MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc7fb2af77215f36ed3e06ffa0082540b39038ec8f85df98a48879d9d942862b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc7fb2af77215f36ed3e06ffa0082540b39038ec8f85df98a48879d9d942862b
SHA3-384 hash: f9ef1aba5d05c54ad5673cc3a6ff23d339086282bc4a2d4874b962af40ecb270522d0ac15ecf295592db99d64c189ccb
SHA1 hash: d6a2d0ea670ccbe197b6aabae4f936c78c0fe8ca
MD5 hash: cd9cf64a712aaceddaa97147846d1138
humanhash: triple-uniform-robert-robert
File name:Purchase Order 480211- CVE8112.PDF.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:389'120 bytes
First seen:2020-08-05 12:09:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5aba902997c884511d69ae71e1815994 (1 x Neurevt, 1 x ArkeiStealer)
ssdeep 6144:JvBQ8mKFjf2W8gBpiNDZz5mQeLEn8TuIUeCR4TvH:pBQwRUNDTHj2BB6ovH
TLSH 7484E01471C1C072E41D6176482AD7B49E6F787A68265D8F7FFA49BD0F382E2E62630C
Reporter abuse_ch
Tags:exe Neurevt


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: host.qualifairs.com
Sending IP: 85.25.130.41
From: buyer@ffs.co.za
Subject: Purchase Order : 480211- CVE8112
Attachment: Purchase Order 480211- CVE8112.PDF.gz (contains "Purchase Order 480211- CVE8112.PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39558/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Adding an access-denied ACE
Launching a process
Creating a window
Sending a UDP request
Unauthorized injection to a browser process
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending an HTTP POST request
Changing a file
Setting browser functions hooks
Moving of the original file
Enabling autorun for a service
Firewall traversal
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing settings of the browser security zones
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
Betabot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/411181
Signature
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Betabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257939 Sample: Purchase Order  480211- CVE... Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 42 winqits.com 2->42 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Detected unpacking (changes PE section rights) 2->54 56 Detected unpacking (overwrites its own PE header) 2->56 58 8 other signatures 2->58 8 Purchase Order  480211- CVE8112.PDF.exe 12 25 2->8         started        11 1ws75c7g7111.exe 23 2->11         started        13 1ws75c7g7111.exe 2->13         started        15 2 other processes 2->15 signatures3 process4 signatures5 60 Creates an undocumented autostart registry key 8->60 62 Maps a DLL or memory area into another process 8->62 64 Sample uses process hollowing technique 8->64 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->66 17 explorer.exe 18 51 8->17         started        21 WerFault.exe 8->21         started        68 Hides threads from debuggers 11->68 23 WerFault.exe 11->23         started        25 WerFault.exe 13->25         started        27 WerFault.exe 15->27         started        29 WerFault.exe 15->29         started        process6 dnsIp7 40 winqits.com 80.249.144.123, 49736, 49739, 49740 SELECTELRU Russian Federation 17->40 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Overwrites Windows DLL code with PUSH RET codes 17->46 48 Modifies Internet Explorer zone settings 17->48 50 4 other signatures 17->50 31 MrvsObzLcVwlBukuuIqcHGAo.exe 1 23 17->31 injected 34 MrvsObzLcVwlBukuuIqcHGAo.exe 1 23 17->34 injected 36 MrvsObzLcVwlBukuuIqcHGAo.exe 1 23 17->36 injected 38 8 other processes 17->38 signatures8 process9 signatures10 70 Hides threads from debuggers 31->70
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc7fb2af77215f36ed3e06ffa0082540b39038ec8f85df98a48879d9d942862b/
Threat name:
Win32.Trojan.Glubpteba
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 11:05:57 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xr73fl3xefptn3j6a372acbficzzaohmr6c57gferb45twkcqyvq._file
Verdict:
unknown
Result
Malware family:
betabot
Create hunting rule
Score:
  10/10
Tags:
evasion trojan persistence backdoor botnet family:betabot
Link:
https://tria.ge/reports/200805-w4qcdvneps/
Behaviour
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious behavior: MapViewOfSection
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Checks BIOS information in registry
Sets file execution options in registry
BetaBot
Modifies firewall policy service
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc7fb2af77215f36ed3e06ffa0082540b39038ec8f85df98a48879d9d942862b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_betabot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_betabot_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_betabot_w0
Create hunting rule
Author:Venom23
Description:Neurevt Malware Sig
Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neurevt

gz 53dab0fb12afefb47f342c4e76da063251be9e45555a1b7d6fb436a1e7c3b88e

Neurevt

Executable exe bc7fb2af77215f36ed3e06ffa0082540b39038ec8f85df98a48879d9d942862b

(this sample)

  
Dropped by
MD5 73cd29e8619a44fe142331c93d8f4dea
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 53dab0fb12afefb47f342c4e76da063251be9e45555a1b7d6fb436a1e7c3b88e
Cape
Cape
https://www.capesandbox.com/analysis/39558/

Comments