The trojan malware Neurevt is back in a new version as an infostealer with spyware and backdoor capabilities
About the threat:
The Neurevt trojan malware has been around for some time now. This newer version is a refinement of the earlier one and has sophisticated spyware and backdoor capabilities. Being an infostealer, Neurevt exfiltrates user credentials such as usernames and passwords as well as other confidential information. It is also capable of capturing screenshots of the infected system.
Neurevt is called sophisticated for good reason. It enters the system impersonating a legitimate update and quickly creates a folder containing executable files. During its initial infiltration it renames the newly created folder holding the executable files, which is itself password protected. After installing the executable files, the trojan deletes all of the executable files and the folders it created.
Other names / aliases:
Neurevt Trojan also goes by the alias Betabot.
Our Analysis of the Modus Operandi
Analysts from SecneurX have analysed the Neurevt malware based on artifacts acquired from the wild. These artifacts were analysed using the SecneurX Advanced Dynamic Malware Analysis Platform. Along with this article we have included IOCs (Indicators of Compromise) and the malware's behavioural analysis report, which come in handy for SOC / Security Analysts.
In this article we will use one of the analyzed artifacts (SHA256 86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595) and explain the behaviour of the malware.
Malware Process Flow
The image below shows the execution flow of the sample artifact. Each step is explained in detail in the next section.
Malware execution sequence:
Step 1
When executed, the artifact creates the folder "C:\LMPupdate\set" and extracts executable and batch files into it. The extracted files have .exe, .bat and .rar extensions. Figure 1 below shows the extracted contents.
Figure.1 Files and scripts extracted by malware
Step 2
The malware uses the built-in Windows script host to launch a VBScript, which in turn launches the batch file. In this sample the VBS script "C:\LMPupdate\set\435246.vbs" launches the batch file "183.bat".
Figure 2 shows the contents of the 435246.vbs script, including the process creation of the batch file.
Figure 2: Content of 435246.vbs
Step 3
The "183.bat" file extracts the password protected rar file (43939237cx.rar) to the same path, then executes the extracted "3980392CV.vbs" and deletes itself and the rar file. Figures 3 and 4 show the contents of 183.bat and of the extracted 43939237cx.rar file.
Figure 3: Content of 183.bat
Figure 4: Files and scripts inside 43939237cx.rar
Step 4
The batch file 48551.bat extracts the 43939237cx.rar file and launches xc829374091FD.exe.
After launching the executable it deletes all files in the folder and then deletes the folder itself to erase its footprint.
Figure 5: Content of 48551.bat
Step 5
The executable xc829374091FD.exe initiates an explorer.exe process, and an executable file (k77saes3u.exe) is dropped at C:\Users\ADMINI~1\AppData\Local\Temp\k77saes3u.exe. When launched, this executable communicates with the Command & Control (CNC) server. Figure 6 shows the process flow of 48551.bat.
Figure 6: Process flow of 48551.bat
Step 6
The final payload has the following capabilities:
Exfiltration of user account information
Exfiltration of system information
Ability to capture screenshots
Figures 7, 8 and 9 show code snippets of the above capabilities.
Figure 7: Getting User account information
Figure 8: Reading logical drive information
Figure 9: Screen capturing functionality
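The staged chain in Steps 1 to 5 (script host running a .vbs out of C:\LMPupdate\set, cmd.exe running a .bat from the same folder, an executable launched from that folder, and a %TEMP% drop parented by it) is what a SOC analyst would want to match in process-creation telemetry. The following Python sketch is an added example, not part of the SecneurX report: the ProcEvent layout, the STAGES rule names and the sample events are constructed assumptions modelled on the analysis, not real Sysmon output.

```python
import re
from dataclasses import dataclass

STAGING_DIR = r"c:\lmpupdate\set"          # staging folder from Step 1 of the analysis
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
STAGES = ("vbs_from_staging_dir", "bat_spawned_by_staging_vbs",
          "exe_from_staging_dir", "temp_exe_from_staging_exe")

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str

def detect_neurevt_chain(events):
    """Return (rule, pid) hits in event order; stages B and D require a parent that hit an earlier stage."""
    hits, script_pids, exe_pids = [], set(), set()
    for e in events:
        image, cmd = e.image.lower(), e.cmdline.lower()
        name = image.rsplit("\\", 1)[-1]
        # Stage A (Step 2): a script host running a .vbs out of the staging folder.
        if name in SCRIPT_HOSTS and STAGING_DIR in cmd and ".vbs" in cmd:
            hits.append((STAGES[0], e.pid)); script_pids.add(e.pid)
        # Stage B (Steps 2-4): that script spawning a batch file.
        elif name == "cmd.exe" and e.ppid in script_pids and ".bat" in cmd:
            hits.append((STAGES[1], e.pid))
        # Stage C (Step 4): an executable launched from the staging folder.
        elif image.startswith(STAGING_DIR + "\\"):
            hits.append((STAGES[2], e.pid)); exe_pids.add(e.pid)
        # Stage D (Step 5): a %TEMP% executable whose parent is the stage-C binary.
        elif e.ppid in exe_pids and re.search(r"\\appdata\\local\\temp\\[^\\]+\.exe$", image):
            hits.append((STAGES[3], e.pid))
    return hits

def chain_complete(hits):
    return set(STAGES) <= {rule for rule, _ in hits}

# Constructed sample telemetry modelled on Steps 1-5 (not real Sysmon output).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\LMPupdate\set\435246.vbs"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\LMPupdate\set\183.bat"'),
    ProcEvent(400, 300, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\LMPupdate\set\3980392CV.vbs"'),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\LMPupdate\set\48551.bat"'),
    ProcEvent(600, 500, r"C:\LMPupdate\set\xc829374091FD.exe", "xc829374091FD.exe"),
    ProcEvent(700, 600, r"C:\Users\ADMINI~1\AppData\Local\Temp\k77saes3u.exe", "k77saes3u.exe"),
    ProcEvent(800, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Scripts\logon.vbs"'),  # benign noise
]
```

Calling `chain_complete(detect_neurevt_chain(SAMPLE_EVENTS))` returns True for the constructed chain, while the unrelated logon script and a %TEMP% binary without a staging-folder parent produce no hits.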
Data Exfiltration
Below is a screenshot of this malware's network communication with the CNC server russk18[.]icu.
Figure 10: Network packet screenshot showing CNC Communication
Indicators of Compromise
Malicious Domains
Malicious SHA256
How can you validate if your security controls can protect you against this malware?
Every month SecneurX releases the most prevalent malware that was active during that period, and Penataur automatically validates whether your security controls can prevent it. We released this Neurevt strain as part of the Windows threat June 2021 suite of Penataur, our Continuous Security Validation Platform.