2014-08-08 - BETABOT (NEUREVT) INFECTION FROM EMAIL ATTACHMENT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
THE EMAIL
SCREENSHOT:
MESSAGE TEXT:
From: Aisha Nadiath <sales@newmanflanqe[.]com>
Date: Friday, August 8, 2014 at 8:33 UTC
Subject: New Request for an offer
Dear Sir,
We are participating in an on going bid.
Please quote us the Offer products at a reasonable prices as mentioned in this tender document.
Thanks and Best Regards,
Aisha Nadiath
Purchase Manager
Overseas New Manflange Co. Ltd.
Attachment: Tender-013.zip (291.9 KB)
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: Tender-013.zip
File size: 220,501 bytes
MD5 hash: 95515c7fbe05c1e5faafe8fe55cec57f
Detection ratio: 14 / 54
First submission: 2014-08-08 06:25:07 UTC
VirusTotal link: https://www.virustotal.com/en/file/a00b4365b5716c5f2b9f5d62d5c9fd3e7f880089a16f91224ed03df03c1a0c39/analysis/
EXTRACTED MALWARE:
File name: Tender-013.exe
File size: 375,296 bytes
MD5 hash: 17ecbfa39ec3e5f5ba93fdd9d0885fde
Detection ratio: 15 / 53
First submission: 2014-08-08 08:27:47 UTC
VirusTotal link: https://www.virustotal.com/en/file/313b7051761561bc585bc7fe3689ae283f28f2ea54ccceaaffadacf18acc887e/analysis/
INFECTION TRAFFIC FROM RUNNING THE MALWARE IN A VM

- 23:41:52 UTC - [internal host]:53 - DNS query for: jifcotradingllc[.]biz (did not resolve)
- 23:41:53 UTC - [internal host]:53 - DNS query for: brotherlyworship[.]biz (did not resolve)
- 23:42:06 UTC - [internal host]:53 - DNS query for: brotherlyworshippers[.]biz (did not resolve)
- 23:42:19 UTC - [internal host]:53 - DNS query for: dreamswitchedmylife[.]biz (did not resolve)
- 23:42:24 UTC - [internal host]:53 - DNS query for: businessswitchedmylife[.]biz (did not resolve)
- 23:42:25 UTC - [internal host]:53 - DNS query for: nobemetalkam[.]com (did not resolve)
- 23:42:38 UTC - [internal host]:53 - DNS query for: heavensbreedonline[.]com
- 23:42:38 UTC - 199.175.51[.]62:80 - heavensbreedonline[.]com - POST /imges/order.php
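As an added example (not part of the original post), the Python below parses log lines written in the format of the traffic listing above and flags the pattern it shows: a run of unresolved DNS lookups from one host, then a domain that does resolve and receives an HTTP POST within seconds. The sample log, thresholds and function names are constructed here for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the same format as the traffic listing above
# (defanged "[.]" notation kept as-is; the parser treats it as part of the name).
TRAFFIC_LOG = """\
23:41:52 UTC - [internal host]:53 - DNS query for: jifcotradingllc[.]biz (did not resolve)
23:41:53 UTC - [internal host]:53 - DNS query for: brotherlyworship[.]biz (did not resolve)
23:42:06 UTC - [internal host]:53 - DNS query for: brotherlyworshippers[.]biz (did not resolve)
23:42:19 UTC - [internal host]:53 - DNS query for: dreamswitchedmylife[.]biz (did not resolve)
23:42:24 UTC - [internal host]:53 - DNS query for: businessswitchedmylife[.]biz (did not resolve)
23:42:25 UTC - [internal host]:53 - DNS query for: nobemetalkam[.]com (did not resolve)
23:42:38 UTC - [internal host]:53 - DNS query for: heavensbreedonline[.]com
23:42:38 UTC - 199.175.51[.]62:80 - heavensbreedonline[.]com - POST /imges/order.php
"""

DNS_RE = re.compile(r"^(\d\d:\d\d:\d\d) UTC - (.+?):53 - DNS query for: (\S+)(?: \((did not resolve)\))?$")
HTTP_RE = re.compile(r"^(\d\d:\d\d:\d\d) UTC - (\S+):(\d+) - (\S+) - (GET|POST) (\S+)$")

def parse(lines):
    """Turn DNS and HTTP lines into event dicts; unknown lines are skipped."""
    events = []
    for line in (l.strip() for l in lines if l.strip()):
        m = DNS_RE.match(line)
        if m:
            events.append({"t": datetime.strptime(m.group(1), "%H:%M:%S"), "kind": "dns",
                           "host": m.group(2), "domain": m.group(3), "resolved": m.group(4) is None})
            continue
        m = HTTP_RE.match(line)
        if m:
            events.append({"t": datetime.strptime(m.group(1), "%H:%M:%S"), "kind": "http",
                           "dst": m.group(2), "dport": int(m.group(3)), "domain": m.group(4),
                           "method": m.group(5), "uri": m.group(6)})
    return events

def find_fallback_checkin(events, min_failures=3, window=timedelta(seconds=120),
                          post_delay=timedelta(seconds=10)):
    """Flag a resolving lookup preceded by >= min_failures unresolved lookups inside
    `window` and followed within `post_delay` by a POST to that same domain."""
    dns = [e for e in events if e["kind"] == "dns"]
    http = [e for e in events if e["kind"] == "http"]
    findings = []
    for i, e in enumerate(dns):
        if not e["resolved"]:
            continue
        failed = [d["domain"] for d in dns[:i] if not d["resolved"] and e["t"] - d["t"] <= window]
        posts = [h for h in http if h["method"] == "POST" and h["domain"] == e["domain"]
                 and timedelta(0) <= h["t"] - e["t"] <= post_delay]
        if len(failed) >= min_failures and posts:
            findings.append({"c2_domain": e["domain"], "c2_dst": posts[0]["dst"],
                             "uri": posts[0]["uri"], "failed_lookups": failed})
    return findings
```

Running `find_fallback_checkin(parse(TRAFFIC_LOG.splitlines()))` on the sample returns one finding naming heavensbreedonline[.]com, its destination IP, the POST URI and the six failed lookups that preceded it; raising `min_failures` above six returns nothing.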
ALERTS FROM RUNNING THE MALWARE IN A VM

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 23:42:38 UTC - 199.175.51[.]62:80 - ETPRO TROJAN Win32/Neurevt.A Checkin 3 (sid:2807970)
- 23:42:38 UTC - 199.175.51[.]62:80 - ET TROJAN Win32/Neurevt Check-in 4 (sid:2018784)