{
	"id": "a239602a-2f03-4806-a204-7675f5f539f5",
	"created_at": "2026-04-06T00:14:54.554371Z",
	"updated_at": "2026-04-10T03:21:00.105618Z",
	"deleted_at": null,
	"sha1_hash": "e874f00a4bd93dbf56706355e65290904eb25207",
	"title": "New Neutrino Bot comes in a protective loader | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1098007,
	"plain_text": "New Neutrino Bot comes in a protective loader | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-02-26 · Archived: 2026-04-05 14:13:00 UTC\r\nCo-authored by Hasherezade and Jérôme Segura.\r\nIn this blog post we will cover a recent version of the multi-purpose Neutrino Bot (AKA Kasidet) which ironically\r\nwas distributed by an exploit kit of the same name. Earlier in January this year, we had described Neutrino Bot\r\nthat came via spam so we won’t go over those details again, but instead will focus on an interesting loader.\r\nAnti-VM detection is complemented by multiple layers hiding the actual core, which made extraction of the final\r\npayload a bit of a challenge.\r\nDistribution method\r\nThis sample was collected via a malvertising campaign in the US that leveraged the Neutrino exploit kit. The\r\ninfection flow starts with a fingerprinting check for virtualization, network traffic capture and antivirus software.\r\nIf any are found (i.e. not a genuine victim), the infection will not happen. This check is done via heavily\r\nobfuscated JavaScript code in the pre-landing pages, rather than within the Flash exploit itself, like it used to in\r\nthe past.\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/\r\nPage 1 of 13\n\nOnce the initial check has passed, the next step is to launch a specially crafted Flash file containing a bunch of\r\nexploits for Internet Explorer and the Flash Player (similar to what was described here). 
The final step is the\r\ndownload and execution of the RC4-encoded payload via wscript.exe to bypass proxies.\r\nThe overall infection flow is summarized in the diagram below:\r\nA script from Maciej Kotowicz was used to extract artifacts from the Flash file.\r\nAnalyzed samples\r\nb2be7836cd3edf838ca9c409ab92b36d – original sample (dropped by the EK)\r\n349f5eb7c421ed49f9a260d17d4205d3 – loader\r\n6239963eeda5df72995ad83dd4dedb18 – payload (Neutrino bot)\r\nBehavioral analysis\r\nThe sample was well protected against being deployed in a controlled environment. When it detects that it is being\r\nrun in a VM/sandbox, it just deletes itself:\r\nIf the environment passed the checks, it drops its copy into %APPDATA%/Y1ViUVZZXQxx/.exe (during tests we\r\nobserved the following names: abgrcnq.exe, uu.exe):\r\nThe folder and the sample are hidden.\r\nPersistence is achieved via the Task Scheduler:\r\nThe malware adds and modifies several registry keys. It adds some basic settings, including the installation date:\r\nIt modifies some keys in order to remain hidden in the system. The Hidden/SuperHidden settings allow its dropped\r\ncopy to remain unnoticed by the user. 
It disables viewing such files by modifying the following registry keys:\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden Software\\Microsoft\\Windows\\CurrentVersion\\Ex\r\nIt also adds itself into the firewall’s whitelist with this command:\r\ncmd.exe \" /a /c netsh advfirewall firewall add rule name=\"Y1ViUVZZXQxx\" dir=in action=allow program=\r\nSimilarly, the path to the malware is added to Windows Defender’s exclusions:\r\nIt disables reporting incidents to Microsoft’s cloud service (SpyNet):\r\nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting\r\nIt modifies settings of terminal services, setting MaxDisconnectionTime and MaxIdleTime to 0. Modified keys:\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MaxDisconnectionTime HKLM\\SOFTWARE\\Policies\\Mic\r\nIf the full installation process went successfully, it finally loads the malicious core, and we can see traffic typical\r\nof the Neutrino Bot. You can see below the beacon “enter” and the response “success”, encoded in base64. The\r\nresponse is sent as a comment in the retrieved blank HTML page, in order to avoid being noticed:\r\nIn the next request the bot sends information about itself, and in response the CnC gives it commands to be\r\nexecuted. Requests and responses are also base64 encoded. 
Example after decoding:\r\nreq:\r\ncmd\u00269bc67713-9390-4bcd-9811-36457b704c9c\u0026TESTMACHINE\u0026Windows%207%20(32-bit)\u00260\u0026N%2FA\u00265.2\u002622.02.2017\u0026NO\r\nresp:\r\n1463020066516169#screenshot#1469100096882000#botkiller#1481642022438251#rate 15#\r\nThe first command was to take a screenshot, and indeed, soon after we can see the bot sending a screenshot in JPG\r\nformat:\r\nFrom the sent version number we can conclude that the version of the bot is 5.2 (similarly to this campaign).\r\nInside\r\nThe first layer is a crypter stub that overwrites the initial PE in memory with the image of the loader.\r\nUnpacking it is demonstrated in this video: https://www.youtube.com/watch?v=m_xh33M_CRo.\r\nThe second layer is a loader that prevents the core bot from running in a controlled environment (i.e. on a VM or\r\nunder a debugger). This element is probably new (we didn’t observe it so far in previous campaigns of Neutrino\r\nBot, i.e. the one described here). We found the loader very effective in its protective task. Most of the sandboxes\r\nand test VMs used during tests failed to provide any useful results.\r\nThe final payload had features typical of the Neutrino Bot family.\r\nThe loader code shows that it is an integral part of the full Neutrino Bot package – not yet another layer added by\r\nan independent crypter. Both the payload and the loader are written in C++, use similar functions and contain\r\noverlapping strings. This will be demonstrated in detail later in this article. They both also have very close\r\ncompilation timestamps: payload: 2017-02-16 17:15:43, loader: 2017-02-16 17:15:52.\r\nA patched version of the loader, with environment checks disabled, can be viewed here.\r\nLoader\r\nObfuscation techniques\r\nThe code inside contains some level of obfuscation. 
A few strings are visible:\r\nDirectory name\r\nSome functions\r\nRegistry keys related to Windows Security features that are going to be disabled\r\nStrings used to add a new scheduled task.\r\nHowever, that is not all. Most of the strings are decrypted at runtime. Here is an example of loading\r\nan encrypted string:\r\nFirst, the obfuscated string is written to dynamically allocated memory by a dedicated function. Then, it is\r\ndecrypted using a simple, XOR-based algorithm:\r\ndef decode(data):\r\n    maxlen = len(data)\r\n    decoded = bytearray()\r\n    for i in range(0, maxlen):\r\nThe same string after decryption:\r\nMost of the API calls are also dynamically resolved. Example:\r\nTracing API calls helps to understand the program’s functionality. For this reason, the authors of this malware\r\nimplemented some of the functions without using API calls at all. In the example below you can see the function\r\nGetLastError() implemented by reading a low-level structure: the Thread Environment Block (TEB):\r\nFunctionality\r\nIn order to prevent being executed more than once, the loader creates a mutex with a name that\r\nis hardcoded in the binary: 1ViUVZZXQxx.\r\nThe primary task of the loader is to check the environment, in order to make sure that the execution is not being\r\nwatched. But, contrary to most malware, the check is not done just once. There is a dedicated thread\r\ndeployed:\r\nIt runs checks in a never-ending loop:\r\nIf at any time the loader detects e.g. some blacklisted process being deployed, execution is terminated.\r\nExamples of the checks performed:\r\n1. 
Enumerates through the list of the running processes (using dynamically loaded functions\r\nCreateToolhelp32Snapshot – Process32First – Process32Next). Calculates a checksum from each retrieved process\r\nname and compares it with the built-in blacklist:\r\nThe blacklisted checksums:\r\nhttps://gist.github.com/hasherezade/aefabdb9a67193ef05c93228a78c20c6#file-processes_blacklist-txt\r\nImplementation of the function searching for blacklisted processes – as we can see, every function is loaded\r\ndynamically with the help of a corresponding checksum:\r\n2. Searches for blacklisted modules within the current process (using dynamically loaded functions\r\nCreateToolhelp32Snapshot – Module32First – Module32Next). Similarly, it calculates the checksum from each\r\nretrieved process name and compares it with the built-in blacklist.\r\nChecksum calculation algorithm (implementation):\r\nThe blacklisted checksums:\r\nhttps://gist.github.com/hasherezade/aefabdb9a67193ef05c93228a78c20c6#file-modules_blacklist-txt\r\n3. Checking if the process is under the debugger, using: IsDebuggerPresent, CheckRemoteDebuggerPresent\r\n4. Detecting single-stepping with the help of time measurement, using GetTickCount – Sleep – GetTickCount\r\n5. Anti-VM check with the help of detecting blacklisted devices – using QueryDosDevices, e.g. VBoxGuest\r\n6. 
Searching and hiding blacklisted windows by their classes – using EnumWindows – GetClassName (e.g.\r\nprocexpl)\r\nThe blacklisted checksums:\r\nhttps://gist.github.com/hasherezade/aefabdb9a67193ef05c93228a78c20c6#file-windows_blacklist-txt\r\nIn another thread, the malware performs operations related to the bot installation – adding a task to the Windows\r\nScheduler, adding exclusions to the Firewall etc.\r\nFinally, it unpacks the final payload and runs it with the help of the RunPE method. First, it creates another\r\ninstance of its own:\r\nThen, it maps a new PE file in its place:\r\nPayload\r\nThe loaded payload is a Neutrino Bot, with very similar features to the one that we described in\r\nConclusion\r\nNeutrino Bot has been on the market for a few years. It is rich in features but its internal structure\r\nwas never impressive. This time too, the malware authors did not make any significant\r\nimprovements to the main bot’s structure. However, they added one more protection layer which is\r\nvery scrupulous in its task of fingerprinting the environment and not allowing the bot to be\r\ndiscovered.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/"
	],
	"report_names": [
		"new-neutrino-bot-comes-in-a-protective-loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434494,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e874f00a4bd93dbf56706355e65290904eb25207.pdf",
		"text": "https://archive.orkl.eu/e874f00a4bd93dbf56706355e65290904eb25207.txt",
		"img": "https://archive.orkl.eu/e874f00a4bd93dbf56706355e65290904eb25207.jpg"
	}
}