win.betabot

BetaBot

aka: Neurevt
URLhaus      

Cybereason concludes that Betabot is a sophisticated infostealer malware that’s evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim’s machine and steal sensitive information.

References
2022-08-08 — Medium CSIS Techblog — Benoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-03-28 — KrabsOnSecurity — Mr. Krabs
@online{krabs:20220328:betabot:7fd9fe0, author = {Mr. Krabs}, title = {{Betabot in the Rearview Mirror}}, date = {2022-03-28}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/}, language = {English}, urldate = {2022-04-04} } Betabot in the Rearview Mirror
BetaBot
2021-03-31 — Kaspersky — Kaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-07-14 — SophosLabs Uncut — Markel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-05-14 — SophosLabs — Markel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2018-11-04 — CCN-CERT — CCN-CERT
@online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT
BetaBot
2018-10-03 — Cybereason — Assaf Dahan
@online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } New Betabot campaign under the microscope
BetaBot
2018-06-15 — Medium woj_ciech — Wojciech
@online{wojciech:20180615:betabot:569dbfd, author = {Wojciech}, title = {{Betabot still alive with multi-stage packing}}, date = {2018-06-15}, organization = {Medium woj_ciech}, url = {https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39}, language = {English}, urldate = {2020-01-13} } Betabot still alive with multi-stage packing
BetaBot
2017-02-27 — Sophos — Ted Heppner
@online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } Betabot: Configuration Data Extraction
BetaBot
2015-04-15 — XyliBox — Xylitol
@online{xylitol:20150415:betabot:0f2f804, author = {Xylitol}, title = {{Betabot retrospective}}, date = {2015-04-15}, organization = {XyliBox}, url = {http://www.xylibox.com/2015/04/betabot-retrospective.html}, language = {English}, urldate = {2020-01-13} } Betabot retrospective
BetaBot
2013-09-24 — Hanan Natan
@online{natan:20130924:how:a770f31, author = {Hanan Natan}, title = {{How to extract BetaBot config info}}, date = {2013-09-24}, url = {http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html}, language = {English}, urldate = {2019-11-25} } How to extract BetaBot config info
BetaBot
Yara Rules
[TLP:WHITE] win_betabot_auto (20220808 | Detects win.betabot.)
rule win_betabot_auto {

    // Autogenerated code-sequence signature for win.betabot (aka Neurevt).
    // Ten short x86 (32-bit) instruction sequences were selected by
    // YARA-Signator from unpacked samples and memory dumps; the condition
    // below requires seven of them plus a file-size cap.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.betabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Bytes written as ?? are wildcards. They stand in for operands that
        // differ between builds -- e8/e9 relative call/jump targets and a1/a3
        // absolute data addresses -- which is why the disassembly column is
        // left blank on those lines. Opcode bytes themselves are matched exactly.
        $sequence_0 = { 894708 83670400 66891f a1???????? 894710 a1???????? }
            // n = 6, score = 400
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   83670400             | and                 dword ptr [edi + 4], 0
            //   66891f               | mov                 word ptr [edi], bx
            //   a1????????           |                     
            //   894710               | mov                 dword ptr [edi + 0x10], eax
            //   a1????????           |                     

        $sequence_1 = { 7426 57 33ff 397508 7619 8b04b3 83f801 }
            // n = 7, score = 400
            //   7426                 | je                  0x28
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   397508               | cmp                 dword ptr [ebp + 8], esi
            //   7619                 | jbe                 0x1b
            //   8b04b3               | mov                 eax, dword ptr [ebx + esi*4]
            //   83f801               | cmp                 eax, 1

        $sequence_2 = { 0fafc1 c3 85c0 7406 6683383c 7403 33c0 }
            // n = 7, score = 400
            //   0fafc1               | imul                eax, ecx
            //   c3                   | ret                 
            //   85c0                 | test                eax, eax
            //   7406                 | je                  8
            //   6683383c             | cmp                 word ptr [eax], 0x3c
            //   7403                 | je                  5
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { 8b7508 8b4618 8945f0 58 5e 56 50 }
            // n = 7, score = 400
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   56                   | push                esi
            //   50                   | push                eax

        $sequence_4 = { ff760c e8???????? 8d45f8 50 ff75f8 8b460c 83e805 }
            // n = 7, score = 400
            //   ff760c               | push                dword ptr [esi + 0xc]
            //   e8????????           |                     
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   83e805               | sub                 eax, 5

        $sequence_5 = { 33c0 e9???????? 68d0020000 e8???????? 8985b4fcffff 83bdb4fcffff00 }
            // n = 6, score = 400
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   68d0020000           | push                0x2d0
            //   e8????????           |                     
            //   8985b4fcffff         | mov                 dword ptr [ebp - 0x34c], eax
            //   83bdb4fcffff00       | cmp                 dword ptr [ebp - 0x34c], 0

        $sequence_6 = { e9???????? 837d0800 7426 837d0c00 7413 8b450c 0fb700 }
            // n = 7, score = 400
            //   e9????????           |                     
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7426                 | je                  0x28
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   7413                 | je                  0x15
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0fb700               | movzx               eax, word ptr [eax]

        $sequence_7 = { 7504 6a06 58 c3 68c0510000 e8???????? a3???????? }
            // n = 7, score = 400
            //   7504                 | jne                 6
            //   6a06                 | push                6
            //   58                   | pop                 eax
            //   c3                   | ret                 
            //   68c0510000           | push                0x51c0
            //   e8????????           |                     
            //   a3????????           |                     

        $sequence_8 = { 6a30 53 8d442418 50 e8???????? e8???????? 3c01 }
            // n = 7, score = 400
            //   6a30                 | push                0x30
            //   53                   | push                ebx
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   3c01                 | cmp                 al, 1

        $sequence_9 = { 8b45fc 83e803 eb03 6afe 58 c9 c20400 }
            // n = 7, score = 400
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83e803               | sub                 eax, 3
            //   eb03                 | jmp                 5
            //   6afe                 | push                -2
            //   58                   | pop                 eax
            //   c9                   | leave               
            //   c20400               | ret                 4

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 835584 bytes (816 KiB). A sample at or
        // above that size will not match regardless of the sequences, so a
        // padded or bundled file can slip past this rule; the sequences were
        // taken from unpacked code, so packed on-disk samples may not match either.
        7 of them and filesize < 835584
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
rule win_betabot_w0 {
    // Hand-assembled (2013) plaintext-string rule for Neurevt / BetaBot.
    // Thirteen strings are defined; the condition requires ten of them.
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        // Reference sample hashes (32 hex digits, i.e. MD5 length).
        hash = "db9a816d58899f1ba92bc338e89f856a"
        hash = "d7b427ce3175fa7704da6b19a464938e"
        hash = "13027beb8aa5e891e8e641c05ccffde3"
        hash = "d1004b63d6d3cb90e6012c68e19ab453"
        hash = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Strings with the `wide` modifier match UTF-16LE encodings only;
        // $string13, $string15 and $string16 carry no modifier and therefore
        // match ASCII only. The gaps in the identifier numbering suggest
        // entries were pruned from the generator's output -- unconfirmed.
        // Security-product names, presumably from a product-detection list -- unconfirmed.
        $string0 = "BullGuard" wide
        $string1 = "cmd.exe" wide
        $string4 = "eUSERPROFILE" wide
        $string5 = "%c:\\%s.lnk" wide
        $string6 = "services.exe" wide
        // Spanish fake-error text ("multiple corrupt files were found in the
        // 'My Documents' folder; to avoid losing..."), presumably shown to the
        // victim. One of the more specific strings in this rule.
        $string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        $string12 = "-k NetworkService" wide
        $string13 = "firefox.exe"
        $string14 = "uWinMgr.exe" wide
        // Fixed, dated Firefox User-Agent values embedded in the binary.
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        // 10 of the 13 strings must match. Several of them (cmd.exe,
        // services.exe, firefox.exe, "-k NetworkService", the User-Agent
        // lines) also occur in legitimate software, so the specificity comes
        // from the threshold rather than from any single string; validate the
        // false-positive rate on a clean corpus before deploying broadly.
        10 of them
}