New version of Neurevt malware identified

The trojan malware Neurevt is back in a new version as an infostealer with spyware and backdoor capabilities


About the threat:


The Neurevt trojan malware has been around for some time now. This newer version is a refinement of the earlier one and has sophisticated spyware and backdoor capabilities. Being an infostealer, Neurevt exfiltrates user credentials like username and password as well as other intellectual information. It is also capable of capturing screenshots of the infected system.

Neurevt is called sophisticated for good reason. It enters the infected system impersonating a legitimate update and quickly creates a folder with executable files. During its initial infiltration it renames the newly created folder containing the executable files, which itself is password protected. After installing the executable files, the trojan deletes all executable files and the folders it created.


Other names / aliases:

Neurevt Trojan also goes by the alias Betabot.


Our Analysis of the Modus Operandi


Analysts from SecneurX have analysed the Neurevt malware based on artifacts acquired from the wild. These artifacts were analysed using SecneurX Advanced Dynamic Malware Analysis Platform. Along with this article we have included IOC’s (Indicators of Compromise) and malware’s behavioural analysis report that comes in handy for SOC / Security Analysts.


In this article we will use one of the analyzed artifact (86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595) and explain the behaviour of the malware.


Malware Process Flow


The below image showcases the execution flow of the sample artifact. The detailed analysis of each step is explained in the next section.


Malware execution sequence:

Step 1

The artifact when executed creates a folder “C:\LMPupdate\set“ and extracts executable and batch files. The extracted files are of .exe, .bat and .rar extensions. Figure 1 below shows the extracted contents.

Figure.1 Files and scripts extracted by malware

Step 2

The Malware uses inbuilt Microsoft Windows Based Script to launch the vb script which in turn launches the bat file. In this sample the vbs script "C:\LMPupdate\set\435246.vbs" launches the Bat file “183.bat”.

Figure 2 shows the contents of 435246.vbs script showing the process creation of the batch file.

Figure 2: Content of 435246.vbs

Step 3

The “183.bat” file extracts the password protected rar (43939237cx.rar) file to the same path and then executes the extracted “3980392CV.vbs” and deletes itself and the rar file. Figure 3 and 4 shows the contents of 183.bat and extracted 43939237cx.rar file.

Figure 3: Content of 183.bat


Figure 4: Files and scripts inside in 43939237cx.rar


Step 4

The Bat file 48551.bat extracts 43939237cx.rar file and launches xc829374091FD.exe.

After launching the executable it deletes all files in the folder and then it deletes the folder to erase its footprints.


Figure 5: Content of 48551.bat

Step 5

The executable xc829374091FD.exe initiates explorer.exe process and an executable file (k77saes3u.exe) is dropped in the directory C:\Users\ADMINI~1\AppData\Local\Temp\k77saes3u.exe. This executable when launched communicates with Command & Control. Figure 6 shows the process flow of 48551.bat.


Figure 6: Process flow of 48551.bat

Step 6:

The final payload has the following capabilities

  • Exfiltration of user account information

  • Exfiltration of system information

  • Ability to capture screenshots

Figure 7, 8 and 9 shows the code snippet of the above capabilities

Figure 7: Getting User account information


Figure 8: Reading logical drive information


Figure 9: Screen capturing functionality

Data Exfiltration

Below is the screenshot of the network communication of this malware to the CNC russk18[.]icu

Figure 10: Network packet screenshot showing CNC Communication

Indicator of Compromise

Malicious Domains

russk17[.]icu

russk18[.]icu

morningstarlincoln[.]co[.]uk

brascase-br[.]com

eastexs[.]com

ereds6969[.]co

firecrackers[.]ru

moscow13[.]at

qdrenfa[.]com

rusianlover[.]icu

russk16[.]icu

winqits[.]com


Malicious SHA256

25bde46d4e813fdf14947860320313914d34753d84f4b0a7ded8787374b38559

86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595

152f5a9fbf434b4c0822fae2c373e9be9eba8cc89a1881cd5777832ea13287c7

73e8b8b48a312fb73bf31d822161a4dfda993449cc46a28bce67e11812f0b8da

096e15816ae4b046b38397a893f6f0524f4ead95973da24b4bc17d0a735a6f8d

3a2c441a96936c089c1444f4cd50436593fcd43a18c80a1699fc6b2d62dd6907

424f2f46f0cf4c96c2f8ef8954d1438db206486353601425ead011d74c4cb128

4cbea2e1043516b6868e4063119c0e3fdd0e16c2804bfe9e89a79bc52256c1d1

9a187a75ca61db6c079259b14f3b2921c9a9d5687ba5507ee2804b9029e1e7cd

9c717de3d5625d0aad114bd5148c8320e0a390c1b57c5bf9ced70fff06aa5729

144c0621ca5ecb402de01d8f10044f92a2ef917522e4b4955f3760bb17095bac

15e4cb0935bbbe01c87cd16904ee225c1e52e417a16ee4dd9bd3337453332a42

273811e7b3de14abc8cfbbb28be4ab3c39922ff09c869f1a4b6b357577f0d374

2750d82acc17245fb3f34ceb34d12d50090626ce0bb28902dd2dcc5db924dd48

39d13925ce0c57d2c5bb9603e9f65825c56daf4e0a7d5896e1b314866a8cda21

4241044fce8bace299a5a348c736970be1c89ecaf3aa0f28533486c915b8e1c1

4af7c93f154aff7489fa923d76328ef0ec16027b578b24f1ae40f2172f6e246c

4ec6bc906eed57679d67d4e20dd1725fe1e2d956cc76caef1a6661adaaa1cda4

4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e

53533c1e66deaaba84275f5d11465423bf957a5bcc51de05492792128381e7d7

6ca72b7d95f2194e902cac169cabc9dff55335046f5edabe3d6b6bb3d9a22bee

7081da7b4b389cb8caea2c0c9b1fc42f34785ec8481fec8159b931f5fb14f4ab

87d5b045f713c7029d1e48326535ca5fd11868ec714b4fab5b3871988f385dfe

8a59dfbd3825871183117a0b17cbb13af20b10f63297a47b92b0d38f7c2ecd54

916cb8f929a866acab106a2c2d28c38d365fbf07d171447a51d42c4986181cd6

9f9201840dd99614fb416b361d0553f732ca317a3883abf2c84a044cca4b1f2a

a6eeed448b239a2d3816c42959ffe4441202510061e27b9d1de9b5e5353cbed0

ad5b309dcd4971e85929fecc8c73494857a242971b5dcdae26d9a6d0903dc108

c1ebfaa5144a986271298dd044a82bc3e27362debe5475b028a916dbbfb97bbd

c2eea0526fcd8596d700eb7001185ac149b232319e8268bce21ccfe4fd1d7500

cf014a210dffdbab2295725281e5e92922093219ccb34a25d300f74b8fcc111b

d55d2d63aad9a8d3ca2c5f7fbbd8074d792c2a58ebc6e8dd00b369256cf2a1c8

d71c316ed713d1af43a650c071d49e2f21bea010d7b6abde364c8096d86b7b07


Behaviour report

86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595

How can you validate if your security controls can protect you against this malware?


Every month SecneurX releases the top prevalent malware that was active during the period. Penataur will automatically validate if your security controls can prevent this malware. We released this Neurevt strain as part of the Windows threat June 2021 suite of Penataur - Continuous Security Validation Platform.


171 views0 comments