MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41a882c91afa2a845ca6a72b2508d910a12e6371fd853bbd136298cdf40e643b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 11


Intelligence 11 IOCs 3 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41a882c91afa2a845ca6a72b2508d910a12e6371fd853bbd136298cdf40e643b
SHA3-384 hash: 9263587451952166cd15592e38c22ebcdb93fe307cfcbc7d0951e0c3068d38702e4f18b6b7439470414c1c0a044072dc
SHA1 hash: 1493a65f2264e498bf8401141c192fc32afc9a4a
MD5 hash: 2717ee99c8d55f10db1eff0239cc5cf9
humanhash: vermont-montana-india-maine
File name:41A882C91AFA2A845CA6A72B2508D910A12E6371FD853.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:422'400 bytes
First seen:2021-06-20 17:30:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 635a1b24f29ac20618e895d965cb4114 (1 x Neurevt)
ssdeep 6144:kR75N4aH4S+6PpXyIaqBxgjQL5Q9/YnuZQQiRTJyyxLg:01aaH4S+6PRyzq7aQm9/YnGitJysE
Threatray 1'974 similar samples on MalwareBazaar
TLSH AF948D14F540C258D1B34A307CD5EA602C62BEB15A267EC73360736B993126EBE3B767
Reporter abuse_ch
Tags:exe Neurevt


Avatar
abuse_ch
Neurevt C2:
http://b.7thegamejuststarted11k7.com/direct/mail/order.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://b.7thegamejuststarted11k7.com/direct/mail/order.php https://threatfox.abuse.ch/ioc/137754/
http://b.12thegamejuststarted10k12.com/direct/mail/order.php https://threatfox.abuse.ch/ioc/137755/
http://b.9thegamejuststarted14k9.com/direct/mail/order.php https://threatfox.abuse.ch/ioc/137756/

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
41A882C91AFA2A845CA6A72B2508D910A12E6371FD853.exe
Verdict:
Malicious activity
Analysis date:
2021-06-20 17:35:33 UTC
Tags:
trojan betabot
Link:
https://app.any.run/tasks/e81b8958-eea7-4506-a389-d5ebc7534711

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167212/
Detection(s):
Win.Dropper.Cerber-9253570-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neurevt
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83d65b16-991f-4fb7-835b-5f04c4716c83
Result
Threat name:
Betabot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804959
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to check if Internet connection is working
Contains functionality to check if the process is started with administrator privileges
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Performs DNS queries with encoded ASCII data (may be used to data exfiltration)
Potentially malicious time measurement code found
Queries the IP of a very long domain name
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal ftp login credentials
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Betabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 437370 Sample: 41A882C91AFA2A845CA6A72B250... Startdate: 20/06/2021 Architecture: WINDOWS Score: 100 35 sink2.doombringer.pw 2->35 37 e25a29cd63f4851ed2aa772e1531351c.b8f5a3b8cbfea0e54cba7545e16f657c.sink1.doombringer.pw 2->37 39 5 other IPs or domains 2->39 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 6 other signatures 2->61 9 41A882C91AFA2A845CA6A72B2508D910A12E6371FD853.exe 2->9         started        12 tanepicbd.exe 2->12         started        14 OIEGegZycHOtiaAvWnzouEvjp.exe 1 12 2->14         started        16 17 other processes 2->16 signatures3 process4 signatures5 63 Detected unpacking (changes PE section rights) 9->63 65 Detected unpacking (overwrites its own PE header) 9->65 67 Uses schtasks.exe or at.exe to add and modify task schedules 9->67 77 5 other signatures 9->77 18 41A882C91AFA2A845CA6A72B2508D910A12E6371FD853.exe 4 21 9->18         started        69 Contains functionality to inject code into remote processes 12->69 71 Injects a PE file into a foreign processes 12->71 21 tanepicbd.exe 12 12->21         started        73 Hides threads from debuggers 14->73 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->75 23 tanepicbd.exe 12 16->23         started        25 tanepicbd.exe 1 12 16->25         started        process6 signatures7 47 Creates an undocumented autostart registry key 18->47 49 Maps a DLL or memory area into another process 18->49 51 Sample uses process hollowing technique 18->51 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->53 27 WerFault.exe 7 12 18->27         started        31 schtasks.exe 1 18->31         started        process8 dnsIp9 41 b.5dietmydartk5.com 27->41 43 b.4pixartzonek4.com 27->43 45 3 other IPs or domains 27->45 79 Contains functionality to check if Internet connection is working 27->79 81 Overwrites Windows DLL code with PUSH RET codes 27->81 83 Modifies Internet Explorer zone settings 27->83 85 5 other signatures 27->85 33 conhost.exe 31->33         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41a882c91afa2a845ca6a72b2508d910a12e6371fd853bbd136298cdf40e643b/
Threat name:
Win32.Trojan.Neurevt
Create hunting rule
Status:
Malicious
First seen:
2014-09-24 04:16:57 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iguifsi27iviixfgu4vskcgzccqs4y3r7wctxpitmkmm35aomq5q._file
Verdict:
malicious
Similar samples:
03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6
Neurevt
15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0
Neurevt
273811e7b3de14abc8cfbbb28be4ab3c39922ff09c869f1a4b6b357577f0d374
Neurevt
3149cdb07c535db9316160f19a32b73a31cdd4d5fd6e971518b88d45db52af7d
Neurevt
3e9827bdc12c88624681007f776b331d7968b7321e6f47f790b181e416631943
Neurevt
4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e
Neurevt
55c12cb22033e12af48c4bb80b660e4ace8ed2364e7147979e30355bab7d5469
Neurevt
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
Neurevt
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
Neurevt
f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
Neurevt
+ 1'964 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat evasion infostealer persistence rat
Link:
https://tria.ge/reports/210620-sbcmzqem9n/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer Protected Mode
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks for any installed AV software in registry
Drops desktop.ini file(s)
Sets file execution options in registry
DcRat
Modifies firewall policy service
Unpacked files
SH256 hash:
2dbb5ab0a90e75168d5a041c36c774717acbc2f152b9409b6451caa2cd94b775
MD5 hash:
f16c5339faf32f1f600f1e52e1ca7541
SHA1 hash:
48da110350faae03871ff8ddd0af086347770c65
Link:
https://www.unpac.me/results/a9d966a2-d48a-40e9-9c3f-284564cc07eb/
SH256 hash:
a099f3df8a2601d83f1b7a3d3a83bbb96c7c561d87693e28137e23a3583d5519
MD5 hash:
210b93f89f7bf400492ee11aee02cb84
SHA1 hash:
bdfac12484c96865692183b560e16bf9bb7417c2
Detections:
win_betabot_w0
Create hunting rule
win_betabot_g0
Create hunting rule
win_betabot_auto
Create hunting rule
Link:
https://www.unpac.me/results/a9d966a2-d48a-40e9-9c3f-284564cc07eb/
SH256 hash:
41a882c91afa2a845ca6a72b2508d910a12e6371fd853bbd136298cdf40e643b
MD5 hash:
2717ee99c8d55f10db1eff0239cc5cf9
SHA1 hash:
1493a65f2264e498bf8401141c192fc32afc9a4a
Link:
https://www.unpac.me/results/a9d966a2-d48a-40e9-9c3f-284564cc07eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41a882c91afa2a845ca6a72b2508d910a12e6371fd853bbd136298cdf40e643b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167212/

Comments