MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 757112683c4f6e6d8e0091606b7587acdb71946003b2a803052d3fb1d1686336. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 757112683c4f6e6d8e0091606b7587acdb71946003b2a803052d3fb1d1686336
SHA3-384 hash: 4fd0086c4efcc99e6197fcafe9e4a7af4e38fffce47a6a247c7ec6c6f35c9082bf2da680558cc5d3381719fe9821f416
SHA1 hash: b07b04c23c922d7bcca37e4e9d141c4ab92b99e9
MD5 hash: f3157002f5636d7d4170d458ac9e15cf
humanhash: autumn-florida-fillet-florida
File name:Payment Advice - Advice RefGLVA05109502 .PDF.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:315'392 bytes
First seen:2020-10-09 06:35:54 UTC
Last seen:2020-10-09 08:02:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8f671fc2d92f0d4b8a728da18d4995e0 (1 x Neurevt)
ssdeep 6144:QtkmgRL7k8DbFJlJnw2CaDt0/DQ3lgHhku2CJ6Qumv:y3Cvk8hJnRCkS/DumicDuU
Threatray 204 similar samples on MalwareBazaar
TLSH 0264E00176C4C432E2A6197A4B75C6B5163EFCA56F219BCB76803A6A5F322C1FE34743
Reporter abuse_ch
Tags:exe HSBC Neurevt


Avatar
abuse_ch
Malspam distributing Neurevt:

HELO: saxamarketing.com
Sending IP: 199.217.115.34
From: HSBC Advising Service <advising.service.311886538.904852.3096018124@mail.hsbcnet.hsbc.com>
Subject: Payment Advice - Advice Ref:[GLVA05109502] / Priority payment / Customer Ref:[2000010939]
Attachment: Payment Advice - Advice RefGLVA05109502 .PDF.gz (contains "Payment Advice - Advice RefGLVA05109502 .PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69465/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Adding an access-denied ACE
Launching a process
Creating a window
Unauthorized injection to a browser process
DNS request
Searching for analyzing tools
Searching for the window
Connection attempt
Sending an HTTP POST request
Changing a file
Setting browser functions hooks
Moving of the original file
Enabling autorun for a service
Firewall traversal
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing settings of the browser security zones
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
Betabot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486402
Signature
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Betabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295661 Sample: Payment Advice - Advice Ref... Startdate: 09/10/2020 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 10 other signatures 2->47 7 Payment Advice - Advice RefGLVA05109502 .PDF.exe 12 25 2->7         started        10 acm11u73mu31.exe 23 2->10         started        12 acm11u73mu31.exe 23 2->12         started        14 3 other processes 2->14 process3 signatures4 53 Creates an undocumented autostart registry key 7->53 55 Maps a DLL or memory area into another process 7->55 57 Sample uses process hollowing technique 7->57 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->59 16 explorer.exe 18 51 7->16         started        61 Hides threads from debuggers 10->61 process5 dnsIp6 29 cwjamaica.us 45.153.203.141, 49759, 80 NETLABFR Netherlands 16->29 31 192.168.2.1 unknown unknown 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 35 Overwrites Windows DLL code with PUSH RET codes 16->35 37 Modifies Internet Explorer zone settings 16->37 39 4 other signatures 16->39 20 MeOCCWovqEeHNXqbpBHfsmTuaRH.exe 1 23 16->20 injected 23 MeOCCWovqEeHNXqbpBHfsmTuaRH.exe 1 23 16->23 injected 25 MeOCCWovqEeHNXqbpBHfsmTuaRH.exe 1 23 16->25 injected 27 16 other processes 16->27 signatures7 process8 signatures9 49 Hides threads from debuggers 20->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/757112683c4f6e6d8e0091606b7587acdb71946003b2a803052d3fb1d1686336/
Threat name:
Win32.Trojan.Neurevt
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 16:30:40 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovyre2b4j5xg3dqasfqgw5mhvtnxdfdaaozkqayffu73dulimm3a._file
Verdict:
malicious
Similar samples:
1da069d39e2e88c624698760567c4019ca2de990b05c429be843355a0531b51a
Neurevt
2962eba90f4c76463186e170ae32e1ad8ed50b589a83bee7016dc942b80cd0df
Neurevt
46387625361cd440a23520b7bda25f402b586d00a44229754ab776e5e1bf34f7
Neurevt
468f9abc380cedf17528958eb0ccd8e42e100e05ecb250f31a11d3f946765990
Neurevt
79f15bc55fcc0e2f863a81accfb76b601531a909ebf009d57176dd18edf46d7d
Neurevt
973b3d66cf3f04d5be0e10dfa5ab24fbc8c5d2b58cc5728d81a448dbe079f4e6
Neurevt
b092a330b736b90c25196d0784455f5d605aae83dca16f8569451236204d0976
Neurevt
b4e68cc1125476baac15e128b8e5daacbe857a05c525da252348ba0844ecca83
Neurevt
e63df6a7f5c2a30456c884959644745ee0174df416492324c5ee31635958f855
Neurevt
efaa9091d5aa1f64ae3b3c1258e90d5bb346e25e75ae3c4530ea9346380e2158
Neurevt
+ 194 additional samples on MalwareBazaar
Result
Malware family:
betabot
Create hunting rule
Score:
  10/10
Tags:
trojan backdoor botnet family:betabot persistence evasion
Link:
https://tria.ge/reports/201009-y37qvfch3s/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Checks BIOS information in registry
Sets file execution options in registry
BetaBot
Modifies firewall policy service
Unpacked files
SH256 hash:
757112683c4f6e6d8e0091606b7587acdb71946003b2a803052d3fb1d1686336
MD5 hash:
f3157002f5636d7d4170d458ac9e15cf
SHA1 hash:
b07b04c23c922d7bcca37e4e9d141c4ab92b99e9
Link:
https://www.unpac.me/results/7ec91c32-5582-4171-81a2-ba56092f83a8/
SH256 hash:
f64f0e1b8f2953b848d9faa9422307caa66872fb80e53b68f8a66156ae4b97d6
MD5 hash:
0a21372830da7640ceb48acf52e2830c
SHA1 hash:
8640a3ed8d65dec36d421435d5edf03e33521246
Link:
https://www.unpac.me/results/7ec91c32-5582-4171-81a2-ba56092f83a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/757112683c4f6e6d8e0091606b7587acdb71946003b2a803052d3fb1d1686336

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:VMware_detection_bin_mem
Create hunting rule
Author:James_inthe_box
Description:VMWare detection
Rule name:win_betabot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_betabot_w0
Create hunting rule
Author:Venom23
Description:Neurevt Malware Sig

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neurevt

gz 0490f437c30c350245f65bef1492eb0f4a2c62b40d426b0dbaeb8ec1a1b54f4f

Neurevt

Executable exe 757112683c4f6e6d8e0091606b7587acdb71946003b2a803052d3fb1d1686336

(this sample)

  
Dropped by
MD5 b8ffc0225483dbb732ba8a5322cfbdaf
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69465/
  
Dropped by
SHA256 0490f437c30c350245f65bef1492eb0f4a2c62b40d426b0dbaeb8ec1a1b54f4f

Comments