SYMBOLCOMMON_NAMEaka. SYNONYMS
win.betabot (Back to overview)

BetaBot

aka: Neurevt
URLhaus      

There is no description at this point.

References
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-07-14SophosLabs UncutMarkel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2018-11-04CCN-CERTCCN-CERT
@online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT
BetaBot
2018-10-03CybereasonAssaf Dahan
@online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } New Betabot campaign under the microscope
BetaBot
2018-06-15Medium woj_ciechWojciech
@online{wojciech:20180615:betabot:569dbfd, author = {Wojciech}, title = {{Betabot still alive with multi-stage packing}}, date = {2018-06-15}, organization = {Medium woj_ciech}, url = {https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39}, language = {English}, urldate = {2020-01-13} } Betabot still alive with multi-stage packing
BetaBot
2017-02-27SophosTed Heppner
@online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } Betabot: Configuration Data Extraction
BetaBot
2015-04-15XyliBoxXylitol
@online{xylitol:20150415:betabot:0f2f804, author = {Xylitol}, title = {{Betabot retrospective}}, date = {2015-04-15}, organization = {XyliBox}, url = {http://www.xylibox.com/2015/04/betabot-retrospective.html}, language = {English}, urldate = {2020-01-13} } Betabot retrospective
BetaBot
2013-09-24Hanan Natan
@online{natan:20130924:how:a770f31, author = {Hanan Natan}, title = {{How to extract BetaBot config info}}, date = {2013-09-24}, url = {http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html}, language = {English}, urldate = {2019-11-25} } How to extract BetaBot config info
BetaBot
Yara Rules
[TLP:WHITE] win_betabot_auto (20211008 | Detects win.betabot.)
rule win_betabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.betabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 3dfe000000 7610 ff75f8 e8???????? 6afe 58 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   3dfe000000           | cmp                 eax, 0xfe
            //   7610                 | jbe                 0x12
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           |                     
            //   6afe                 | push                -2
            //   58                   | pop                 eax

        $sequence_1 = { eb30 81bde4feffff10270000 7613 8b85e4feffff 2dd0070000 8985e4feffff }
            // n = 6, score = 400
            //   eb30                 | jmp                 0x32
            //   81bde4feffff10270000     | cmp    dword ptr [ebp - 0x11c], 0x2710
            //   7613                 | jbe                 0x15
            //   8b85e4feffff         | mov                 eax, dword ptr [ebp - 0x11c]
            //   2dd0070000           | sub                 eax, 0x7d0
            //   8985e4feffff         | mov                 dword ptr [ebp - 0x11c], eax

        $sequence_2 = { e8???????? f705????????00020000 56 57 7408 ff15???????? eb06 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   f705????????00020000     |     
            //   56                   | push                esi
            //   57                   | push                edi
            //   7408                 | je                  0xa
            //   ff15????????         |                     
            //   eb06                 | jmp                 8

        $sequence_3 = { 8d85f8feffff 50 8d85c8fdffff 50 8b8594fcffff 8b8dacfcffff ff3481 }
            // n = 7, score = 400
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]
            //   50                   | push                eax
            //   8d85c8fdffff         | lea                 eax, dword ptr [ebp - 0x238]
            //   50                   | push                eax
            //   8b8594fcffff         | mov                 eax, dword ptr [ebp - 0x36c]
            //   8b8dacfcffff         | mov                 ecx, dword ptr [ebp - 0x354]
            //   ff3481               | push                dword ptr [ecx + eax*4]

        $sequence_4 = { 57 ff15???????? 894508 3bde 7636 6a08 56 }
            // n = 7, score = 400
            //   57                   | push                edi
            //   ff15????????         |                     
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   3bde                 | cmp                 ebx, esi
            //   7636                 | jbe                 0x38
            //   6a08                 | push                8
            //   56                   | push                esi

        $sequence_5 = { ff7014 ff15???????? ebac 8b45fc ff700c ff15???????? eb93 }
            // n = 7, score = 400
            //   ff7014               | push                dword ptr [eax + 0x14]
            //   ff15????????         |                     
            //   ebac                 | jmp                 0xffffffae
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff700c               | push                dword ptr [eax + 0xc]
            //   ff15????????         |                     
            //   eb93                 | jmp                 0xffffff95

        $sequence_6 = { 7411 56 ff7508 e8???????? 56 8bf8 e8???????? }
            // n = 7, score = 400
            //   7411                 | je                  0x13
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   56                   | push                esi
            //   8bf8                 | mov                 edi, eax
            //   e8????????           |                     

        $sequence_7 = { 8945f4 837df400 7504 33c0 eb40 8b0d???????? e8???????? }
            // n = 7, score = 400
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb40                 | jmp                 0x42
            //   8b0d????????         |                     
            //   e8????????           |                     

        $sequence_8 = { 56 57 8d85f0fbffff 50 e8???????? 56 57 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d85f0fbffff         | lea                 eax, dword ptr [ebp - 0x410]
            //   50                   | push                eax
            //   e8????????           |                     
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_9 = { c645ff01 8a45ff 5b 5e c9 c20400 }
            // n = 6, score = 400
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1
            //   8a45ff               | mov                 al, byte ptr [ebp - 1]
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c20400               | ret                 4

    condition:
        7 of them and filesize < 835584
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
rule win_betabot_w0 {
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        hash = "db9a816d58899f1ba92bc338e89f856a"
        hash = "d7b427ce3175fa7704da6b19a464938e"
        hash = "13027beb8aa5e891e8e641c05ccffde3"
        hash = "d1004b63d6d3cb90e6012c68e19ab453"
        hash = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $string0 = "BullGuard" wide
        $string1 = "cmd.exe" wide
        $string4 = "eUSERPROFILE" wide
        $string5 = "%c:\\%s.lnk" wide
        $string6 = "services.exe" wide
        $string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        $string12 = "-k NetworkService" wide
        $string13 = "firefox.exe"
        $string14 = "uWinMgr.exe" wide
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        10 of them
}
Download all Yara Rules