MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f829213a1f233378e8e9069adac865edfb8dd4a7e64998d273930c54ab258eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: 9f829213a1f233378e8e9069adac865edfb8dd4a7e64998d273930c54ab258eb
SHA3-384 hash: 6483610e2b7313e79de85e61672f429af9b02ea69d97e0a04dfded9d867e617d53150888ade03c5c772ffbdf3b4fbe9c
SHA1 hash: a4cecf005b0777ed740e4dc9671e87349e3017cc
MD5 hash: 69940b99a87df030b38ab4b04281d7ff
humanhash: snake-cardinal-zebra-nuts
File name: Customer Complaint letter NHBRC258812.PDF.exe
Download: download sample
Signature: Neurevt
File size: 337'408 bytes
First seen: 2020-07-31 11:43:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a8bc3115bb2e332ea23c586c1402327
ssdeep: 6144:ihLX8OwNJgQLq2OMwRacHL0Uy+3Czpv7z4I/fxE8NC0PG:QwOw/PGiAAY3gR4I6ay
TLSH: A274F128BE80C433D7A19070A515C771A73AA9316A218D4677381F7EAF353D2EB7734A
Reporter: @abuse_ch
Tags: exe Neurevt


Twitter
@abuse_ch
Malspam distributing Neurevt:

HELO: host.qualifairs.com
Sending IP: 85.25.130.41
From: NHBRC2@nhbrc.org.za
Subject: Customer Complaint letter // NHBRC258812
Attachment: Customer Complaint letter NHBRC258812.PDF.gz (contains "Customer Complaint letter NHBRC258812.PDF.exe")

Neurevt C2:
http://winqits.com/~zadmin/lk/dm/logout.php

Intelligence

File Origin
# of uploads: 1
# of downloads: 34
Origin country: US

Mail intelligence
Geo location: Global
Volume: Low
Vendor Threat Intelligence

Result
Threat name: Unknown
Detection: malicious
Classification: phis.evad
Score: 100 / 100

Signature
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Behaviour
Behavior Graph: [graph image not available in this extract; recoverable details: Behavior Graph ID 255338, sample "Customer Complaint letter NHBRC258812.PDF.exe", start date 31/07/2020, architecture WINDOWS, score 100. Network nodes: g.msn.com, asf-ris-prod-neurope.northeurope.cloudapp.azure.com, winqits.com (5.53.124.16, ports 49739/49744/49747, SELECTELRU, Russian Federation). Process nodes: Customer Complaint letter NHBRC258812.PDF.exe, ws71e3u15k3swk.exe, explorer.exe, glXLWOPzHHYSdEb.exe (injected). Signature nodes match the Signature list above.]
Threat name: Win32.Trojan.Glubpteba
Status: Malicious
First seen: 2020-07-31 11:44:07 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 5/5

Result
Malware family: betabot
Score: 10/10
Tags: evasion trojan backdoor botnet family:betabot

Behaviour
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled

BetaBot
Threat name: Malicious File
Score: 1.00

Yara Signatures


Rule name: win_betabot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_betabot_w0
Author: Venom23
Description: Neurevt Malware Sig

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neurevt

Executable exe 9f829213a1f233378e8e9069adac865edfb8dd4a7e64998d273930c54ab258eb (this sample)

Delivery method
Distributed via e-mail attachment

Comments