MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3149cdb07c535db9316160f19a32b73a31cdd4d5fd6e971518b88d45db52af7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3149cdb07c535db9316160f19a32b73a31cdd4d5fd6e971518b88d45db52af7d
SHA3-384 hash: 11daf238e536e1c7ee1b70fa29f8df8fad3121652eca51a6bd59a115c4893fe86af49fd51fad5d6855d945bf38fe44db
SHA1 hash: 18bb6a5fee2a894c37b17234768696481fc2817c
MD5 hash: 3214959233726f37d45c0f41ed6eb844
humanhash: solar-two-vermont-diet
File name:puchase order 24.5.2021.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:969'216 bytes
First seen:2021-05-24 16:08:15 UTC
Last seen:2021-05-24 17:05:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:z+BC7vwGO7NedGY9BnM6MY+z0Uo/e0FCyiksXz:z+BC7vwx7qj5MY+z0zeotiZX
Threatray 1'453 similar samples on MalwareBazaar
TLSH D725263CD06AA122C169F2794ED4442BE550DF33E131AE15ACC3F7B85639E80B991E7E
Reporter abuse_ch
Tags:exe Neurevt

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
puchase order 24.5.2021.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-24 23:13:03 UTC
Tags:
trojan betabot
Link:
https://app.any.run/tasks/643e9f16-5ae7-472a-b346-be97c23dbd4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Betabot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790837
Signature
.NET source code contains very large strings
Contains functionality to check if the process is started with administrator privileges
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Potentially malicious time measurement code found
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal ftp login credentials
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Betabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 423233 Sample: puchase order 24.5.2021.exe Startdate: 24/05/2021 Architecture: WINDOWS Score: 100 57 github.com 2->57 59 avatars.githubusercontent.com 2->59 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected AntiVM3 2->75 77 Yara detected Betabot 2->77 79 6 other signatures 2->79 9 puchase order 24.5.2021.exe 3 2->9         started        13 dzzblsrgx.exe 2 2->13         started        15 dzzblsrgx.exe 3 2->15         started        17 dzzblsrgx.exe 2->17         started        signatures3 process4 file5 55 C:\Users\...\puchase order 24.5.2021.exe.log, ASCII 9->55 dropped 97 Injects a PE file into a foreign processes 9->97 19 puchase order 24.5.2021.exe 4 21 9->19         started        22 puchase order 24.5.2021.exe 9->22         started        24 puchase order 24.5.2021.exe 9->24         started        26 dzzblsrgx.exe 13->26         started        28 dzzblsrgx.exe 13->28         started        30 dzzblsrgx.exe 1 12 15->30         started        32 iexplore.exe 17->32         started        signatures6 process7 signatures8 81 Creates an undocumented autostart registry key 19->81 83 Maps a DLL or memory area into another process 19->83 85 Sample uses process hollowing technique 19->85 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->87 34 WerFault.exe 11 40 19->34         started        38 schtasks.exe 1 19->38         started        40 iexplore.exe 32->40         started        42 iexplore.exe 32->42         started        process9 dnsIp10 61 k3inveentive.com 27.122.57.229, 443, 49773, 49774 IPTELECOM-AS-APIPTELECOMGlobalHK Hong Kong 34->61 89 Overwrites Windows DLL code with PUSH RET codes 34->89 91 Modifies Internet Explorer zone settings 34->91 93 Tries to harvest and steal ftp login credentials 34->93 95 7 other signatures 34->95 44 XKienpIlkwMHFMKZrCaVH.exe 1 12 34->44 injected 47 XKienpIlkwMHFMKZrCaVH.exe 1 12 34->47 injected 49 XKienpIlkwMHFMKZrCaVH.exe 1 12 34->49 injected 53 12 other processes 34->53 51 conhost.exe 38->51         started        63 github.com 140.82.121.3, 443, 49738, 49739 GITHUBUS United States 40->63 65 avatars.githubusercontent.com 185.199.110.133, 443, 49743, 49744 FASTLYUS Netherlands 40->65 71 2 other IPs or domains 40->71 67 192.168.2.1 unknown unknown 42->67 69 js.monitor.azure.com 42->69 signatures11 process12 signatures13 99 Hides threads from debuggers 44->99
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3149cdb07c535db9316160f19a32b73a31cdd4d5fd6e971518b88d45db52af7d/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 16:09:10 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gfe43md4kno3smlbmdyzumvxhiy43vgv7vxjofiyxcgulw2sv56q._file
Verdict:
malicious
Similar samples:
03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6
Neurevt
0f600e10b529dc3af8dabf5aa567598fe6a0c5a373d4f20e9fba390735257bbe
Neurevt
15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0
Neurevt
273811e7b3de14abc8cfbbb28be4ab3c39922ff09c869f1a4b6b357577f0d374
Neurevt
4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e
Neurevt
55c12cb22033e12af48c4bb80b660e4ace8ed2364e7147979e30355bab7d5469
Neurevt
7e595e94b08c3bbd600f3fe1c310a6eb20b85e0784d4f519e713bb6a5e53446c
Neurevt
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
Neurevt
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
Neurevt
fd616f39100a908d83e019ce7fa00f72aaa791c1f082b688cec80ae6241d5f4e
Neurevt
+ 1'443 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210524-rrd7k6z2da/
Behaviour
Modifies Internet Explorer Protected Mode
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Creates scheduled task(s)
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks for any installed AV software in registry
Drops desktop.ini file(s)
Sets file execution options in registry
Modifies firewall policy service
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3149cdb07c535db9316160f19a32b73a31cdd4d5fd6e971518b88d45db52af7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neurevt

Executable exe 3149cdb07c535db9316160f19a32b73a31cdd4d5fd6e971518b88d45db52af7d

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments