MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1ebfaa5144a986271298dd044a82bc3e27362debe5475b028a916dbbfb97bbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1ebfaa5144a986271298dd044a82bc3e27362debe5475b028a916dbbfb97bbd
SHA3-384 hash: 42928c4592ac91c4175182f38a8a4b8b2a39a55065b4732a279ff6b8dfa0dda5bfbba493b92eb61676186ce3afe7af50
SHA1 hash: 2d4ac07c3d4ede47c08accf50d0dcbbf23725090
MD5 hash: 3a34763afced1c015e7dbf36bccd545b
humanhash: speaker-alabama-alanine-mirror
File name:Notification from SARS, Defaulter letter.PDF.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:315'392 bytes
First seen:2020-10-08 12:48:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a534487f1fbb5f5f14f9354c3335289f (1 x Neurevt, 1 x Amadey)
ssdeep 6144:LqWt5+LFJ0sADl1/XKzK8sS85IQSG1m3tSM0PFr9oJBG:228xJ0sA7KKw85IQSGE6
Threatray 201 similar samples on MalwareBazaar
TLSH D564E00077D1D432E6611E3589A2C675067FFCA5AB2449CB7BB4BF1A9E322D18E34783
Reporter abuse_ch
Tags:exe geo Neurevt SARS ZAF


Avatar
abuse_ch
Malspam distributing Neurevt:

From: noreply@sars.gov.za
Subject: Notification from SARS: (You have been Listed as a DEFAULTER)
Attachment: Notification from SARS, Defaulter letter.PDF.gz (contains "Notification from SARS, Defaulter letter.PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69233/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Launching a process
Creating a window
Unauthorized injection to a browser process
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending an HTTP POST request
Changing a file
Setting browser functions hooks
Moving of the original file
Enabling autorun for a service
Firewall traversal
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing settings of the browser security zones
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
Betabot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485436
Signature
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Betabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295254 Sample: Notification from SARS, Def... Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Detected unpacking (changes PE section rights) 2->43 45 8 other signatures 2->45 7 Notification from SARS, Defaulter letter.PDF.exe 12 25 2->7         started        10 ye1cmwo919.exe 23 2->10         started        12 ye1cmwo919.exe 23 2->12         started        14 3 other processes 2->14 process3 signatures4 51 Creates an undocumented autostart registry key 7->51 53 Maps a DLL or memory area into another process 7->53 55 Sample uses process hollowing technique 7->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->57 16 explorer.exe 18 51 7->16         started        59 Hides threads from debuggers 10->59 process5 dnsIp6 29 cwjamaica.us 45.153.203.141, 49745, 80 NETLABFR Netherlands 16->29 31 System process connects to network (likely due to code injection or exploit) 16->31 33 Overwrites Windows DLL code with PUSH RET codes 16->33 35 Modifies Internet Explorer zone settings 16->35 37 4 other signatures 16->37 20 ewNgBDwWiAhonZqpKfNmPLOpOcbDk.exe 1 23 16->20 injected 23 ewNgBDwWiAhonZqpKfNmPLOpOcbDk.exe 1 23 16->23 injected 25 ewNgBDwWiAhonZqpKfNmPLOpOcbDk.exe 1 23 16->25 injected 27 9 other processes 16->27 signatures7 process8 signatures9 47 Hides threads from debuggers 20->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1ebfaa5144a986271298dd044a82bc3e27362debe5475b028a916dbbfb97bbd/
Threat name:
Win32.Trojan.Neurevt
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 12:50:08 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhv7vjiujkmge4jjrxiejkblyprhgyw6xzkhlmbivelnxp5zpo6q._file
Verdict:
malicious
Similar samples:
1da069d39e2e88c624698760567c4019ca2de990b05c429be843355a0531b51a
Neurevt
46387625361cd440a23520b7bda25f402b586d00a44229754ab776e5e1bf34f7
Neurevt
468f9abc380cedf17528958eb0ccd8e42e100e05ecb250f31a11d3f946765990
Neurevt
8d6e4671da660a178432514e56aaf7445ea4f03a60f20cc9b6d29826ab435975
Neurevt
959621ed5f48dbbefe1c0e0e0a87bba88bc7a6b39cd1e10af930e1b969de9f97
Neurevt
973b3d66cf3f04d5be0e10dfa5ab24fbc8c5d2b58cc5728d81a448dbe079f4e6
Neurevt
9ea8141b737b1dd5d56c800d4f84048014d83489f0fb3a78e42076a81186e30d
Neurevt
a606cc038ea51f1a3093199c2faaa5181ea983e7da03ad72287d4ff968c9c766
Neurevt
b4e68cc1125476baac15e128b8e5daacbe857a05c525da252348ba0844ecca83
Neurevt
e63df6a7f5c2a30456c884959644745ee0174df416492324c5ee31635958f855
Neurevt
+ 191 additional samples on MalwareBazaar
Result
Malware family:
betabot
Create hunting rule
Score:
  10/10
Tags:
evasion trojan backdoor botnet family:betabot persistence
Link:
https://tria.ge/reports/201008-benqbcctmn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Checks BIOS information in registry
Sets file execution options in registry
BetaBot
Modifies firewall policy service
Unpacked files
SH256 hash:
c1ebfaa5144a986271298dd044a82bc3e27362debe5475b028a916dbbfb97bbd
MD5 hash:
3a34763afced1c015e7dbf36bccd545b
SHA1 hash:
2d4ac07c3d4ede47c08accf50d0dcbbf23725090
Link:
https://www.unpac.me/results/3290531d-7d88-41c9-8499-b2a3cce76775/
SH256 hash:
f64f0e1b8f2953b848d9faa9422307caa66872fb80e53b68f8a66156ae4b97d6
MD5 hash:
0a21372830da7640ceb48acf52e2830c
SHA1 hash:
8640a3ed8d65dec36d421435d5edf03e33521246
Link:
https://www.unpac.me/results/3290531d-7d88-41c9-8499-b2a3cce76775/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1ebfaa5144a986271298dd044a82bc3e27362debe5475b028a916dbbfb97bbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_betabot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_betabot_w0
Create hunting rule
Author:Venom23
Description:Neurevt Malware Sig

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Neurevt

gz 5f58d3aa78d0404d182712b283393bb8b759080791439c474a81cf6cddd13dc3

Neurevt

Executable exe c1ebfaa5144a986271298dd044a82bc3e27362debe5475b028a916dbbfb97bbd

(this sample)

  
Dropped by
MD5 c8b6d6f792f46bf60025fe010b0b2ca7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69233/
  
Dropped by
SHA256 5f58d3aa78d0404d182712b283393bb8b759080791439c474a81cf6cddd13dc3

Comments