MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Neurevt


Vendor detections: 8



SHA256 hash: 03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6
SHA3-384 hash: 08925e1aa9a832f8c425909973eae7deec58f02a2621e79bc73631ec6dff13d04a9122659bfc4d868c95bcfa5b26efe8
SHA1 hash: da208bfa51ed091056f03dff8f1ba540472210d8
MD5 hash: 6ec77929d5f70f9bc4724d23ddbc2653
humanhash: pennsylvania-fanta-idaho-shade
File name: 6EC77929D5F70F9BC4724D23DDBC2653.exe
Signature: Neurevt
File size: 858'274 bytes
First seen: 2021-04-18 05:50:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep: 24576:t20gPgFKB1IVZQLvA4QxAVBbIcXuGiRsHQrL2z7q+:EKg1IVZQTCxAjIEc0Quze+
Threatray: 1'009 similar samples on MalwareBazaar
TLSH: 4505F1422680C17DDC632DB1D959A9F2A670BC35C616A44FB3E23F1977B5F93C202B62
Reporter: abuse_ch
Tags: exe Neurevt


abuse_ch
Neurevt C2:
http://russk17.icu/forum8/logout.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                    ThreatFox Reference
http://russk17.icu/forum8/logout.php   https://threatfox.abuse.ch/ioc/8852/

Intelligence


File Origin
# of uploads: 1
# of downloads: 142
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6EC77929D5F70F9BC4724D23DDBC2653.exe
Verdict: Malicious activity
Analysis date: 2021-04-18 05:54:08 UTC
Tags: trojan betabot

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a recently created file
Sending a UDP request
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Launching a service
Unauthorized injection to a browser process
DNS request
Sending an HTTP POST request
Changing a file
Deleting a recently created file
Creating a file in the %temp% directory
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Enabling autorun for a service
Firewall traversal
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing settings of the browser security zones
Unauthorized injection to a system process
Enabling autorun
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Betabot
Detection: malicious
Classification: phis.troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops batch files with force delete cmd (self deletion)
Early bird code injection technique detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected Betabot
Behaviour
Behavior Graph (ID 391185; sample 8xiF0lExRy.exe; start date 18/04/2021; architecture WINDOWS; score 100)

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 6 other signatures

Process tree (reconstructed from the graph):
8xiF0lExRy.exe (started)
  dropped: C:\booking\data\start1.bat (ASCII); C:\booking\data\K480101741BH.exe (PE32)
  signature: Drops batch files with force delete cmd (self deletion)
  wscript.exe (started)
    cmd.exe (started)
      signature: Uses cmd line tools excessively to alter registry or file data
      wscript.exe (started)
        cmd.exe (started)
          signatures: Early bird code injection technique detected; Uses cmd line tools excessively to alter registry or file data
          modylsid.exe (started)
            signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 2 other signatures
            modylsid.exe (started)
              signatures: Creates an undocumented autostart registry key; Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
              explorer.exe (started)
                network: amityestatelagos.com 198.54.126.145 (ports 443, 49718, 49719; NAMECHEAP-NET, US, United States); russk17.icu 172.241.27.185 (ports 49717, 49722, 49725; LEASEWEB-USA-DAL-10, US, United States); 192.168.2.1 (unknown)
                dropped: C:\Users\user\AppData\...\w95g1cgea7_1.exe (PE32); C:\Users\user\AppData\...\1aw9ak1w5sc5.exe (PE32)
                signatures: System process connects to network (likely due to code injection or exploit); Creates files in alternative data streams (ADS); Overwrites Windows DLL code with PUSH RET codes; 5 other signatures
                rOxLIucLdeuueRbIJ.exe (injected; 3 instances)
                  signatures: Hides threads from debuggers; Hides that the sample has been downloaded from the Internet (zone.identifier)
                2 other processes
          taskkill.exe (started; 2 instances)
          5 other processes
      K480101741BH.exe (started)
        dropped: C:\booking\data\modylsid.exe (PE32)
      conhost.exe (started)
      3 other processes
w95g1cgea7.exe (started)
  signatures: Sample uses process hollowing technique; Injects a PE file into a foreign processes
Result
Malware family: betabot
Score: 10/10
Tags: family:betabot backdoor botnet evasion persistence trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Modifies registry class
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Sets file execution options in registry
Sets file to hidden
BetaBot
Modifies firewall policy service
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox product IDs
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria
Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria
Rule name: VMware_detection_bin_mem
Author: James_inthe_box
Description: VMWare detection
Rule name: win_betabot_w0
Author: Venom23
Description: Neurevt Malware Sig

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-18 06:21:42 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0029.002] Cryptography Micro-objective::SHA1::Cryptographic Hash
2) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
3) [C0031.001] Cryptography Micro-objective::AES::Decrypt Data
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0032.001] Data Micro-objective::CRC32::Checksum
7) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
10) [C0046] File System Micro-objective::Create Directory
11) [C0048] File System Micro-objective::Delete Directory
12) [C0047] File System Micro-objective::Delete File
13) [C0049] File System Micro-objective::Get File Attributes
14) [C0051] File System Micro-objective::Read File
15) [C0050] File System Micro-objective::Set File Attributes
16) [C0052] File System Micro-objective::Writes File
17) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
18) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
19) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0040] Process Micro-objective::Allocate Thread Local Storage
23) [C0017] Process Micro-objective::Create Process
24) [C0038] Process Micro-objective::Create Thread
25) [C0041] Process Micro-objective::Set Thread Local Storage Value
26) [C0018] Process Micro-objective::Terminate Process