MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a3500c94f6cf1ef29514983f480de931dbc60d094bfac655f8ec3702809bc6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a3500c94f6cf1ef29514983f480de931dbc60d094bfac655f8ec3702809bc6f
SHA3-384 hash: f50c29a1622ef050d8a37222326f78fc8e624fdcc32b4727abea52206e0eeed199670ddd830749eead1982bdac51f0c4
SHA1 hash: a66d942694360e61e125111a1e0d1eef2f529214
MD5 hash: d5e56989ba726d84e9150e78266509df
humanhash: snake-minnesota-whiskey-mockingbird
File name:me.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:484'594 bytes
First seen:2020-09-04 09:25:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 12288:7anM6BqmA9jkKgUt0GYsfkGKAilARFetO32xVARFdM:ZQqXBkKgsIs8dRARQJxV8C
TLSH 1AA423432360E5BBCD22C6F013762E65BFBB68541522A50B67503A2F7E73D83D61EA12
Reporter abuse_ch
Tags:BetaBot exe Neurevt SendGrid


Avatar
abuse_ch
Malspam distributing Neurevt:

HELO: wrqvxfbf.outbound-mail.sendgrid.net
Sending IP: 149.72.175.191
From: Nancy fanny <ckqjuyoaj@em9595.arctictrading.com.au>
Subject: Proforma invoice needed Urgently.
Attachment: PO-1364774 Final.xlsx

Neurevt payload URL:
http://eastexs.com/~zadmin/div/me.exe

Neurevt C2:
http://eastexs.com/~zadmin/lk/zp/logout.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'843
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/55697/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Adding an access-denied ACE
Moving a system file
Creating a window
Unauthorized injection to a browser process
DNS request
Changing a file
Forced shutdown of a system process
Enabling autorun for a service
Firewall traversal
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing settings of the browser security zones
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun
Sending an HTTP POST request to an infection source
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a3500c94f6cf1ef29514983f480de931dbc60d094bfac655f8ec3702809bc6f/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-09-04 09:27:06 UTC
File Type:
PE (Exe)
Extracted files:
115
AV detection:
33 of 48 (68.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bi2qbskpnty66kkrjgb7jag6smo3yygqss72yzk7r3bxakajxrxq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200904-wg6fdd286a/
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a3500c94f6cf1ef29514983f480de931dbc60d094bfac655f8ec3702809bc6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_betabot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_betabot_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_betabot_w0
Create hunting rule
Author:Venom23
Description:Neurevt Malware Sig
Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neurevt

Excel file xlsx 66b8e804eda79f364e6cd2ee2fdd967f199a1fe3dd7440e8c0ff313568f74531

Neurevt

Executable exe 0a3500c94f6cf1ef29514983f480de931dbc60d094bfac655f8ec3702809bc6f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/453154/
  
Dropped by
MD5 2efbf412cd56c2203e8548512a68ef51
  
Dropped by
SHA256 66b8e804eda79f364e6cd2ee2fdd967f199a1fe3dd7440e8c0ff313568f74531
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/55697/

Comments