MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 400f732da4566105d2b058753d07be7dce75b7cd25e043e3e6f1a188c7efa657. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 400f732da4566105d2b058753d07be7dce75b7cd25e043e3e6f1a188c7efa657
SHA3-384 hash: 7fd740fa8d92a609e9d5ce8d20fae3ab022427c5274b0bcfcc29bdb5601a7a75dfcb9da62ebaf4f874de29232bf3c198
SHA1 hash: 1997f6d1f0d0fe287a097b64c75b7f0eab2e22e1
MD5 hash: 05dc82d56a7ce3082b4a09e00aa5b428
humanhash: may-queen-one-uniform
File name:file.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:307'200 bytes
First seen:2020-10-13 12:30:31 UTC
Last seen:2020-10-13 14:20:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f743ce0c78f71fda5cc340579f681f9c (2 x Neurevt)
ssdeep 6144:hLYLp9K1eef1Dsf80Ee2wJxvE1a7aRrFizZOVh8puu2pIiBSH:5Yt9AdDcBT7aRt8EfpaH
Threatray 210 similar samples on MalwareBazaar
TLSH 2A64E01176929432E69275310971EBA1EA7FB8B2A77041CB37D83A2E6F736C10736707
Reporter abuse_ch
Tags:exe Neurevt

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70447/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.37124.3564.5991.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Adding an access-denied ACE
Launching a process
Creating a window
Unauthorized injection to a browser process
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending an HTTP POST request
Changing a file
Setting browser functions hooks
Moving of the original file
Enabling autorun for a service
Firewall traversal
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing settings of the browser security zones
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
Betabot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489665
Signature
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Writes to foreign memory regions
Yara detected Betabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297275 Sample: file.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Detected unpacking (changes PE section rights) 2->45 47 6 other signatures 2->47 7 file.exe 12 25 2->7         started        10 o99wqk19113.exe 23 2->10         started        12 o99wqk19113.exe 23 2->12         started        14 3 other processes 2->14 process3 signatures4 53 Detected unpacking (changes PE section rights) 7->53 55 Detected unpacking (overwrites its own PE header) 7->55 57 Creates an undocumented autostart registry key 7->57 61 3 other signatures 7->61 16 explorer.exe 18 51 7->16         started        59 Hides threads from debuggers 10->59 process5 dnsIp6 29 cwjamaica.us 45.153.203.141, 49772, 80 NETLABFR Netherlands 16->29 31 192.168.2.1 unknown unknown 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 35 Overwrites Windows DLL code with PUSH RET codes 16->35 37 Modifies Internet Explorer zone settings 16->37 39 4 other signatures 16->39 20 fqFsseGsMdTagNyn.exe 1 23 16->20 injected 23 fqFsseGsMdTagNyn.exe 1 23 16->23 injected 25 fqFsseGsMdTagNyn.exe 1 23 16->25 injected 27 16 other processes 16->27 signatures7 process8 signatures9 49 Hides threads from debuggers 20->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/400f732da4566105d2b058753d07be7dce75b7cd25e043e3e6f1a188c7efa657/
Threat name:
Win32.Trojan.Neurevt
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 10:56:25 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iahxglnekzqqluvqlb2t2b56pxhhln6nexqehy7g6gqyrr7puzlq._file
Verdict:
malicious
Similar samples:
15e4cb0935bbbe01c87cd16904ee225c1e52e417a16ee4dd9bd3337453332a42
Neurevt
1da069d39e2e88c624698760567c4019ca2de990b05c429be843355a0531b51a
Neurevt
2962eba90f4c76463186e170ae32e1ad8ed50b589a83bee7016dc942b80cd0df
Neurevt
46387625361cd440a23520b7bda25f402b586d00a44229754ab776e5e1bf34f7
Neurevt
7ef7ff0660d406b237fd3253738d60a294c0273ca1436cf9ba87d5b2ea8d62d8
Neurevt
9ea8141b737b1dd5d56c800d4f84048014d83489f0fb3a78e42076a81186e30d
Neurevt
aef47ea6290bbdfa6ca5994e556ba1d3a09200a525ab0aa11eb9fca8f324dfdf
Neurevt
b092a330b736b90c25196d0784455f5d605aae83dca16f8569451236204d0976
Neurevt
c1ebfaa5144a986271298dd044a82bc3e27362debe5475b028a916dbbfb97bbd
Neurevt
e63df6a7f5c2a30456c884959644745ee0174df416492324c5ee31635958f855
Neurevt
+ 200 additional samples on MalwareBazaar
Result
Malware family:
betabot
Create hunting rule
Score:
  10/10
Tags:
persistence trojan backdoor botnet family:betabot evasion
Link:
https://tria.ge/reports/201013-ezxkwazdg6/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Checks BIOS information in registry
Sets file execution options in registry
BetaBot
Modifies firewall policy service
Unpacked files
SH256 hash:
f64f0e1b8f2953b848d9faa9422307caa66872fb80e53b68f8a66156ae4b97d6
MD5 hash:
0a21372830da7640ceb48acf52e2830c
SHA1 hash:
8640a3ed8d65dec36d421435d5edf03e33521246
Link:
https://www.unpac.me/results/126dcf3f-4f1e-4a02-a440-ae07c309d0e4/
SH256 hash:
400f732da4566105d2b058753d07be7dce75b7cd25e043e3e6f1a188c7efa657
MD5 hash:
05dc82d56a7ce3082b4a09e00aa5b428
SHA1 hash:
1997f6d1f0d0fe287a097b64c75b7f0eab2e22e1
Link:
https://www.unpac.me/results/126dcf3f-4f1e-4a02-a440-ae07c309d0e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/400f732da4566105d2b058753d07be7dce75b7cd25e043e3e6f1a188c7efa657

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:VMware_detection_bin_mem
Create hunting rule
Author:James_inthe_box
Description:VMWare detection
Rule name:win_betabot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_betabot_w0
Create hunting rule
Author:Venom23
Description:Neurevt Malware Sig

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/70447/

Comments