MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6327c2d28925dd4680b13585501e34181fc4beefaeb08040d1c10fc91a16f0a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6327c2d28925dd4680b13585501e34181fc4beefaeb08040d1c10fc91a16f0a3
SHA3-384 hash: 6e7acf4d2d8d899dd0b569ef1d495c63a29d922711cf77c38f3243f6e3c0815baa1b77e8c744921db8c10f329c81be71
SHA1 hash: 58e3c687b83b5fac9e5a7f65745b8171832ec7ae
MD5 hash: 055eab630948751fea12dea70af602c2
humanhash: india-twenty-glucose-michigan
File name:Customer Complaint letter NCC166289001.PDF.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:387'072 bytes
First seen:2020-08-04 11:20:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 283fdee1bd44327343be2256b7127ee5 (1 x Neurevt)
ssdeep 6144:zJ6XWp+DELgUaVTUlxZClLZhZEPFUoT3A72QN:F6XRWc4/QNbl
Threatray 72 similar samples on MalwareBazaar
TLSH 7C84F11839C1C033D51555B68426C3B69D6E3836682ABD8A7FCA5AFC0F396D2FB2530D
Reporter abuse_ch
Tags:exe Neurevt


Avatar
abuse_ch
Malspam distributing Neurevt:

HELO: host.qualifairs.com
Sending IP: 85.25.130.41
From: complaint@thencc.org.za
Subject: Customer Complaint letter // NCC166289001
Attachment: Customer Complaint letter NCC166289001.PDF.gz (contains "Customer Complaint letter NCC166289001.PDF.exe")

Neurevt C2:
http://winqits.com/~zadmin/lk/dm/logout.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38579/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Searching for analyzing tools
Searching for the window
Setting browser functions hooks
Adding an access-denied ACE
Launching a process
Creating a window
Sending a UDP request
Unauthorized injection to a browser process
DNS request
Connection attempt
Sending an HTTP POST request
Moving of the original file
Enabling autorun for a service
Firewall traversal
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing settings of the browser security zones
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
Betabot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/409144
Signature
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Betabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256822 Sample: Customer Complaint letter  ... Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Detected unpacking (changes PE section rights) 2->43 45 Detected unpacking (overwrites its own PE header) 2->45 47 7 other signatures 2->47 7 Customer Complaint letter  NCC166289001.PDF.exe 12 25 2->7         started        10 wc355a993937.exe 23 2->10         started        12 wc355a993937.exe 2->12         started        14 3 other processes 2->14 process3 signatures4 53 Creates an undocumented autostart registry key 7->53 55 Maps a DLL or memory area into another process 7->55 57 Sample uses process hollowing technique 7->57 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->59 16 explorer.exe 18 51 7->16         started        61 Hides threads from debuggers 10->61 process5 dnsIp6 29 winqits.com 188.68.220.35, 49738, 49739, 49741 SELECTELRU Russian Federation 16->29 31 192.168.2.1 unknown unknown 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 35 Overwrites Windows DLL code with PUSH RET codes 16->35 37 Modifies Internet Explorer zone settings 16->37 39 4 other signatures 16->39 20 vauBrYSqVSZaYtGxyzssSFxUBW.exe 1 23 16->20 injected 23 vauBrYSqVSZaYtGxyzssSFxUBW.exe 1 23 16->23 injected 25 vauBrYSqVSZaYtGxyzssSFxUBW.exe 1 23 16->25 injected 27 13 other processes 16->27 signatures7 process8 signatures9 49 Hides threads from debuggers 20->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6327c2d28925dd4680b13585501e34181fc4beefaeb08040d1c10fc91a16f0a3/
Threat name:
Win32.Trojan.Neurevt
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 11:22:12 UTC
AV detection:
41 of 48 (85.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmt4fuujexounafrgwcvahrudap4jpxpv2yiaqgryeh4sgqw6crq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
1da069d39e2e88c624698760567c4019ca2de990b05c429be843355a0531b51a
Neurevt
28dfc81c0660d22a889fa79cf30b0698e1f4c78a6693c277931868b67b29646e
Neurevt
2b44eaee1eb9f472580e06b30bc5eba6f513905abe768229ba6290bd1e4da1a5
Neurevt
50a5970afc0a5e55eb16da4d20a7f2ab4af3386d58751b276583aad18969ccac
Neurevt
b4e68cc1125476baac15e128b8e5daacbe857a05c525da252348ba0844ecca83
Neurevt
b5e4950f8979f18ad063f3df3fb483aa88273271254201dbc0e5241b7713edc2
Neurevt
bd476e4d4bb6f46ca0e62c6a2ab34f90b025d3cc6a0895be9073bd48997d1b47
Neurevt
d3aa9fd1ed4af3cc3a49e612b93a03f799ada340c1c086f7403448fe77115bb1
Neurevt
e661bc38b20992b846232fd3d6cbe914bb46ae68b39ce7e7a348be2ba5261851
Neurevt
fcaa4b93dbdb7ca43dab06e0afb63117ca21a864f7ccf6f6eb7a4581ded48464
Neurevt
+ 62 additional samples on MalwareBazaar
Result
Malware family:
betabot
Create hunting rule
Score:
  10/10
Tags:
evasion trojan backdoor botnet family:betabot
Link:
https://tria.ge/reports/200804-3zgvnesjae/
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
BetaBot
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6327c2d28925dd4680b13585501e34181fc4beefaeb08040d1c10fc91a16f0a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_betabot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_betabot_w0
Create hunting rule
Author:Venom23
Description:Neurevt Malware Sig

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neurevt

gz 15c4436deb5fc30241abaa1b024170bff09055a6a32cf34e5713530bfcc7d2ba

Neurevt

Executable exe 6327c2d28925dd4680b13585501e34181fc4beefaeb08040d1c10fc91a16f0a3

(this sample)

  
Dropped by
MD5 e2e7426aba2725a5f2d735810d9ba6e5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38579/
  
Dropped by
SHA256 15c4436deb5fc30241abaa1b024170bff09055a6a32cf34e5713530bfcc7d2ba

Comments