MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aef47ea6290bbdfa6ca5994e556ba1d3a09200a525ab0aa11eb9fca8f324dfdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aef47ea6290bbdfa6ca5994e556ba1d3a09200a525ab0aa11eb9fca8f324dfdf
SHA3-384 hash: b8c89c70b7f66df7f7e6b7a2febf7219eb4d0cea30103b62b70cc0453e9239ad23d9792b1d52f343a7d9d5313d427c50
SHA1 hash: 077d03bbe5c57015103583eb9a6dd3afbc8e45a9
MD5 hash: 9e6a523473b8b248169a7c012df77e71
humanhash: uniform-gee-potato-ceiling
File name:Completed Finance Application and Required Documents.DOC.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:306'688 bytes
First seen:2020-10-13 10:35:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f743ce0c78f71fda5cc340579f681f9c (2 x Neurevt)
ssdeep 6144:6JYLkeRC8x0eTcBZnpMJVhOBJel9XrdQL1yQyAY104d:oYoOkeT22VhCJelNCx7YX
Threatray 209 similar samples on MalwareBazaar
TLSH 6F64E12177A29372C16769308974CAA58A7FB9627B7001CB37E7362E5F307C04A76717
Reporter abuse_ch
Tags:exe Neurevt


Avatar
abuse_ch
Malspam distributing Neurevt:

HELO: saxamarketing.com
Sending IP: 199.217.115.34
From: naledistaat@mweb.co.za
Subject: Re: Finance Application and Required Documents
Attachment: Completed Finance Application and Required Documents.DOC.gz (contains "Completed Finance Application and Required Documents.DOC.exe")

Neurevt C2:
http://cwjamaica.us/et/logout.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70374/
Detection(s):
SecuriteInfo.com.Artemis9E6A523473B8.16070.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Adding an access-denied ACE
Launching a process
Creating a window
Unauthorized injection to a browser process
DNS request
Connection attempt
Sending an HTTP POST request
Changing a file
Searching for analyzing tools
Searching for the window
Setting browser functions hooks
Moving of the original file
Enabling autorun for a service
Firewall traversal
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing settings of the browser security zones
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
Betabot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489506
Signature
Binary is likely a compiled AutoIt script file
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Betabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297197 Sample: Completed Finance Applicati... Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Detected unpacking (changes PE section rights) 2->43 45 10 other signatures 2->45 7 Completed Finance Application and Required Documents.DOC.exe 12 25 2->7         started        10 91c55o35ko51.exe 23 2->10         started        12 91c55o35ko51.exe 23 2->12         started        14 2 other processes 2->14 process3 signatures4 49 Creates an undocumented autostart registry key 7->49 51 Maps a DLL or memory area into another process 7->51 53 Sample uses process hollowing technique 7->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->55 16 explorer.exe 18 48 7->16         started        57 Hides threads from debuggers 10->57 process5 dnsIp6 29 cwjamaica.us 45.153.203.141, 49741, 80 NETLABFR Netherlands 16->29 31 System process connects to network (likely due to code injection or exploit) 16->31 33 Overwrites Windows DLL code with PUSH RET codes 16->33 35 Modifies Internet Explorer zone settings 16->35 37 4 other signatures 16->37 20 GynjaUVCTjwds.exe 1 23 16->20 injected 23 GynjaUVCTjwds.exe 1 23 16->23 injected 25 GynjaUVCTjwds.exe 1 23 16->25 injected 27 15 other processes 16->27 signatures7 process8 signatures9 47 Hides threads from debuggers 20->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aef47ea6290bbdfa6ca5994e556ba1d3a09200a525ab0aa11eb9fca8f324dfdf/
Threat name:
Win32.Trojan.Weelsof
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 06:12:24 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v32h5jrjbo67u3fftfhfk25b2oqjeaffewvqvii6xh6kr4ze37pq._file
Verdict:
malicious
Similar samples:
1da069d39e2e88c624698760567c4019ca2de990b05c429be843355a0531b51a
Neurevt
2962eba90f4c76463186e170ae32e1ad8ed50b589a83bee7016dc942b80cd0df
Neurevt
46387625361cd440a23520b7bda25f402b586d00a44229754ab776e5e1bf34f7
Neurevt
757112683c4f6e6d8e0091606b7587acdb71946003b2a803052d3fb1d1686336
Neurevt
7ef7ff0660d406b237fd3253738d60a294c0273ca1436cf9ba87d5b2ea8d62d8
Neurevt
973b3d66cf3f04d5be0e10dfa5ab24fbc8c5d2b58cc5728d81a448dbe079f4e6
Neurevt
b092a330b736b90c25196d0784455f5d605aae83dca16f8569451236204d0976
Neurevt
b4e68cc1125476baac15e128b8e5daacbe857a05c525da252348ba0844ecca83
Neurevt
b5e4950f8979f18ad063f3df3fb483aa88273271254201dbc0e5241b7713edc2
Neurevt
e63df6a7f5c2a30456c884959644745ee0174df416492324c5ee31635958f855
Neurevt
+ 199 additional samples on MalwareBazaar
Result
Malware family:
betabot
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan backdoor botnet family:betabot
Link:
https://tria.ge/reports/201013-cen5x84vte/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Checks BIOS information in registry
Sets file execution options in registry
BetaBot
Modifies firewall policy service
Unpacked files
SH256 hash:
aef47ea6290bbdfa6ca5994e556ba1d3a09200a525ab0aa11eb9fca8f324dfdf
MD5 hash:
9e6a523473b8b248169a7c012df77e71
SHA1 hash:
077d03bbe5c57015103583eb9a6dd3afbc8e45a9
Link:
https://www.unpac.me/results/8c0bc3e7-bf08-4423-bfb1-6e330449aed0/
SH256 hash:
f64f0e1b8f2953b848d9faa9422307caa66872fb80e53b68f8a66156ae4b97d6
MD5 hash:
0a21372830da7640ceb48acf52e2830c
SHA1 hash:
8640a3ed8d65dec36d421435d5edf03e33521246
Link:
https://www.unpac.me/results/8c0bc3e7-bf08-4423-bfb1-6e330449aed0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aef47ea6290bbdfa6ca5994e556ba1d3a09200a525ab0aa11eb9fca8f324dfdf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:VMware_detection_bin_mem
Create hunting rule
Author:James_inthe_box
Description:VMWare detection
Rule name:win_betabot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_betabot_w0
Create hunting rule
Author:Venom23
Description:Neurevt Malware Sig

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neurevt

gz 71658592a83a50c7cc2a7c0398003f78b1e1efa5278aba06bf2b37c7c3a3b7b3

Neurevt

Executable exe aef47ea6290bbdfa6ca5994e556ba1d3a09200a525ab0aa11eb9fca8f324dfdf

(this sample)

  
Dropped by
MD5 97caa00aefa8dd8abddfeb2a95d9a71c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70374/
  
Dropped by
SHA256 71658592a83a50c7cc2a7c0398003f78b1e1efa5278aba06bf2b37c7c3a3b7b3

Comments