MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 144c0621ca5ecb402de01d8f10044f92a2ef917522e4b4955f3760bb17095bac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 144c0621ca5ecb402de01d8f10044f92a2ef917522e4b4955f3760bb17095bac
SHA3-384 hash: 7e6f6438eeb627b17c40abf66cfbf775f270581c5c7d3f48fd449d4365ccf8c1b5e2c07a74f9887df8628a107f341469
SHA1 hash: 25449ec8c765f94ffc284022374a9139dc46ebef
MD5 hash: c46f1a56503f218c2977b4b42f5aa84b
humanhash: hydrogen-music-foxtrot-harry
File name:144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:570'880 bytes
First seen:2021-08-01 11:00:42 UTC
Last seen:2021-08-01 11:34:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b2756717223a193efc4a129f78f966e (1 x Neurevt)
ssdeep 6144:fx3+m6HONThlgxVlAwiGURZKgLaXEBXON3dTmwsXYXjxPkQv4RYj8yqrK2BhG0Oh:f8UPgKIgL0eOnTHscPmvOOp1beWNGxdF
Threatray 3'236 similar samples on MalwareBazaar
TLSH T170C46CA063597E8AF4556D3A12E56627C4E07D326B0FD0166F832FABC27DDE0CA15B03
dhash icon 31b4d8d4ccf4d629 (1 x Neurevt)
Reporter abuse_ch
Tags:exe Neurevt


Avatar
abuse_ch
Neurevt C2:
http://firecrackers.ru/kin/logout.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://firecrackers.ru/kin/logout.php https://threatfox.abuse.ch/ioc/165375/

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'101
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe
Verdict:
Malicious activity
Analysis date:
2021-08-01 11:02:45 UTC
Tags:
installer trojan betabot
Link:
https://app.any.run/tasks/04ed3549-358d-4f6a-a6f8-60e3b877eb59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175562/
Detection(s):
SecuriteInfo.com.Variant.Strictor.109182.16038.13460.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Moving of the original file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50a9bb4d-4408-4f1a-8e3d-d0d05859a51e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825081
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 457488 Sample: 144C0621CA5ECB402DE01D8F100... Startdate: 01/08/2021 Architecture: WINDOWS Score: 100 36 xircus.ws 2->36 38 xircus.one 2->38 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Multi AV Scanner detection for domain / URL 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 8 other signatures 2->54 8 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe 12 25 2->8         started        11 935aa375omok5c.exe 23 2->11         started        13 935aa375omok5c.exe 23 2->13         started        15 2 other processes 2->15 signatures3 process4 signatures5 60 Detected unpacking (changes PE section rights) 8->60 62 Detected unpacking (overwrites its own PE header) 8->62 64 Creates an undocumented autostart registry key 8->64 68 4 other signatures 8->68 17 explorer.exe 9 63 8->17         started        66 Hides threads from debuggers 11->66 process6 dnsIp7 30 firecrackers.ru 91.234.34.80, 443, 49752, 49753 THEHOST-ASUA Ukraine 17->30 32 xircus.ws 64.70.19.203, 49768, 49770, 49771 CENTURYLINK-LEGACY-SAVVISUS United States 17->32 34 7 other IPs or domains 17->34 40 System process connects to network (likely due to code injection or exploit) 17->40 42 Overwrites Windows DLL code with PUSH RET codes 17->42 44 Modifies Internet Explorer zone settings 17->44 46 4 other signatures 17->46 21 gGRiqYglIOLbY.exe 1 23 17->21 injected 24 gGRiqYglIOLbY.exe 1 23 17->24 injected 26 gGRiqYglIOLbY.exe 1 23 17->26 injected 28 8 other processes 17->28 signatures8 process9 signatures10 56 Hides threads from debuggers 21->56 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/144c0621ca5ecb402de01d8f10044f92a2ef917522e4b4955f3760bb17095bac/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 23:14:10 UTC
AV detection:
31 of 46 (67.39%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=crgamiokl3fualpadwhrabcpskro7elvelsljfk7g5qlwfyjlowa._file
Verdict:
malicious
Similar samples:
03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6
Neurevt
15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0
Neurevt
273811e7b3de14abc8cfbbb28be4ab3c39922ff09c869f1a4b6b357577f0d374
Neurevt
411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3
Neurevt
4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e
Neurevt
55c12cb22033e12af48c4bb80b660e4ace8ed2364e7147979e30355bab7d5469
Neurevt
86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595
Neurevt
b38c11ce5d7c368dd1b51d1b5d8df3e09abff40390f68a1f81dacccfe3f01725
Neurevt
d8de6668573d3ceb90b6794ad11ce332f7d7ece1d4cc1c40b2279ebcdc71b5dd
Neurevt
f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
Neurevt
+ 3'226 additional samples on MalwareBazaar
Result
Malware family:
betabot
Create hunting rule
Score:
  10/10
Tags:
family:betabot backdoor botnet evasion persistence suricata trojan
Link:
https://tria.ge/reports/210801-8ah5yvz9ke/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Sets file execution options in registry
BetaBot
Modifies firewall policy service
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Unpacked files
SH256 hash:
5bc9db95fd252133e490bc2fd2904225163cb9d98243acd2ebbf612840573f0b
MD5 hash:
cebaa6e65d77043e29d4be7cd88aa13b
SHA1 hash:
76b0bedc1f928a17725bbba703af125adc656030
Link:
https://www.unpac.me/results/754fc470-cb27-4147-b1bd-a3d3c7a17a10/
SH256 hash:
144c0621ca5ecb402de01d8f10044f92a2ef917522e4b4955f3760bb17095bac
MD5 hash:
c46f1a56503f218c2977b4b42f5aa84b
SHA1 hash:
25449ec8c765f94ffc284022374a9139dc46ebef
Link:
https://www.unpac.me/results/754fc470-cb27-4147-b1bd-a3d3c7a17a10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/144c0621ca5ecb402de01d8f10044f92a2ef917522e4b4955f3760bb17095bac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox product IDs
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_betabot_w0
Create hunting rule
Author:Venom23
Description:Neurevt Malware Sig

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175562/

Comments