2021-02-01 Buerloader IOCs

1. THREAT ATTRIBUTION: BUERLOADER
2.  
3. ANALYST NOTES
4. Upon opening the .xls file, I got a "circular reference" warning alert box.
5. The spreadsheet has an image that says "GlobalSign PKI Secure".
6. Enabling macros in the spreadsheet creates a folder named "BlockSt" on the root of the C: drive.
7. One of the payload download urls that I had was down but the second one was still available.
8. After downloading the file, it's renamed to "Winword.exe" and launched.
9. I saw C2 traffic in the form of POST data and with a user agent of "aaaa".
10. The data are mostly POSTed as key/value pairs.
11. The C2 traffic that I saw was just sent over port 80 (http).
12.  
13. SUBJECTS OBSERVED
14. order 15973702 Parcel
15. order 26753235 Package
16. order 53960152 Parcel
17. order 7051954 Package
18. order 8596082 Package
19.  
20. SENDERS OBSERVED
21. [email protected]
22. [email protected]
23. [email protected]
24. [email protected]
25. [email protected]
26.  
27. BUERLOADER MALDOC FILE HASHES
28. Invoice626914.xls
29. 7ec855b49f5bfe392d1443476d5fc8c2
30.  
31. Invoice144009.xls
32. 8916813eb4de23e8f1fb0df11ca89837
33.  
34. INV856686.xls
35. e859858784ac3dea61a08492f439f16d
36.  
37. INV854614.xls
38. 92d9e69157d22f81252d89cffeb8861e
39.  
40. BUERLOADER PAYLOAD FILE HASHES
41. private.png
42. f7fc343cbf86f08c7b529ab451677752
43.  
44. c:\BlockSt\winword.exe
45. f7fc343cbf86f08c7b529ab451677752
46.  
47. BUERLOADER PAYLOAD
48. http://213.252.244.176/dw.pm
49. https://eshop.hydrotech.com.gr/wp-admin/images/private.png
50.  
51. hydrotech.com.gr
52.  
53. BUERLOADER C2
54. http://tokacpebanking.com
55.  
56. SUPPORTING EVIDENCE
57. https://urlhaus.abuse.ch/url/986773/