MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ad3e9feca98bd1c94415f0319340c3c9416541f4592f7373aeeab289a03c7ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ad3e9feca98bd1c94415f0319340c3c9416541f4592f7373aeeab289a03c7ac
SHA3-384 hash: 36dcea881c76ece3190cd47663b856bd4575ebacbece19e264c8bc2143465194a1e2b3be523cbcbecf8ec5b769b0839a
SHA1 hash: 4d313c6379933dfcfc79cab04a7c83899862b0d7
MD5 hash: b9091ef41de734fdbd7c7df7b2a5ea20
humanhash: august-mountain-thirteen-orange
File name:3AD3E9FECA98BD1C94415F0319340C3C9416541F4592F.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:324'356 bytes
First seen:2021-08-06 16:35:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f67aeda01a0484282e8c59006b0b352 (51 x GuLoader, 9 x RemcosRAT, 9 x VIPKeylogger)
ssdeep 6144:E1onIw+yeYJGW5jt6IAqQXkZ52XZFF64v9VXbBkl/TEJf5:soIwZ5HQ083FPlVX6p+f5
Threatray 3'515 similar samples on MalwareBazaar
TLSH T134641386B1C1E8BAD5E752B22D33BE7A82E379590114CBA777446F339C30656CD27232
dhash icon c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter abuse_ch
Tags:exe Neurevt


Avatar
abuse_ch
Neurevt C2:
http://darrassaad.com/darrassaad/p/logout.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://darrassaad.com/darrassaad/p/logout.php https://threatfox.abuse.ch/ioc/165994/

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3AD3E9FECA98BD1C94415F0319340C3C9416541F4592F.exe
Verdict:
Malicious activity
Analysis date:
2021-08-06 16:37:03 UTC
Tags:
trojan betabot
Link:
https://app.any.run/tasks/104538d0-c1e9-4a01-9741-38a593a24ff9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177065/
Detection(s):
Win.Dropper.Nemesis-6646739-0
Create hunting rule

SecuriteInfo.com.Adware.Generic12.HOD.14374.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Creating a window
Moving of the original file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a1e1601-8d57-46b0-891d-d9b9deed756f
Result
Threat name:
Betabot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828426
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Writes to foreign memory regions
Yara detected Betabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460857 Sample: 3AD3E9FECA98BD1C94415F03193... Startdate: 06/08/2021 Architecture: WINDOWS Score: 100 56 Antivirus detection for dropped file 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 7 other signatures 2->62 8 3AD3E9FECA98BD1C94415F0319340C3C9416541F4592F.exe 19 2->8         started        12 iai7319a.exe 2->12         started        15 iai7319a.exe 18 2->15         started        17 iai7319a.exe 18 2->17         started        process3 dnsIp4 44 C:\Users\user\AppData\Local\...\System.dll, PE32 8->44 dropped 74 Detected unpacking (changes PE section rights) 8->74 76 Detected unpacking (overwrites its own PE header) 8->76 78 Maps a DLL or memory area into another process 8->78 19 3AD3E9FECA98BD1C94415F0319340C3C9416541F4592F.exe 12 27 8->19         started        54 192.168.2.1 unknown unknown 12->54 46 C:\Users\user\AppData\Local\...\System.dll, PE32 12->46 dropped 23 iai7319a.exe 12->23         started        48 C:\Users\user\AppData\Local\...\System.dll, PE32 15->48 dropped 25 iai7319a.exe 15->25         started        50 C:\Users\user\AppData\Local\...\System.dll, PE32 17->50 dropped file5 signatures6 process7 file8 40 C:\ProgramData\...\iai7319a.exe, PE32 19->40 dropped 42 C:\...\iai7319a.exe:Zone.Identifier, ASCII 19->42 dropped 64 Creates an undocumented autostart registry key 19->64 66 Maps a DLL or memory area into another process 19->66 68 Sample uses process hollowing technique 19->68 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->70 27 explorer.exe 9 48 19->27         started        72 Hides threads from debuggers 25->72 signatures9 process10 dnsIp11 52 darrassaad.com 172.247.162.68, 49768, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK United States 27->52 80 System process connects to network (likely due to code injection or exploit) 27->80 82 Overwrites Windows DLL code with PUSH RET codes 27->82 84 Modifies Internet Explorer zone settings 27->84 86 4 other signatures 27->86 31 YYqIkWyWAkxNOaviu.exe 1 23 27->31 injected 34 YYqIkWyWAkxNOaviu.exe 1 23 27->34 injected 36 YYqIkWyWAkxNOaviu.exe 1 23 27->36 injected 38 14 other processes 27->38 signatures12 process13 signatures14 88 Hides threads from debuggers 31->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->90
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ad3e9feca98bd1c94415f0319340c3c9416541f4592f7373aeeab289a03c7ac/
Threat name:
Win32.Ransomware.Rapid
Create hunting rule
Status:
Malicious
First seen:
2018-04-20 19:59:00 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlj6t7wktc6rzfcbl4brsnamhskbmva7iwjponz252vsrgqdy6wa._file
Verdict:
malicious
Similar samples:
03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6
Neurevt
144c0621ca5ecb402de01d8f10044f92a2ef917522e4b4955f3760bb17095bac
Neurevt
15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0
Neurevt
273811e7b3de14abc8cfbbb28be4ab3c39922ff09c869f1a4b6b357577f0d374
Neurevt
411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3
Neurevt
4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e
Neurevt
55c12cb22033e12af48c4bb80b660e4ace8ed2364e7147979e30355bab7d5469
Neurevt
86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595
Neurevt
f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
Neurevt
+ 3'505 additional samples on MalwareBazaar
Result
Malware family:
betabot
Create hunting rule
Score:
  10/10
Tags:
family:betabot backdoor botnet evasion persistence suricata trojan
Link:
https://tria.ge/reports/210806-1cteszcmzj/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Sets file execution options in registry
BetaBot
Modifies firewall policy service
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Unpacked files
SH256 hash:
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
MD5 hash:
3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 hash:
fe582246792774c2c9dd15639ffa0aca90d6fd0b
Link:
https://www.unpac.me/results/6bb871ab-a3a7-4e1e-a9ac-b59cefa098d2/
SH256 hash:
f2c1409faf2952c1c91f4b5495158ef5c7d1a1db6eea4a18f163574bd52fcad0
MD5 hash:
b3070cf20db659fdfb3cb2ed38130e8d
SHA1 hash:
aa234b0620bebddde1414ff6b0840d883890b413
Link:
https://www.unpac.me/results/6bb871ab-a3a7-4e1e-a9ac-b59cefa098d2/
SH256 hash:
70c842f318f691d92e5829616a283aa9bf9dc18cea6f39bad028e176056b591a
MD5 hash:
b26b412d9f1050ad53f663c972fdcd9f
SHA1 hash:
7bc4ed444f3f8fd14c2c36784d828175bace8c17
Link:
https://www.unpac.me/results/6bb871ab-a3a7-4e1e-a9ac-b59cefa098d2/
SH256 hash:
d91c201ea23d58779761c6fdaa4e35739bc6cda27a68ca04f28464e1eff84280
MD5 hash:
a9d6d5c93415f31c9573e13e3b1da8f5
SHA1 hash:
542ec01df24fe29f7f04c98a0dc6fbfd1a442b5e
Link:
https://www.unpac.me/results/6bb871ab-a3a7-4e1e-a9ac-b59cefa098d2/
SH256 hash:
079bfdbac38b31f2942b07056a22113d8d8d1e94b1570d4aab7b3602dd7b6ccd
MD5 hash:
da30648198f42a297a60ee3c06f52c5a
SHA1 hash:
0d8e5492de75512252d245318ce1f99e40a5a788
Link:
https://www.unpac.me/results/6bb871ab-a3a7-4e1e-a9ac-b59cefa098d2/
SH256 hash:
3ad3e9feca98bd1c94415f0319340c3c9416541f4592f7373aeeab289a03c7ac
MD5 hash:
b9091ef41de734fdbd7c7df7b2a5ea20
SHA1 hash:
4d313c6379933dfcfc79cab04a7c83899862b0d7
Link:
https://www.unpac.me/results/6bb871ab-a3a7-4e1e-a9ac-b59cefa098d2/
Malware family:
Mal/Generic-S
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3ad3e9feca98/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/3ad3e9feca98bd1c94415f0319340c3c9416541f4592f7373aeeab289a03c7ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177065/

Comments