{
	"id": "7c913d20-867f-4304-b8cf-252e61802541",
	"created_at": "2026-04-06T00:06:37.21635Z",
	"updated_at": "2026-04-10T13:11:33.36803Z",
	"deleted_at": null,
	"sha1_hash": "7e57aa4e8fe8661b38cae94227a33e78cb981001",
	"title": "Analysis of Neutrino Bot Sample (dated 2018-08-27)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1650417,
	"plain_text": "Analysis of Neutrino Bot Sample (dated 2018-08-27)\r\nArchived: 2026-04-05 14:19:15 UTC\r\nIn this post I analyze a Neutrino Bot sample that was probably generated on 2018-08-27. I compare it with the NukeBot source code that was leaked in spring 2017 and show that Neutrino Bot is probably an evolution of the leaked NukeBot code, or at least reuses parts of it.\r\nOriginal Packed Sample: 3F77B24C569600E73F9C112B9E7BE43F\r\nAutomatically Generated Report: PepperMalware Report\r\nVirusTotal First Submission: 2018-08-28 14:36:26\r\nSample Creation Date: 2018-08-27\r\nUnpacked Banker Module: 896609A8EE8CC860C2214FCD1E3CF264\r\nInternal executable id: aug27\r\nRelated links:\r\nhttps://www.malware-traffic-analysis.net/2018/08/21/index2.html\r\nhttps://twitter.com/malware_traffic/status/1032066941953945600\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/\r\nhttps://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/\r\n1. Loader\r\n1.1. First stage packer\r\n1.2. Second stage, custom packer / injector\r\n1.2.1. Antidebug Tricks\r\n1.2.1.1. Antidebug tricks: API Obfuscation\r\n1.2.1.2. Antidebug tricks: Time Tricks\r\n1.2.1.3. Antidebug tricks: HKCU\\Software\\Microsoft\\Windows\\Identifier\r\n1.2.1.4. Antidebug tricks: CPUID checks\r\n1.2.1.5. Antidebug tricks: Walk running processes searching for well-known names\r\n1.2.1.6. Antidebug tricks: Walk own process' modules searching for well-known names\r\n1.2.1.7. Antidebug tricks: IsDebuggerPresent / CheckRemoteDebuggerPresent\r\n1.2.1.8. Antidebug tricks: Query device names\r\n1.2.2. Injection\r\n1.2.3. Other details\r\n1.2.3.1. BotId and mutex\r\n1.2.3.2. PRNG\r\n2. Banker module\r\n2.1. WebInjects\r\n2.2. Browser hooks\r\n2.3. Other stealer capabilities\r\n3. Similarities with NukeBot leaked source code\r\n3.1. 
InjectDll function at banker module\r\nhttp://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html\r\nPage 1 of 19\n\n3.2. Hollow-process explorer.exe\r\n3.3. Random BotId\r\n4. Yara rules\r\n5. Conclusions\r\n1. Loader\r\n1.1. First stage packer\r\nIn the first stage, the sample is wrapped in a common packer: it allocates a memory block, copies a shellcode into it, and that shellcode decrypts the second stage and writes it over the original PE in memory.\r\n1.2. Second stage, custom packer / injector\r\nThis second stage is an executable that is unpacked over the original executable in memory. It performs several anti-debug and anti-VM checks and resolves its API calls through hashes. In addition, it decrypts the third stage PE (the main banking code) and injects that PE into an explorer.exe process.\r\n1.2.1. Antidebug Tricks\r\nThe analyzed sample performs a few of the usual anti-debug and anti-VM tricks. From analyzed sample (IDA decompiled):\r\n1.2.1.1. Antidebug tricks: API Obfuscation\r\nIn the Neutrino Bot loader, each time an API is about to be called, it is resolved from a hash of its name rather than from an imported symbol. It seems to use a custom hash algorithm, not CRC32 or a similar well-known algorithm (frequently used by other malware families).\r\n1.2.1.2. Antidebug tricks: Time Tricks\r\nThe analyzed sample plays with GetTickCount and waits (Sleep and WaitForSingleObject), performing the usual timing tricks (comparing the tick count before and after a wait) to detect that it is running in a VM or sandbox. From analyzed sample (IDA decompiled):\r\n1.2.1.3. 
Antidebug tricks: HKCU\\Software\\Microsoft\\Windows\\Identifier\r\nThe analyzed sample reads the value Identifier under the key HKCU\\Software\\Microsoft\\Windows, hashes its content with the Fowler-Noll-Vo (FNV) hash and compares the result with 0xC9C8F009. I don't know exactly what content would match this hash, but it probably matches a value that some well-known VMs (VirtualBox, VMware, ...) set. From analyzed sample (IDA decompiled):\r\n1.2.1.4. Antidebug tricks: CPUID checks\r\nThe analyzed sample executes the cpuid instruction to get CPU information, then calculates an FNV hash of the data returned by cpuid and compares it with a set of values: 0x3A72221D, 0xB609E57D, 0x11482F93, 0xA7C9423F, 0x7816EDDD, 0x6361F34. I don't know exactly the original data causing these hashes, but probably they are values returned by cpuid related to well-known VMs such as VMware, VirtualBox, etc. The usual targets of such checks are the hypervisor vendor strings returned by cpuid leaf 0x40000000 (for example VMwareVMware or VBoxVBoxVBox) and the hypervisor-present bit of leaf 1. From analyzed sample (IDA decompiled):\r\n1.2.1.5. Antidebug tricks: Walk running processes searching for well-known process names\r\nThe analyzed sample calls the Toolhelp32 functions to walk the running processes. Again, it calculates the FNV hash of each process name and compares it against a set of precalculated hashes: 0x4FAEA2EB, 0x689ED848, 0x57337435, 0xE8BC3AB9, 0x3C30BBA6, 0xA421254D, 0x26638D6A, 0xE3449C1. These hashes probably correspond to names such as vmtoolsd.exe and other well-known processes associated with VMs and security products. From analyzed sample (IDA decompiled):\r\n1.2.1.6. 
Antidebug tricks: Walk own process' modules searching for well-known module names\r\nIn addition, it walks the modules loaded in the current process searching for well-known libraries such as SbieDll.dll (Sandboxie), etc. It compares the FNV hash of each module name with the following set of hashes: 0xCC23DB0E, 0xCCFE57BB, 0x9FECD578, 0xE69D9465, 0xC55CC270, 0x601CDCE9, 0x9DF7C709, 0x23E9F2F5, 0x70E2598E, 0x2C82D8A, 0x99CC8618, 0xB62000C5. From analyzed sample (IDA decompiled):\r\n1.2.1.7. Antidebug tricks: IsDebuggerPresent / CheckRemoteDebuggerPresent\r\nNo explanation necessary, these are the usual anti-debug checks:\r\n1.2.1.8. Antidebug tricks: Query device names\r\nThe analyzed sample calls QueryDosDeviceW to get the list of device names, calculates the FNV hash of each name and compares it with a set of values: 0x5C86B533, 0x7F65B61C, 0x464768AD, 0x9A781952. It tries to detect devices that are typical of VMs, such as vmci or HGFS (both VMware). From analyzed sample (IDA decompiled):\r\n1.2.2. Injection\r\nThe analyzed sample decrypts the third stage PE (the banking module) with RC4 followed by decompression. It creates an explorer.exe instance and injects the decrypted PE into the address space of that instance (process hollowing). From analyzed sample (IDA decompiled):\r\n1.2.3. Other details\r\n1.2.3.1. BotId and mutex\r\nThe analyzed sample contains a kind of executable id, and the name of the mutex is derived from that id. In the analyzed sample this exe id is \"aug27\", probably the date it was generated (the VirusTotal first submission date is 2018/08/28). 
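The hash-based name checks of sections 1.2.1.3 to 1.2.1.8 and the mutex derivation of this section can be reproduced offline. The following Python is an added example, not code from the post or from the Neutrino sample. It goes a little beyond the single case in the text: it computes 32-bit FNV-1 and FNV-1a over a constructed list of candidate process, module and device names, in ANSI and UTF-16LE and in original and lowered case, and reports any candidate whose hash lands in the lists quoted above; it also derives a GUID-shaped mutex name from the LCG this section describes (idum = 1664525*idum + 1013904223), seeded with the FNV hash of the exe id 'aug27'. The FNV variant, the encoding and case of the hashed strings, the candidate names and the GUID layout are assumptions that the post does not establish, so matches against the real hash lists are not guaranteed.

```python
# Added example, not code from the post or from the Neutrino sample.
# Two things the loader does are reproduced here:
#  1. name checks: the FNV hash of a process/module/device name is
#     compared against a fixed list of hashes (sections 1.2.1.3-1.2.1.8);
#  2. mutex naming: an LCG seeded with the FNV hash of the exe id
#     generates a GUID-shaped mutex name (section 1.2.3.1).
# Assumptions not established by the post: 32-bit FNV with the standard
# offset basis and prime, the encoding/case of the hashed strings, the
# candidate names, and the GUID layout.

FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193
MASK32 = 0xFFFFFFFF

def fnv1_32(data):
    # FNV-1: multiply, then xor each byte.
    h = FNV_OFFSET_32
    for b in data:
        h = (h * FNV_PRIME_32) & MASK32
        h ^= b
    return h

def fnv1a_32(data):
    # FNV-1a: xor each byte, then multiply.
    h = FNV_OFFSET_32
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_32) & MASK32
    return h

# Hash lists copied from the post.
PROCESS_HASHES = {0x4FAEA2EB, 0x689ED848, 0x57337435, 0xE8BC3AB9,
                  0x3C30BBA6, 0xA421254D, 0x26638D6A, 0xE3449C1}
MODULE_HASHES = {0xCC23DB0E, 0xCCFE57BB, 0x9FECD578, 0xE69D9465,
                 0xC55CC270, 0x601CDCE9, 0x9DF7C709, 0x23E9F2F5,
                 0x70E2598E, 0x2C82D8A, 0x99CC8618, 0xB62000C5}
DEVICE_HASHES = {0x5C86B533, 0x7F65B61C, 0x464768AD, 0x9A781952}

def encodings(name):
    # Variants a Windows loader might hash: ANSI or UTF-16LE bytes,
    # original case or lowercased.
    for case_label, s in (('asis', name), ('lower', name.lower())):
        yield (case_label + '/ansi', s.encode('latin-1', 'ignore'))
        yield (case_label + '/utf16le', s.encode('utf-16-le'))

def find_matches(candidates, hashes):
    # Return {name: [(variant, hash_hex), ...]} for every candidate whose
    # FNV-1 or FNV-1a hash, in some variant, is in the hash list.
    hits = {}
    for name in candidates:
        for enc_label, data in encodings(name):
            for algo, fn in (('fnv1', fnv1_32), ('fnv1a', fnv1a_32)):
                h = fn(data)
                if h in hashes:
                    hits.setdefault(name, []).append((algo + '/' + enc_label, hex(h)))
    return hits

def lcg_next(state):
    # The recurrence the post reports: idum = 1664525*idum + 1013904223,
    # truncated to 32 bits.
    return (1664525 * state + 1013904223) & MASK32

def mutex_guid(exe_id):
    # Seed with the FNV hash of the exe id (the post: hash of 'aug27'),
    # draw four 32-bit words and lay them out as a registry-style GUID.
    state = fnv1a_32(exe_id.encode('latin-1'))
    words = []
    for _ in range(4):
        state = lcg_next(state)
        words.append(state)
    w0, w1, w2, w3 = words
    return '{%08X-%04X-%04X-%04X-%04X%08X}' % (
        w0, w1 >> 16, w1 & 0xFFFF, w2 >> 16, w2 & 0xFFFF, w3)

if __name__ == '__main__':
    # Constructed candidate lists (VM and sandbox artefacts commonly
    # checked by malware); a miss only means the variant or the name
    # differs from what the loader hashes.
    procs = ['vmtoolsd.exe', 'vmwaretray.exe', 'VBoxService.exe', 'VBoxTray.exe']
    mods = ['SbieDll.dll', 'dbghelp.dll', 'api_log.dll', 'dir_watch.dll']
    devs = ['vmci', 'HGFS', 'VBoxGuest', 'VBoxMiniRdrDN']
    for label, cands, hashes in (('process', procs, PROCESS_HASHES),
                                 ('module', mods, MODULE_HASHES),
                                 ('device', devs, DEVICE_HASHES)):
        print(label, find_matches(cands, hashes) or 'no match')
    print('mutex name for aug27:', mutex_guid('aug27'))
```

A single hit is enough to learn which FNV flavour, encoding and case the loader uses; with that settled, the remaining hashes can be resolved against a larger wordlist with the same function. For the mutex, the point of the example is that a generator seeded only with the hash of a constant build string is deterministic, so whatever layout the real sample uses, the name it produces for a given build can be precomputed once the seed and the PRNG are known.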
From analyzed sample (IDA decompiled):\r\nAn FNV hash is calculated from the string \"aug27\". Later, that hash is used to seed a PRNG (the linear congruential generator idum = 1664525*idum + 1013904223) which generates a random GUID that becomes the name of the created mutex. Note that a generator seeded only with the hash of a constant build string yields the same GUID on every run, so for such a build the mutex name is a stable host-based indicator. From analyzed sample (IDA decompiled):\r\n1.2.3.2. PRNG\r\nFrom analyzed sample (IDA decompiled):\r\n2. Banker module\r\nThe third stage is the banker module. You can find the unpacked banker module's DLL, which I unpacked, here. It is quite similar to this other DLL that was extracted by @james_in_the_box (you can read about it on Twitter, here) from a sample shared by @malware_traffic, here.\r\nThis is the list of strings of the unpacked Neutrino Bot banker module.\r\n2.1. WebInjects\r\nThe banker module performs web injects. The following parts of the code manage the downloaded injects (IDA decompiled):\r\n2.2. Browser hooks\r\nIt hooks the nss3 (Firefox) and wininet APIs that banking trojans frequently target in browsers.\r\nNss3 hooks (IDA decompiled):\r\nWininet hooks (IDA decompiled):\r\n2.3. Other stealer capabilities\r\nOther strings found in the banker module reveal additional stealer capabilities:\r\n3. Similarities with NukeBot leaked source\r\nComparing some parts of the NukeBot code that was leaked in spring 2017 with the disassembled/decompiled code of the analyzed sample, we can see that there are similarities between them. 
Probably Neutrino Bot is an evolution of the leaked NukeBot code or, at least, it reuses parts of it.\r\nIn this section I comment on some parts of the code where I found similarities, but there are probably other parts that are very similar too.\r\n3.1. InjectDll function at banker module\r\nInjectDll is a function that appears both in the NukeBot leaked code and in the Neutrino banker module. You can find the full code of both functions here:\r\nInjectDll source code from NukeBot leaked source: https://pastebin.com/LL9PnVb6\r\nInjectDll decompiled code from Neutrino Bot analyzed sample: https://pastebin.com/K4cfUq4C\r\nComparing both, we can see that the functions are almost identical between the NukeBot leaked source code and the analyzed Neutrino sample. Probably this part of the code was reused.\r\n3.2. Hollow-process explorer.exe\r\nThe following parts of the code from the Neutrino and NukeBot loaders get the path of explorer.exe, create an instance of the process, and inject into it (process hollowing).\r\nFrom NukeBot leaked source code:\r\nFrom Neutrino analyzed sample's loader (IDA decompiled):\r\nThe code used to inject into processes is quite similar between the leaked source code and the analyzed sample:\r\nFrom NukeBot leaked source code:\r\nFrom Neutrino analyzed sample's loader (IDA decompiled):\r\n3.3. 
Random BotId\r\nBoth the leaked NukeBot and Neutrino generate a random GUID that is used as the botid and to create a mutex that the malware uses to know whether it is already running.\r\nFrom NukeBot leaked code:\r\nRandom GUID is used to create the mutex:\r\nFrom Neutrino analyzed sample (IDA decompiled):\r\nRandom GUID is used to create the mutex:\r\n4. Yara rules\r\n\r\nrule jimmy_08_2018 {\r\n    strings:\r\n        $string1 = \"reg add HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /ve /t REG_SZ /d \\\"%ls\\\" /f\"\r\n        $string2 = \"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \\\"cmd.exe\\\" \\\"/c %ls\\\"\" wide\r\n        $string3 = \"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \\\"%ls\\\"\" wide\r\n        $string4 = \"Rundll32.exe url.dll,FileProtocolHandler \\\"%ls\\\"\" wide\r\n        $string5 = \"Rundll32.exe zipfldr.dll,RouteTheCall \\\"%ls\\\"\" wide\r\n        $string6 = \"/a /c %s\" wide\r\n        $string7 = \"%ls_%ls_DLL\" wide\r\n        $string8 = \"Cookie: %s=%s;uid=%ls\"\r\n        $string9 = \"%ls\\\\nss3.dll\" wide\r\n        $injects1 = \"injects\"\r\n        $injects2 = \"set_host\"\r\n        $injects3 = \"set_path\"\r\n        $injects4 = \"inject_setting\"\r\n        $injects5 = \"data_keyword\"\r\n        $injects6 = \"inject_before_keyword\"\r\n        $injects7 = \"inject_after_keyword\"\r\n    condition:\r\n        all of them\r\n}\r\n\r\nPacker stage 2 (the $code patterns below are truncated in the archived text; they match push-immediate sequences that build the strings %ls\\\\*%ls, explorer.exe, kernel32 and %ls\\\\%ls one byte at a time on the stack):\r\n\r\nrule neutrino_packer_stage2_08_2018 {\r\n    strings:\r\n        $code1 = { 6A 25 [0-15] 6A 6C [0-15] 6A 73 [0-15] 6A 5C [0-15] 6A 2A [0-15] 6A 25 [0-15] 6A 6C [0-15] 6A 73 [0\r\n        $code2 = { 6A 65 [0-15] 6A 78 [0-15] 6A 70 [0-15] 6A 6C [0-15] 6A 6F [0-15] 6A 72 [0-15] 6A 72 [0-15] 6A 2E [0\r\n        $code3 = { 6A 6B [0-15] 6A 65 [0-15] 6A 72 [0-15] 6A 6E [0-15] 6A 65 [0-15] 6A 6C [0-15] 6A 33 [0-15] 6A 32 [0\r\n        $code4 = { 6A 25 [0-15] 6A 6C [0-15] 6A 73 [0-15] 6A 5C [0-15] 6A 25 [0-15] 6A 
6C [0-15] 6A 73 }\r\n    condition:\r\n        all of them\r\n}\r\n\r\n5. Conclusions\r\nWe have analyzed a Neutrino Bot sample dated 2018/08/27. After analyzing the sample (3F77B24C569600E73F9C112B9E7BE43F), we have seen that it could be an evolution of the leaked NukeBot source code's loader, or at least reuse parts of it. NukeBot / JimmyNukebot / NeutrinoBot / ... Probably this set of families share code between them and are in continuous development.\r\nSource: http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html"
	],
	"report_names": [
		"analysis-of-neutrino-bot-sample-2018-08-27.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e57aa4e8fe8661b38cae94227a33e78cb981001.pdf",
		"text": "https://archive.orkl.eu/7e57aa4e8fe8661b38cae94227a33e78cb981001.txt",
		"img": "https://archive.orkl.eu/7e57aa4e8fe8661b38cae94227a33e78cb981001.jpg"
	}
}