8955fc 8945d8 894de4 eb03 }
            // n = 6, score = 600
            //   33db                 | xor                 ebx, ebx
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   eb03                 | jmp                 5

        $sequence_2 = { 8b45fc 5f 85c0 7905 }
            // n = 4, score = 600
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   85c0                 | test                eax, eax
            //   7905                 | jns                 7

        $sequence_3 = { 51 8bfa ff15???????? 8bf0 59 59 }
            // n = 6, score = 600
            //   51                   | push                ecx
            //   8bfa                 | mov                 edi, edx
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_4 = { 40 eb0d 8935???????? e9???????? }
            // n = 4, score = 600
            //   40                   | inc                 eax
            //   eb0d                 | jmp                 0xf
            //   8935????????         |                     
            //   e9????????           |                     

        $sequence_5 = { e8???????? 8bc8 85c9 740b 57 8bd6 e8???????? }
            // n = 7, score = 600
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   85c9                 | test                ecx, ecx
            //   740b                 | je                  0xd
            //   57                   | push                edi
            //   8bd6                 | mov                 edx, esi
            //   e8????????           |                     

        $sequence_6 = { 750f ff15???????? 83f803 7504 33c0 eb2a 6800800000 }
            // n = 7, score = 600
            //   750f                 | jne                 0x11
            //   ff15????????         |                     
            //   83f803               | cmp                 eax, 3
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb2a                 | jmp                 0x2c
            //   6800800000           | push                0x8000

        $sequence_7 = { 894150 8b45ec 0345d4 01515c }
            // n = 4, score = 600
            //   894150               | mov                 dword ptr [ecx + 0x50], eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   0345d4               | add                 eax, dword ptr [ebp - 0x2c]
            //   01515c               | add                 dword ptr [ecx + 0x5c], edx

        // Sequences 8-15 carry a lower score (100) than 0-7 (600); the page
        // does not say how the score is derived, so treat the ranking as
        // informational only.
        $sequence_8 = { c745e403000000 c745fc01000000 eb69 395dd8 0f855a010000 c745e402000000 895dfc }
            // n = 7, score = 100
            //   c745e403000000       | mov                 dword ptr [ebp - 0x1c], 3
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   eb69                 | jmp                 0x6b
            //   395dd8               | cmp                 dword ptr [ebp - 0x28], ebx
            //   0f855a010000         | jne                 0x160
            //   c745e402000000       | mov                 dword ptr [ebp - 0x1c], 2
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        $sequence_9 = { 8365fc00 53 8b5d08 56 57 8b8310080000 }
            // n = 6, score = 100
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   53                   | push                ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b8310080000         | mov                 eax, dword ptr [ebx + 0x810]

        $sequence_10 = { 40 6a06 59 e9???????? 8d45f8 50 e8???????? }
            // n = 7, score = 100
            //   40                   | inc                 eax
            //   6a06                 | push                6
            //   59                   | pop                 ecx
            //   e9????????           |                     
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_11 = { 7461 83e805 7434 48 7419 83e816 0f8573010000 }
            // n = 7, score = 100
            //   7461                 | je                  0x63
            //   83e805               | sub                 eax, 5
            //   7434                 | je                  0x36
            //   48                   | dec                 eax
            //   7419                 | je                  0x1b
            //   83e816               | sub                 eax, 0x16
            //   0f8573010000         | jne                 0x179

        $sequence_12 = { 33c0 5e c3 8b442404 837c240801 a3???????? 7540 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   837c240801           | cmp                 dword ptr [esp + 8], 1
            //   a3????????           |                     
            //   7540                 | jne                 0x42

        $sequence_13 = { 48 0f8518040000 83f96e 0f8fee000000 0f84e4000000 83e921 }
            // n = 6, score = 100
            //   48                   | dec                 eax
            //   0f8518040000         | jne                 0x41e
            //   83f96e               | cmp                 ecx, 0x6e
            //   0f8fee000000         | jg                  0xf4
            //   0f84e4000000         | je                  0xea
            //   83e921               | sub                 ecx, 0x21

        $sequence_14 = { 750a 50 ff15???????? 8945fc 8b830c080000 83ff01 8945f8 }
            // n = 7, score = 100
            //   750a                 | jne                 0xc
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b830c080000         | mov                 eax, dword ptr [ebx + 0x80c]
            //   83ff01               | cmp                 edi, 1
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_15 = { 6a19 5b e9???????? 8ac2 }
            // n = 4, score = 100
            //   6a19                 | push                0x19
            //   5b                   | pop                 ebx
            //   e9????????           |                     
            //   8ac2                 | mov                 al, dl

    condition:
        // Fire when at least 7 of the 16 sequences occur in a scanned object
        // smaller than 98304 bytes (96 KiB). The size bound is presumably a
        // cheap pre-filter tied to the documented samples; a larger build,
        // or a memory region where the scanner reports filesize differently,
        // will fall outside it even if the sequences are present — confirm
        // how your scanner populates filesize before relying on this bound.
        7 of them and filesize < 98304
}