MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15ae3d3602ef75eb37db3c76a7b806685cfa4690fb22c27b0c1290299d0f21b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neurevt

Vendor detections: 9

SHA256 hash: 15ae3d3602ef75eb37db3c76a7b806685cfa4690fb22c27b0c1290299d0f21b4
SHA3-384 hash: 539f2884ccf4d507206fa5a7242500010395ab5e4f42f5d0ed24d1b6ed5329267d943c1b9e3d3273e3d4a3d7bcfa41e8
SHA1 hash: b87bdd5791d482623cecc99b586b4962c4dc7814
MD5 hash: 23873f7412c1985c6b227e7b0a9f3ae5
humanhash: seventeen-sweet-bacon-nuts
File name: new order.scr
Signature: Neurevt
File size: 567'296 bytes
First seen: 2021-07-04 07:21:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 497b2c24826c3fb68ab36173cb0fad28 (1 x Neurevt)
ssdeep: 12288:3150uZlq7pMFbzXdnAv8lHYZEUWU8U2e5:315XqaF/hzUzx845
TLSH: E7C41291E28808B7CD2A11FA9CFFFE711B07D05D60593F5A2889AC5B7E76763581280F
Reporter: abuse_ch
Tags: exe Neurevt scr

Intelligence

File Origin
# of uploads: 1
# of downloads: 212
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: new order.scr
Verdict: Malicious activity
Analysis date: 2021-07-04 07:25:30 UTC
Tags: trojan betabot

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: TransparentTribe
Verdict: Malicious

Result
Threat name: Betabot
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to check if the process is started with administrator privileges
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Potentially malicious time measurement code found
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Schedule system process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal ftp login credentials
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Betabot
Behaviour
Behavior Graph (ID: 443951; sample: new order.scr; start date: 04/07/2021; architecture: WINDOWS; score: 100)

Sample-level signatures:
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  14 other signatures

Process tree (signatures and network contacts are listed under the process that triggered them):
  new order.exe (started)
    signature: Injects a PE file into a foreign processes
    new order.exe (started)
      signatures: Creates an undocumented autostart registry key; Maps a DLL or memory area into another process; Sample uses process hollowing technique; Hides that the sample has been downloaded from the Internet (zone.identifier)
      WerFault.exe (started)
        network: woeer.com (156.250.17.72, ports 49730, 49738, 80; COMING-ASABCDEGROUPCOMPANYLIMITEDHK, Seychelles); rosnfet.com; qvpumps.com
        signatures: Creates autostart registry keys with suspicious names; Overwrites Windows DLL code with PUSH RET codes; Modifies Internet Explorer zone settings; 7 other signatures
        pPellSRGcqrHEsoDwiSSoPX.exe (injected, three instances)
          signatures: Hides threads from debuggers; Hides that the sample has been downloaded from the Internet (zone.identifier)
        9 other processes
      schtasks.exe (started)
        conhost.exe (started)
  uwjqrophc.exe (started)
    signatures: Tries to delay execution (extensive OutputDebugStringW loop); Contains functionality to detect sleep reduction / modifications
    uwjqrophc.exe (started)
  uwjqrophc.exe (started)
    uwjqrophc.exe (started)
  uwjqrophc.exe (started)
    uwjqrophc.exe (started)
Threat name: Win32.Trojan.Neurevt
Status: Malicious
First seen: 2014-03-19 17:47:00 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer Protected Mode
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks for any installed AV software in registry
Drops desktop.ini file(s)
Sets file execution options in registry
Modifies firewall policy service
Unpacked files

SHA256 hash: 8695ef95ca27257e76717587e31845b417a9d6db513c016b83dca2357a392df7
MD5 hash: e7e6226769e553f4e9406a3fa7f6bc9d
SHA1 hash: f4ff046070607d07a0511d297b8aeb906d57b8f5

SHA256 hash: c249f383ee7f0e1ce60dd2d09ae12f5b088537c70ccc76f0c9f4b3af26e85467
MD5 hash: 84209feb000662d870e0ea3630c193fb
SHA1 hash: 0793024a93bb4e6185d2bd2783d35aa51d23a143

SHA256 hash: 1b61473c965675a77c762d48ecb77163034a6e3b096a105cc5c11a837c420e0e
MD5 hash: c0188789e301ac229cdc0c48d2717fa8
SHA1 hash: 65391c1f489f4cf75109806ecd827b18a9004315
Detections: win_betabot_w0 win_betabot_g0 win_betabot_auto

SHA256 hash: 15ae3d3602ef75eb37db3c76a7b806685cfa4690fb22c27b0c1290299d0f21b4
MD5 hash: 23873f7412c1985c6b227e7b0a9f3ae5
SHA1 hash: b87bdd5791d482623cecc99b586b4962c4dc7814
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
