MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c040a2c32938707e1579fecce89e3c4fa04d019a467f642dd2bb18bab35bf99d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Neurevt


Vendor detections: 12



SHA256 hash: c040a2c32938707e1579fecce89e3c4fa04d019a467f642dd2bb18bab35bf99d
SHA3-384 hash: f6ed6c6671b7ae7ea4a6ad9d99b27b89d44481ed27b2dacf14cb91edc1c99a7dc15d15f2f7e5556f0b57e3512113a347
SHA1 hash: de58bf97363c74d83249df1ec2f1e9d62a2101d9
MD5 hash: f89a4c9d373e3c928bc405d56a496850
humanhash: zebra-hawaii-apart-five
File name: CFDI_826271_53535.exe
Signature Neurevt
File size: 916'276 bytes
First seen: 2022-07-13 06:33:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 24576:v20gPgFK7pQxAVBbIcXbQQ78cDEVcLjm1kL5rSS:uKJxAjIEv78c2cLyaL5rSS
TLSH T1B515126271D1C072F99324318BF49672FD797C318661B28BA7A03A6D2F31961C72AF53
TrID 80.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
9.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
3.1% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon 36313179494949a1 (1 x Neurevt)
Reporter JAMESWT_WT
Tags: exe Neurevt

Intelligence


File Origin
# of uploads: 1
# of downloads: 245
Origin country: n/a
Vendor Threat Intelligence
Malware family: betabot
ID: 1
File name: CFDI 826271 36057.exe
Verdict: Malicious activity
Analysis date: 2022-01-18 17:43:36 UTC
Tags: trojan betabot loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Moving a file to the %AppData% subdirectory
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Moving a recently created file
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Betabot
Detection: malicious
Classification: phis.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Early bird code injection technique detected
Found API chain indicative of debugger detection
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Betabot
Behaviour
Behavior Graph: ID 662392, sample CFDI_826271_53535.exe, start date 13/07/2022, architecture WINDOWS, score 100 (rendered process-tree graph not reproduced here).
Threat name: Win32.Infostealer.Xploder
Status: Malicious
First seen: 2022-01-19 13:09:00 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 20 of 26 (76.92%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: betabot
Score: 10/10
Tags: family:betabot backdoor botnet evasion persistence trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Sets file execution options in registry
Sets file to hidden
BetaBot
Modifies firewall policy service
Unpacked files
SHA256 hash: b937fe9d61fa467c4fc267dd068d10aa40b5bd083af73cbf136d3dce7189732b
MD5 hash: a23922ebc914609f86047caa1ab7e5e1
SHA1 hash: bfb7066a69d1c690491b51bb0b2afea090e5774f
SHA256 hash: 2f7a93c6038b43bb018583591813182b2db3543d4551ebdae099082a7885ef3f
MD5 hash: d7c67d3f450afbaa83712d903f345ce0
SHA1 hash: b68ac720c411bbaf707c73ab9da5a00896a67aab
SHA256 hash: acb39a9d0d7455b41a3dc4e279df69715f26b41c1659851ec5e8ebc0f133f0a2
MD5 hash: eaf113826092e489be9071d57f0ec317
SHA1 hash: 3aabf8e08749fe219d410bb23bf40c8017ca8a20
SHA256 hash: c040a2c32938707e1579fecce89e3c4fa04d019a467f642dd2bb18bab35bf99d
MD5 hash: f89a4c9d373e3c928bc405d56a496850
SHA1 hash: de58bf97363c74d83249df1ec2f1e9d62a2101d9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox product IDs
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: WIN32_MALWR_DROPPER_INJECTOR_RANSOMWARE
Author: Jesper Mikkelsen
Description: Detect suspicious dropper injector - possible ransomware dropper
Reference: SHA-1:0feda1e7b0d4506270c85973826fa498e9ed0f5b
Rule name: win_betabot_w0
Author: Venom23
Description: Neurevt Malware Sig

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments