{
	"id": "53303e00-e858-4a92-ba5b-a627fea4d2a8",
	"created_at": "2026-04-06T02:11:24.020527Z",
	"updated_at": "2026-04-10T03:22:08.60336Z",
	"deleted_at": null,
	"sha1_hash": "383b75296daf91a8249fb760d0ef5954e3ef3232",
	"title": "Neurevt trojan takes aim at Mexican users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5556432,
	"plain_text": "Neurevt trojan takes aim at Mexican users\r\nBy Chetan Raghuprasad\r\nPublished: 2021-08-17 · Archived: 2026-04-06 02:08:50 UTC\r\nTuesday, August 17, 2021 08:01\r\nBy Chetan Raghuprasad, with contributions from Vanja Svajcer.\r\nNews summary\r\nCisco Talos discovered a new version of the Neurevt trojan with spyware and backdoor capabilities in June 2021 using Cisco Secure Endpoint product telemetry.\r\nThis version of Neurevt appears to target users of Mexican financial institutions.\r\nThis threat demonstrates several techniques of the MITRE ATT\u0026CK framework, most notably T1547 - Boot or Login Autostart Execution, T1055 - Process Injection, T1546 - Event-Triggered Execution, T1056 - Credential API Hooking, T1553 - Subvert Trust Controls, T1562 - Impair Defences, T1112 - Modify Registry, T1497 - Virtualization/Sandbox Evasion, T1083 - File and Directory Discovery, T1120 - Peripheral Device Discovery, T1057 - Process Discovery, T1012 - Query Registry, T1518 - Software Discovery and T1082 - System Information Discovery.\r\nCisco Secure Endpoint, SNORTⓇ and Cisco Umbrella can all protect users from downloading this malware, protecting their online banking accounts from potential theft.\r\nWhat's new?\r\nAlthough Neurevt has been around for a while, recent samples in Cisco Secure Endpoint show that the actors combined this trojan with backdoors and information stealers. This trojan appears to target Mexican organizations.\r\nhttps://blog.talosintelligence.com/2021/08/neurevt-trojan-takes-aim-at-mexican.html\r\nPage 1 of 18\r\nTalos is tracking these campaigns, whose associated droppers embed URLs belonging to many major banks in Mexico.\r\nHow did it work?\r\nThe malware starts with an obfuscated PowerShell command that downloads an executable file belonging to the Neurevt family. The trojan drops other executables, scripts and files into folders that it creates at runtime. The dropped payload ends up in a benign-looking location of the filesystem and runs, elevating its privileges by stealing service token information. It then executes the following stages of the dropped executable file, which installs hook procedures to monitor keystrokes and mouse input events. It captures the monitor screen and clipboard contents. Neurevt then detects virtualized and debugger environments, disables the firewall and modifies the internet proxy settings on the victim's machine to evade detection and thwart analysis. Instead of calling known APIs for HTTP communication, the malware uses the System.Web namespace and its HTTP classes to enable browser-server communication with the command and control (C2) server and exfiltrate the data.\r\nSo what?\r\nOnline banking users in Mexico should be cautious while operating their computers and accessing emails and attachments, and should refrain from accessing unsecured websites. This trojan mostly steals users' usernames and passwords for the targeted sites and may also target other intellectual property. Organizations and individuals should keep their systems updated with the latest security patches for operating systems and applications and enable multi-factor authentication on their accounts where possible.\r\nTechnical details\r\nWhile researching malicious activity in Cisco Secure Endpoint logs, we spotted the execution of a PowerShell command. Attackers usually leverage PowerShell by obfuscating scripts. In this case, we could not locate the source of this PowerShell command, but it is most likely a Microsoft Office document or JavaScript code.\r\nPowerShell execution from the event logs of our telemetry.\r\nThe attacker attempts to bypass the PowerShell execution policy of the compromised endpoint and creates a new Google Chrome web client object to connect to the domain saltoune[.]xyz and download an executable file, which is the first stage of the malware.\r\nWe started our research by looking closely at the domain saltoune[.]xyz. It was created on June 21, 2021, and registered with NameCheap, based out of Reykjavik, Iceland. The serving IP address of the domain saltoune[.]xyz is 162[.]213[.]251[.]176, detected as malicious by five security vendors in VirusTotal. The domain hosts a malicious Win32 EXE with the SHA256 value 86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595.\r\nCisco Umbrella Investigate showed a spike in DNS requests to the malicious domain.\r\nWe downloaded the contents from the URL https://saltoune[.]xyz/pb/aa.exe.\r\nDownloading Stage 1 of the malware.\r\nWe ran the Stage 1 malware in the Cisco Secure Network Analytics environment and found that the activity started with the creation of directories and files.\r\nFiles created by the Stage 1 malware.\r\nThe Stage 1 malware creates a thread that sets registry keys mapping the \".vbs\" extension to program IDs so that the dropped file executes.\r\nRegistry keys to execute a file with the extension.\r\nThe WScript.exe process launches and modifies internet settings. ZoneMap registry keys disable the automatic detection of the intranet. It maps the local sites to the Intranet Zone, bypasses the proxy server and maps all network paths into the Intranet Zone.\r\nRegistry keys to set the Internet Explorer ZoneMap.\r\nThe WScript.exe process reads the file \"C:\\LMPupdate\\set\\435246.vbs\" and launches the Windows shell, which runs the batch file \"C:\\LMPupdate\\set\\183.bat\".\r\nContents of the 435246.vbs file.\r\nContents of the 183.bat file.\r\nThe batch file renames the file C:\\LMPupdate\\set\\x0329847998 to a password-protected RAR file, 43939237cx.rar. It runs unpakedree.exe to extract the contents of the RAR file using the password \"67dah9fasdd8kja8ds9h9sad\".\r\nThe Windows shell launches a WScript.exe process and runs the 3980392cv.vbs file.\r\nContents of the file 3980392cv.vbs.\r\nThis launches another Windows shell instance and runs the batch file 48551.bat.\r\nContents of the 48551.bat file.\r\nThe 48551.bat instance runs the second-stage malware xc829374091FD.exe as a process, which creates a child process with the name \"xc829374091FD.exe\" by writing its image into the child process's virtual memory. The batch file deletes the files in the folder \"C:\\LMPupdate\\set\" and removes the empty folder to erase its footprints. The process xc829374091FD.exe then creates the explorer.exe process and renames itself to \"13q77qiq.exe\" in the directory \\ProgramData\\Google Updater 2.09\\13q77qiq.exe.\r\nThe SHA256 hash value of \"13q77qiq.exe\" is 5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122. \"13q77qiq.exe\" is a 32-bit portable executable, with its language set to Russian, that uses the Windows graphical user interface (GUI) subsystem and carries the version number 234 234 23 (234 234 234 23).\r\nThe process explorer.exe reads the executable 13q77qiq.exe and writes it to the administrator's local temporary space: \\Users\\ADMINI~1\\AppData\\Local\\Temp\\13q77qiq_1.exe. This process also allocates memory in its own virtual address space and writes the image of 13q77qiq_1.exe into it, exhibiting the process injection mechanism.\r\nThe malware contacts a few domains to download the executables:\r\n1. http://morningstarlincoln[.]co[.]uk/ with the IP address 79[.]170[.]44[.]146. When contacted, it downloads a PE file with the SHA256 hash value 35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29.\r\n2. http://russk17[.]icu with the IP address 23[.]95[.]225[.]105. When contacted, it downloads an executable file named \"seer.exe\" with the SHA256 hash value 4d3ee3c1f78754eb21b3b561873fab320b89df650bbb6a69e288175ec286a68f.\r\nWe spotted embedded URLs while looking at the strings in the PE file with SHA256 hash value 35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29. They belong to many major financial institutions in Mexico.\r\nEmbedded strings extracted showing URLs.\r\nA closer look at the PE file showed functions capable of accessing the web page panels and text boxes of the above banking websites. Actors use these techniques to steal credentials and 2FA tokens. A few of the attacker-defined function calls and their address locations are displayed below:\r\nPersistence and privilege escalation\r\nThe attacker leveraged Windows registry features to establish persistence and escalate privileges. The MITRE ATT\u0026CK techniques used are:\r\nT1547 - Boot or Login Autostart Execution\r\nT1055 - Process Injection\r\nT1546 - Event-Triggered Execution\r\nT1056 - Credential API Hooking\r\nWe spotted a few processes that set Image File Execution Options in the registry to ensure malicious code runs when another application starts, and that add the path to autostart registry keys. The Explorer.exe process creates a debugger value. This is standard for developers, but is out of place here since it is automated.\r\nRegistry Key: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RSTRUI.exe\r\nValue: Debugger blvzufu.exes\\\\0\r\nRegistry Key: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\3K77573KMES7W.exe\r\nValue: DisableExceptionChainValidation\r\nRegistry Key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nValue: C:\\ProgramData\\Google Updater 2.09\\13q77qiq.exe\r\nRegistry Key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue: C:\\ProgramData\\Google Updater 2.09\\13q77qiq.exe\r\nRegistry Key: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nValue: C:\\ProgramData\\Google Updater 2.09\\13q77qiq.exe\r\nThe malware enumerates and tampers with user/account privileges by calling GetTokenInformation and AdjustTokenPrivileges.\r\nFunction that enumerates the user/account privilege information.\r\nFunction that tampers with the user/account privilege information.\r\nDefense evasion\r\nWe spotted several techniques the attacker used to evade detection, which we break down below.\r\nT1553 - Subvert Trust Controls\r\nThe Explorer.exe process reads the Zone.Identifier alternate data stream. Downloaded files carry a Zone.Identifier, also known as the mark-of-the-web, in an alternate data stream. The malware checks whether it has any zone identifier metadata and deletes it if present, thus bypassing any application protections.\r\nC:\\ProgramData\\Google Updater 2.09\\q99ig1gy1.exe:Zone.Identifier\r\nT1562 - Impair Defences\r\nThe Explorer.exe process sets the registry key value to zero and disables the Windows firewall. It also modified Internet Explorer security zone registry entries. The attacker weakened Internet Explorer security by allowing unsigned ActiveX controls, turning off pop-up blocking and changing Java permissions, among other options.\r\nRegistry keys and values to disable the firewall.\r\nT1112 - Modify Registry\r\nWe spotted a registry key with a large amount of data placed in the data field, designed to conceal the attacker's presence: HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\{B56DA420-0B5E-0394-E271-7DACAF8D4BB5}\\14FD1F9A\\46a66dd5b340073ff9.\r\nMalware storing a stream of binary values in the registry keys.\r\nT1497 - Virtualization/Sandbox Evasion\r\nThe Explorer.exe process attempts to connect to a VirtualBox driver and VMware device or to locate a VirtualBox DLL and VMware DLL. The attacker tried to detect the presence of VirtualBox and VMware as a means of anti-analysis. Neurevt also uses the GetTickCount and IsDebuggerPresent APIs as anti-analysis techniques.\r\nDiscovery and collection\r\nNeurevt can enumerate information from the victim's machine. Below are the techniques used by the attacker.\r\nT1083 - File and Directory Discovery\r\nT1120 - Peripheral Device Discovery\r\nT1057 - Process Discovery\r\nT1012 - Query Registry\r\nT1518 - Software Discovery\r\nT1082 - System Information Discovery\r\nThe malware has functions that check the operating system, enumerate system drivers and the disk drives currently available on the victim's machine, gather information about the disk drives or directories on the system, detect the Java Runtime Environment version, retrieve the keyboard layout list and enumerate user location information.\r\nFunctions that retrieve the operating system version information and the status of the logical drives.\r\nFunctions that retrieve the volume information of the disks attached to the system.\r\nThe malware can also take screenshots of the victim's monitor.\r\nFunctions that capture the system monitor screen.\r\nIt can also copy the data on the clipboard, empty it, and then close the clipboard.\r\nFunctions that capture clipboard data.\r\nThe malware also writes the data from the active console screen buffer to a file.\r\nFunctions that write the data from the active screen buffer to a file.\r\nNeurevt sets the keyboard layout by calling the APIs GetKeyboardLayout and ActivateKeyboardLayout, then calls GetKeyboardState, which copies the status of the 256 virtual keys to a buffer, and GetKeyState, which retrieves the status of the virtual keys for the keyboard control characters Line Feed, Vertical Tab and Form Feed. It calls MapVirtualKeyW, which maps the virtual key code to a scan code. Neurevt installs a hook procedure that monitors messages generated as a result of an input event from keystrokes and mouse activity in a dialog box, message box, menu, or scroll bar.\r\nFunction hooks to monitor the keystrokes and mouse activities.\r\nIt also monitors the keystroke messages posted to an application message queue.\r\nNeurevt waits for messages from multiple objects, peeks for the message, checks whether it is a Unicode window, gets the message, translates the virtual key's scan code to characters, and dispatches them.\r\nFunctions that check for the virtual keys and scan code messages, translate them to characters and dispatch them.\r\nExfiltration\r\nThe malware uses the System.Web namespace to enable browser-server communication to the C2 server, which runs an Nginx web server. The HTTP backdoor method is used by placing the information from the compromised machine into the data section of HTTP POST requests to the domains russk18[.]icu and moscow13[.]at.\r\nWireshark displays the HTTP POST request traffic to the C2 russk18[.]icu and the data section of the packet.\r\nConclusion\r\nThis version of Neurevt exhibited multiple functionalities. Once a system is infected, the attacker gains access to it and modifies its settings to conceal their presence. The trojan accesses the victim's system service tokens and elevates its privileges, thereby accessing the operating system, the user's account information and banking website credentials, capturing screenshots, and connecting to the C2 servers to steal intellectual property and personal information. This trojan could affect individual users and organizations, leading to a data breach or reputational damage that eventually results in a loss of financial value.\r\nOrganizations and defenders can take proactive measures to mitigate the risk of infection and data theft, such as restricting users from accessing suspicious websites and downloading malicious content. Talos also encourages implementing role-based access control for the use of Windows administrative tools, enforcing a PowerShell execution policy, and blocking suspicious IP addresses, domains and network traffic from C2.\r\nIndividuals using their personal systems must ensure they have the latest updates installed, including anti-virus scan engines, operating systems and applications. Automatic execution of browser scripts should be disabled. Users should be careful while accessing websites that download their contents to their computer's file system.\r\nHigh level overview of Neurevt execution flow.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nThe following ClamAV signatures have been released to detect this threat:\r\nWin.Trojan.Neurevt-9880046-0\r\nWin.Trojan.Neurevt-9880047-0\r\nWin.Trojan.Neurevt-9880048-0\r\nWin.Trojan.Neurevt-9880049-1\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nSID 57989 has been released to detect this threat.\r\nIOCs\r\nDomains:\r\nrussk18[.]icu\r\nrussk19[.]icu\r\nrussk20[.]icu\r\nrussk21[.]icu\r\nrussk22[.]icu\r\nmoscow13[.]at\r\nmoscow11[.]at\r\nHashes:\r\n86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595\r\nb5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122\r\n4d3ee3c1f78754eb21b3b561873fab320b89df650bbb6a69e288175ec286a68f\r\n35617cfc3e8cf02b91d59209fc1cd07c9c1bc4d639309d9ab0198cd60af05d29\r\nURLs:\r\nhttp://saltoune[.]xyz/pb/aa.exe\r\nhttps://saltoune[.]xyz/pb/aa.exe\r\nhttp://morningstarlincoln[.]co[.]uk/site/bmw/studi.exe\r\nhttp://russk17[.]icu/mailo/seer.exe\r\nSource: https://blog.talosintelligence.com/2021/08/neurevt-trojan-takes-aim-at-mexican.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/08/neurevt-trojan-takes-aim-at-mexican.html"
	],
	"report_names": [
		"neurevt-trojan-takes-aim-at-mexican.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441484,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/383b75296daf91a8249fb760d0ef5954e3ef3232.pdf",
		"text": "https://archive.orkl.eu/383b75296daf91a8249fb760d0ef5954e3ef3232.txt",
		"img": "https://archive.orkl.eu/383b75296daf91a8249fb760d0ef5954e3ef3232.jpg"
	}
}