MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6ba807010aec7a25ad106d9bce0f3b70d9c3d2223e93344cf5fad10ed1eedd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Neurevt


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6ba807010aec7a25ad106d9bce0f3b70d9c3d2223e93344cf5fad10ed1eedd3
SHA3-384 hash: a35746d6a2be5f62789739f4f7370c498b9bc8318641bb8364112d084c5483185d14a35b0bca02b03cc220bb036b3f92
SHA1 hash: 29b9ee192ebf4b587dbfd0d908f6ae74a7b3817d
MD5 hash: 99cf40f54910d611105302fee1851b7d
humanhash: grey-four-diet-timing
File name:C6BA807010AEC7A25AD106D9BCE0F3B70D9C3D2223E93.exe
Download: download sample
Signature Neurevt
Create hunting rule
File size:343'367 bytes
First seen:2021-10-01 21:16:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e990dd07e89d04c53e337ab9b3f5e0cc (15 x GuLoader, 11 x VIPKeylogger, 3 x Pony)
ssdeep 6144:e2YnYaY9bgKWDjWzuYkyz68it0SGoRyPQq1Vi5SaX5Ep8DM7GUIY:gZesDjWHkxbtf/R8D1VMHX5c8DA
Threatray 5'867 similar samples on MalwareBazaar
TLSH T1F7741202DBD5D857DAD52332C9A767B207B2DA1140702E571B953FBBCC307A18B67B0A
File icon (PE):PE icon
dhash icon 69ccd4d49696cc71 (13 x Adware.Adload, 8 x CoinMiner, 7 x ValleyRAT)
Reporter abuse_ch
Tags:exe Neurevt


Avatar
abuse_ch
Neurevt C2:
http://tachie.com/pop/fra/logout.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://tachie.com/pop/fra/logout.php https://threatfox.abuse.ch/ioc/229554/

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C6BA807010AEC7A25AD106D9BCE0F3B70D9C3D2223E93.exe
Verdict:
Malicious activity
Analysis date:
2021-10-01 21:19:35 UTC
Tags:
installer
Link:
https://app.any.run/tasks/31ad3e9b-1199-44a0-93b6-4d9fca5d9634

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194057/
Detection(s):
Win.Packer.MalwareCrypter-6642003-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Launching a process
Creating a window
Unauthorized injection to a browser process
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending an HTTP POST request
Setting browser functions hooks
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing settings of the browser security zones
Enabling autorun for a service
Unauthorized injection to a system process
Enabling autorun
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1030fa5-0cfa-4735-8987-44583b8038ae
Result
Threat name:
Betabot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862922
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Betabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495350 Sample: C6BA807010AEC7A25AD106D9BCE... Startdate: 01/10/2021 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 8 other signatures 2->54 8 C6BA807010AEC7A25AD106D9BCE0F3B70D9C3D2223E93.exe 13 2->8         started        12 55e3q553571.exe 13 2->12         started        14 55e3q553571.exe 13 2->14         started        16 2 other processes 2->16 process3 file4 36 C:\Users\user\AppData\Local\...\System.dll, PE32 8->36 dropped 74 Detected unpacking (changes PE section rights) 8->74 76 Detected unpacking (overwrites its own PE header) 8->76 18 C6BA807010AEC7A25AD106D9BCE0F3B70D9C3D2223E93.exe 12 25 8->18         started        38 C:\Users\user\AppData\Local\...\System.dll, PE32 12->38 dropped 21 55e3q553571.exe 12->21         started        40 C:\Users\user\AppData\Local\...\System.dll, PE32 14->40 dropped 42 C:\Users\user\AppData\Local\...\System.dll, PE32 16->42 dropped 44 C:\Users\user\AppData\Local\...\System.dll, PE32 16->44 dropped signatures5 process6 signatures7 56 Creates an undocumented autostart registry key 18->56 58 Maps a DLL or memory area into another process 18->58 60 Sample uses process hollowing technique 18->60 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->62 23 explorer.exe 9 51 18->23         started        64 Hides threads from debuggers 21->64 process8 dnsIp9 46 tachie.com 52.58.78.16, 49758, 49759, 49760 AMAZON-02US United States 23->46 66 System process connects to network (likely due to code injection or exploit) 23->66 68 Overwrites Windows DLL code with PUSH RET codes 23->68 70 Modifies Internet Explorer zone settings 23->70 72 4 other signatures 23->72 27 MWTicwnaPtQgwaFvtSBzxnBpRk.exe 1 23 23->27 injected 30 MWTicwnaPtQgwaFvtSBzxnBpRk.exe 1 23 23->30 injected 32 MWTicwnaPtQgwaFvtSBzxnBpRk.exe 1 23 23->32 injected 34 12 other processes 23->34 signatures10 process11 signatures12 78 Hides threads from debuggers 27->78 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->80
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6ba807010aec7a25ad106d9bce0f3b70d9c3d2223e93344cf5fad10ed1eedd3/
Threat name:
Win32.Trojan.Neurevt
Create hunting rule
Status:
Malicious
First seen:
2018-07-26 23:43:43 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y25ia4aqv3d2ewwra3m3zyhtw4gzypjceputgrgpl6wrb3i65xjq._file
Verdict:
malicious
Similar samples:
03e3837f16d46a1a0a13904fae467c105b1aae66b382e8313b20b90269e53ed6
Neurevt
144c0621ca5ecb402de01d8f10044f92a2ef917522e4b4955f3760bb17095bac
Neurevt
15a23e5e766596dbc471b4e4afa49316c141a8ee981194c0508f73b0a7f2ccf0
Neurevt
273811e7b3de14abc8cfbbb28be4ab3c39922ff09c869f1a4b6b357577f0d374
Neurevt
3ad3e9feca98bd1c94415f0319340c3c9416541f4592f7373aeeab289a03c7ac
Neurevt
4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e
Neurevt
55c12cb22033e12af48c4bb80b660e4ace8ed2364e7147979e30355bab7d5469
Neurevt
86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595
Neurevt
f7cceb61dd5807edcc2afe0e95d0de6149bcad1b20e3903bd2b3b8b82ae6b3a3
Neurevt
+ 5'857 additional samples on MalwareBazaar
Result
Malware family:
betabot
Create hunting rule
Score:
  10/10
Tags:
family:betabot backdoor botnet evasion persistence suricata trojan
Link:
https://tria.ge/reports/211001-z413jadcfq/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Sets file execution options in registry
Modifies firewall policy service
suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4
BetaBot
Unpacked files
SH256 hash:
d30f3e0c9dd391c3def4f66df0cf20b84a811b9e87534de24ad7b88d2ffd40c1
MD5 hash:
47fff5eed8533f30662aa66850c06ad4
SHA1 hash:
146b3a853376ea2b90aea1fb36fd062448531ca0
Link:
https://www.unpac.me/results/b739c6f9-4db4-4eaa-8409-7f12375bf3f9/
SH256 hash:
1281aa31f03c0c2408c0365eae80d2ee2cb2a51cc9d2c09851e117f47993864b
MD5 hash:
992f862edc5e415c35895e479d9152db
SHA1 hash:
7a0fff793860cf15cd726604c6166c063a03888b
Link:
https://www.unpac.me/results/b739c6f9-4db4-4eaa-8409-7f12375bf3f9/
SH256 hash:
f9400871f8f4908c7e4955f971d96101c60a65a84f4547d17d6da7fd81856877
MD5 hash:
40c89e417fec284de00d4c54eb707325
SHA1 hash:
78f114d5ad12b81f7850fd6762d67ff052d32373
Link:
https://www.unpac.me/results/b739c6f9-4db4-4eaa-8409-7f12375bf3f9/
SH256 hash:
c6ba807010aec7a25ad106d9bce0f3b70d9c3d2223e93344cf5fad10ed1eedd3
MD5 hash:
99cf40f54910d611105302fee1851b7d
SHA1 hash:
29b9ee192ebf4b587dbfd0d908f6ae74a7b3817d
Link:
https://www.unpac.me/results/b739c6f9-4db4-4eaa-8409-7f12375bf3f9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c6ba807010ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6ba807010aec7a25ad106d9bce0f3b70d9c3d2223e93344cf5fad10ed1eedd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox product IDs
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_betabot_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.betabot.
Rule name:win_betabot_w0
Create hunting rule
Author:Venom23
Description:Neurevt Malware Sig

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/194057/

Comments