MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Neurevt

Vendor detections: 10

SHA256 hash: 86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595
SHA3-384 hash: 04ae1d67c042ee4d391dddf053b9be38680413abcd32cc6bf9667cfeca1dc962dd3877b68089f63edd5bd4d00b2515a6
SHA1 hash: df3f6e0f29d9d65a2afc401ab6938044f24c5506
MD5 hash: 808e34a763acd79d01eeb1f54b18a551
humanhash: ohio-fourteen-king-florida
File name: 808e34a763acd79d01eeb1f54b18a551.exe
Signature: Neurevt
File size: 3'717'214 bytes
First seen: 2021-06-24 05:51:59 UTC
Last seen: 2021-06-24 06:57:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b1f273e55d954a3cd6ab7388915a0485 (3 x Neurevt, 3 x RedLineStealer, 2 x ArkeiStealer)
ssdeep: 49152:5zOJB5ZJBK7/stk6SY6stAHzUfj7a3MTP4/cZvExkrK2m8t:5KBtKzatHa4dpGW
Threatray: 2'135 similar samples on MalwareBazaar
TLSH: 55068F23B389603EC46B1976853BD6689C3F7F627912CC4B7BF4594C8F355406A3A60B
Reporter: abuse_ch
Tags: exe Neurevt


abuse_ch
Neurevt C2:
http://russk18.icu/forum8/logout.php

Indicators Of Compromise (IOCs)


Below is the list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://russk18.icu/forum8/logout.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/153078/
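The C2 URL above and the SHA256 values listed for the sample and its unpacked files are the indicators a defender would actually hunt with. The following Python is an added example, not MalwareBazaar's, abuse.ch's or any vendor's code: it turns those indicators into a matcher for proxy/DNS log lines and for sha256sum-style hash inventories. Every log line and file path in it is constructed for illustration; the hashes and the URL are the ones on this page. It goes slightly beyond the page by also matching subdomains of the C2 host and by distinguishing a full-URL hit (the exact C2 path was requested) from a host-only hit.

```python
"""Match the IOCs of this MalwareBazaar entry against network logs and a hash inventory.

Added example, not MalwareBazaar's or abuse.ch's code. The C2 URL and the four
SHA256 values are the ones listed on this page; every log line below is constructed.
"""
import re
from urllib.parse import urlsplit

# C2 URL reported by abuse_ch for this sample (ThreatFox IOC 153078).
C2_URLS = ["http://russk18.icu/forum8/logout.php"]

# SHA256 of the submitted sample and of the unpacked files listed on this page.
KNOWN_SHA256 = {
    "86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595": "Neurevt sample (submitted file)",
    "d27d12d8fda192edae4388568319bd014d8e5894f50ef145dfac691bab9cbf52": "Neurevt unpacked file",
    "187df3afe1396593b61a3062de471c74c729dafcf50192cae3caf80f3bbce2e5": "Neurevt unpacked file",
    "b1434e6201e3336c5c16886d64bfa80edf619139730402099635ede39ee83a3e": "Neurevt unpacked file",
}

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Constructed proxy and DNS log lines (not from the page). Line 1 is the exact C2 URL,
# line 3 differs only in case and path, line 4 is a subdomain, line 5 is a DNS query.
NETWORK_LOG = [
    "2021-06-24T06:01:02Z 10.0.0.5 GET http://russk18.icu/forum8/logout.php 200",
    "2021-06-24T06:01:09Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2021-06-24T06:02:30Z 10.0.0.7 POST http://RUSSK18.ICU/forum8/index.php 404",
    "2021-06-24T06:03:11Z 10.0.0.9 CONNECT cdn.russk18.icu:443 200",
    "24-Jun-2021 06:00:58 client 10.0.0.5#53211: query: russk18.icu IN A",
]

# Constructed sha256sum-style inventory (paths are illustrative, not from the page).
HASH_INVENTORY = [
    "86AAB09B278FE8E538D8CECD28F2D7A32FE413724D5EE52E2815A3267A988595  C:/Users/bob/Downloads/aa.exe",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  C:/temp/empty.txt",
    "187df3afe1396593b61a3062de471c74c729dafcf50192cae3caf80f3bbce2e5  C:/temp/memdump_1040.bin",
]


def c2_indicators(urls=C2_URLS):
    """Reduce each C2 URL to (host, path); urlsplit().hostname is already lower-cased."""
    return [(urlsplit(u).hostname, urlsplit(u).path) for u in urls]


def split_token(token):
    """Return (host, path) for one log token: a full URL, a host:port, or a bare host."""
    if "://" in token:
        parts = urlsplit(token)
        return (parts.hostname or ""), parts.path
    host = token.split("/", 1)[0].rsplit(":", 1)[0]  # drop any path, then any port
    return host.lower(), ""


def host_matches(seen, c2_host):
    """Exact host match or any subdomain of the C2 host."""
    return seen == c2_host or seen.endswith("." + c2_host)


def classify_line(line, indicators):
    """First C2 hit in a line: 'url' if the exact C2 path was requested, else 'host'."""
    for token in line.split():
        host, path = split_token(token)
        for c2_host, c2_path in indicators:
            if host and host_matches(host, c2_host):
                kind = "url" if (host == c2_host and path == c2_path) else "host"
                return {"host": host, "match": kind}
    return None


def match_network_log(lines, indicators=None):
    """One dict per line that touches a C2 host, with its 1-based line number."""
    indicators = indicators or c2_indicators()
    hits = []
    for n, line in enumerate(lines, 1):
        hit = classify_line(line, indicators)
        if hit:
            hits.append(dict(line=n, **hit))
    return hits


def match_hash_inventory(lines, known=KNOWN_SHA256):
    """(line_no, sha256, label) for every line carrying a known SHA256, case-insensitively
    (sha256sum prints lower case, PowerShell Get-FileHash prints upper case)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in SHA256_RE.findall(line):
            if h.lower() in known:
                hits.append((n, h.lower(), known[h.lower()]))
    return hits


if __name__ == "__main__":
    for hit in match_network_log(NETWORK_LOG):
        print("network", hit)
    for hit in match_hash_inventory(HASH_INVENTORY):
        print("hash", hit)
```

A host-only hit on russk18.icu is still worth an alert: Betabot's C2 path is only one resource on the domain, and the page's ThreatFox reference is keyed on the full URL, so hunting on the host catches traffic the URL indicator alone would miss.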

Intelligence


File Origin
# of uploads: 2
# of downloads: 126
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: aa.exe
Verdict: Malicious activity
Analysis date: 2021-06-23 02:24:15 UTC
Tags: installer trojan betabot

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Zeppelin Ransomware
Verdict: Malicious
Result
Threat name: Betabot
Detection: malicious
Classification: phis.troj.evad
Score: 100 / 100
Signature
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops batch files with force delete cmd (self deletion)
Early bird code injection technique detected
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Betabot
Behaviour
Behavior Graph (ID 439566; sample mLOiGWfT2P.exe; start date 24/06/2021; architecture WINDOWS; score 100; contacted host russk18.icu; top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Multi AV Scanner detection for submitted file, Detected unpacking (changes PE section rights), 5 other signatures). Process tree recovered from the graph:
mLOiGWfT2P.exe (drops C:\LMPupdate\set\183.bat [ISO-8859] and C:\LMPupdate\set\unpakedree.exe [PE32]; drops batch files with force delete cmd (self deletion))
  wscript.exe
    cmd.exe (uses cmd line tools excessively to alter registry or file data; uses ping.exe to check the status of other devices and networks)
      wscript.exe
        cmd.exe (Early bird code injection technique detected; uses cmd line tools excessively to alter registry or file data)
          xc829374091FD.exe (Multi AV Scanner detection for dropped file; detected unpacking: changes PE section rights, overwrites its own PE header; 2 other signatures)
            xc829374091FD.exe (creates an undocumented autostart registry key; maps a DLL or memory area into another process; process hollowing; 2 other signatures)
              explorer.exe (overwrites Windows DLL code with PUSH RET codes; modifies Internet Explorer zone settings; writes to foreign memory regions; 3 other signatures)
          taskkill.exe
          conhost.exe
          5 other processes
      unpakedree.exe (drops C:\LMPupdate\set\xc829374091FD.exe [PE32])
      conhost.exe
      4 other processes
cwas73k13w3e3w.exe (injects a PE file into a foreign process)
  cwas73k13w3e3w.exe (hides threads from debuggers)
cwas73k13w3e3w.exe
  cwas73k13w3e3w.exe
9 other processes (process hollowing; hides threads from debuggers; hides that the sample has been downloaded from the Internet (zone.identifier))
  cwas73k13w3e3w.exe
Threat name: Win32.Trojan.Neurevt
Status: Malicious
First seen: 2021-06-22 23:55:41 UTC
AV detection: 15 of 28 (53.57%)
Threat level: 5/5
Result
Malware family: betabot
Score: 10/10
Tags: family:betabot backdoor botnet evasion persistence trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Modifies registry class
NTFS ADS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Sets file execution options in registry
Sets file to hidden
Modifies firewall policy service
BetaBot
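The sandbox reports above agree on a launch chain that is easy to hunt for in process-creation telemetry: the sample starts wscript.exe, which starts cmd.exe, which runs ping.exe (and timeout.exe) as a delay, taskkill.exe, and executables dropped under C:\LMPupdate\set\. The following Python is an added example, not code from any of the sandbox vendors or MalwareBazaar: it rebuilds the process tree from Sysmon Event ID 1-shaped records and alerts when a cmd.exe spawned by a script host has at least two of those three traits among its descendants. The events, pids, file names such as start.vbs, and the command lines are constructed for illustration; the page does not give the real command lines.

```python
r"""Flag the script-host -> cmd.exe -> ping/taskkill/dropped-EXE chain reported for this
Neurevt/Betabot sample in process-creation telemetry.

Added example, not a sandbox vendor's or MalwareBazaar's code. Events are constructed in
the shape of Sysmon Event ID 1 fields (pid, ppid, image, cmdline); command lines and the
script name are illustrative, the drop directory C:\LMPupdate\set\ is the one in the report.
"""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DELAY_TOOLS = {"ping.exe", "timeout.exe"}   # "Runs ping.exe", "Delays execution with timeout.exe"
KILL_TOOLS = {"taskkill.exe"}               # "Kills process with taskkill"
DROP_DIR_PREFIX = "c:\\lmpupdate\\set\\"    # dropper directory from the behavior graph

# Constructed telemetry (not from the page). pids 1000-1050 mirror the reported chain;
# 2000-2010 and 3000-3020 are benign look-alikes that must not alert.
EVENTS = [
    {"pid": 600,  "ppid": 0,    "image": r"C:\Windows\explorer.exe",          "cmdline": "explorer.exe"},
    {"pid": 1000, "ppid": 600,  "image": r"C:\Users\bob\Downloads\aa.exe",     "cmdline": "aa.exe"},
    {"pid": 1010, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",   "cmdline": r"wscript.exe //B C:\LMPupdate\set\start.vbs"},
    {"pid": 1020, "ppid": 1010, "image": r"C:\Windows\System32\cmd.exe",       "cmdline": r"cmd.exe /c C:\LMPupdate\set\183.bat"},
    {"pid": 1030, "ppid": 1020, "image": r"C:\Windows\System32\PING.EXE",      "cmdline": "ping 127.0.0.1 -n 5"},
    {"pid": 1040, "ppid": 1020, "image": r"C:\LMPupdate\set\unpakedree.exe",   "cmdline": "unpakedree.exe"},
    {"pid": 1050, "ppid": 1020, "image": r"C:\Windows\System32\taskkill.exe",  "cmdline": "taskkill /f /im aa.exe"},
    # benign: an interactive shell pinging the gateway (no script-host parent)
    {"pid": 2000, "ppid": 600,  "image": r"C:\Windows\System32\cmd.exe",       "cmdline": "cmd.exe"},
    {"pid": 2010, "ppid": 2000, "image": r"C:\Windows\System32\PING.EXE",      "cmdline": "ping 10.0.0.1"},
    # benign: a logon script that only pings once (a single trait, below threshold)
    {"pid": 3000, "ppid": 600,  "image": r"C:\Windows\System32\wscript.exe",   "cmdline": r"wscript.exe \\fileserver\netlogon\logon.vbs"},
    {"pid": 3010, "ppid": 3000, "image": r"C:\Windows\System32\cmd.exe",       "cmdline": "cmd.exe /c ping -n 1 fileserver"},
    {"pid": 3020, "ppid": 3010, "image": r"C:\Windows\System32\PING.EXE",      "cmdline": "ping -n 1 fileserver"},
]


def basename(image):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def descendants(pid, children):
    """All pids below pid, depth-first, so a cmd.exe -> cmd.exe -> tool re-spawn (as in the
    behavior graph) is still attributed to the first cmd.exe."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children.get(p, []))
    return out


def ancestry(pid, by_pid):
    """Image names from the tree root down to pid, for alert context."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(names))


def detect(events, min_traits=2):
    """Alert on each cmd.exe whose parent is a script host and whose descendants show at
    least min_traits of: delay tool, kill tool, execution from the drop directory."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    alerts = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        traits = set()
        for d in descendants(e["pid"], children):
            img = by_pid[d]["image"]
            name = basename(img)
            if name in DELAY_TOOLS:
                traits.add("delay")
            if name in KILL_TOOLS:
                traits.add("kill")
            if img.lower().startswith(DROP_DIR_PREFIX):
                traits.add("dropdir-exec")
        if len(traits) >= min_traits:
            alerts.append({"cmd_pid": e["pid"], "traits": traits,
                           "chain": ancestry(e["pid"], by_pid), "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Requiring two traits rather than one is what keeps the logon-script case quiet: ping.exe under a script-spawned cmd.exe is common in enterprise environments, while ping plus taskkill plus an executable started from a freshly created directory is the self-deleting dropper pattern the sandbox signatures describe.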
Unpacked files
SHA256 hash: d27d12d8fda192edae4388568319bd014d8e5894f50ef145dfac691bab9cbf52
MD5 hash: a0ee0ba482c1c58c26dc6878021270a3
SHA1 hash: 987df0b82062dfd87898b4b5c692f89b5616cfae
SHA256 hash: 187df3afe1396593b61a3062de471c74c729dafcf50192cae3caf80f3bbce2e5
MD5 hash: a5fdeae8ec2c12186b52a59e99c2d261
SHA1 hash: a6ad21e174b31f0233b42183100f16106c36c3f1
SHA256 hash: b1434e6201e3336c5c16886d64bfa80edf619139730402099635ede39ee83a3e
MD5 hash: 1393392f1ae071b793a5f7939d2a8a8d
SHA1 hash: f82d5484b77d62569e0970a2cf1e69c20b197165
SHA256 hash: 86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595
MD5 hash: 808e34a763acd79d01eeb1f54b18a551
SHA1 hash: df3f6e0f29d9d65a2afc401ab6938044f24c5506
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox product IDs
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is later than the local current time
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is later than the local current time
Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria
Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria
Rule name: VMware_detection_bin_mem
Author: James_inthe_box
Description: VMWare detection
Rule name: win_betabot_w0
Author: Venom23
Description: Neurevt Malware Sig
