MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f620e963130716ac09ba5a7c75d7e7ea42ac1a4b66fc0a106e6feb40941fe23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Neurevt


Vendor detections: 14



SHA256 hash: 8f620e963130716ac09ba5a7c75d7e7ea42ac1a4b66fc0a106e6feb40941fe23
SHA3-384 hash: 4d49787659877e9c718556220cae2cb01c8acf43f067d6b42aebac99f975f85fc3d65c5c2c9e5144657e65a1586d6fbe
SHA1 hash: 5de471ba28ececf11ea61487a4542bf90acad650
MD5 hash: 08efbec706e1393141e89e711a6bec6f
humanhash: kansas-seventeen-georgia-enemy
File name: 8f620e963130716ac09ba5a7c75d7e7ea42ac1a4b66fc0a106e6feb40941fe23
Signature: Neurevt
File size: 1'467'960 bytes
First seen: 2022-05-20 06:53:32 UTC
Last seen: 2022-05-20 07:59:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash b9c3c1592f11f23844ce8b62fe6373ac (7 x RedLineStealer, 1 x Neurevt, 1 x ArkeiStealer)
ssdeep 24576:tOmF+97bGoT9CXnUcXb4YTnOQYeEobHutJPB+3fsTJ0aob76T4ZlT:E4+M/X7rBnOQNqvPB6fsTJ0aI784XT
TLSH T1726512706B90CDB1E0A1A3F11C769B91A1367D92535294C79AC43BDA1A38FD39C323D7
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon c0c49a82b2b2cad6 (1 x Neurevt)
Reporter JAMESWT_WT
Tags: exe exxon-com Neurevt signed

Code Signing Certificate

Organisation: exxon.com
Issuer: GeoTrust RSA CA 2018
Algorithm: sha256WithRSAEncryption
Valid from: 2021-12-30T00:00:00Z
Valid to: 2022-09-02T23:59:59Z
Serial number: 0a2787fbb4627c91611573e323584113
Intelligence: 18 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 91e48715043484c128b036e90134233def398d0d19f26a2d543dcc9b8bb8c02d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://russk21.icu/forum8/logout.php | https://threatfox.abuse.ch/ioc/611662/

Intelligence


File Origin
# of uploads: 2
# of downloads: 266
Origin country: n/a
Vendor Threat Intelligence
Malware family: betabot
ID: 1
File name: CFDI_826271.zip
Verdict: Malicious activity
Analysis date: 2022-05-17 18:03:10 UTC
Tags: trojan betabot loader opendir

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Launching a process
Moving a system file
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Betabot
Detection: malicious
Classification: phis.troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Writes to foreign memory regions
Yara detected Betabot
Behaviour
Behavior Graph (rendered graph not reproduced; recoverable content follows)
Behavior Graph ID: 630810, Sample: gpMmYdPT87, Startdate: 20/05/2022, Architecture: WINDOWS, Score: 100
Start node: contacts russk21.icu; Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures
gpMmYdPT87.exe (started): Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
InstallUtil.exe (started): Creates an undocumented autostart registry key; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Maps a DLL or memory area into another process; 3 other signatures
explorer.exe (started): contacts russk21.icu and 192.168.2.1; System process connects to network (likely due to code injection or exploit); Overwrites Windows DLL code with PUSH RET codes; Modifies Internet Explorer zone settings; 3 other signatures
EIINqqiuIJBLVzs.exe (injected, 3 instances) and 11 other processes: Hides threads from debuggers
Threat name: Win32.Trojan.Neurevt
Status: Malicious
First seen: 2022-05-16 14:02:40 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: systembc
Score: 10/10
Tags: family:betabot family:systembc backdoor botnet collection evasion persistence spyware stealer suricata trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops desktop.ini file(s)
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Sets file execution options in registry
BetaBot
Modifies firewall policy service
SystemBC
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
Malware Config
C2 Extraction:
85.25.207.68:4208
moscow11.icu:4208
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments