SYMBOLCOMMON_NAMEaka. SYNONYMS
win.betabot (Back to overview)

BetaBot

aka: Neurevt
URLhaus      

There is no description at this point.

References
2022-03-28KrabsOnSecurityMr. Krabs
@online{krabs:20220328:betabot:7fd9fe0, author = {Mr. Krabs}, title = {{Betabot in the Rearview Mirror}}, date = {2022-03-28}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/}, language = {English}, urldate = {2022-04-04} } Betabot in the Rearview Mirror
BetaBot
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-07-14SophosLabs UncutMarkel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2018-11-04CCN-CERTCCN-CERT
@online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT
BetaBot
2018-10-03CybereasonAssaf Dahan
@online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } New Betabot campaign under the microscope
BetaBot
2018-06-15Medium woj_ciechWojciech
@online{wojciech:20180615:betabot:569dbfd, author = {Wojciech}, title = {{Betabot still alive with multi-stage packing}}, date = {2018-06-15}, organization = {Medium woj_ciech}, url = {https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39}, language = {English}, urldate = {2020-01-13} } Betabot still alive with multi-stage packing
BetaBot
2017-02-27SophosTed Heppner
@online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } Betabot: Configuration Data Extraction
BetaBot
2015-04-15XyliBoxXylitol
@online{xylitol:20150415:betabot:0f2f804, author = {Xylitol}, title = {{Betabot retrospective}}, date = {2015-04-15}, organization = {XyliBox}, url = {http://www.xylibox.com/2015/04/betabot-retrospective.html}, language = {English}, urldate = {2020-01-13} } Betabot retrospective
BetaBot
2013-09-24Hanan Natan
@online{natan:20130924:how:a770f31, author = {Hanan Natan}, title = {{How to extract BetaBot config info}}, date = {2013-09-24}, url = {http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html}, language = {English}, urldate = {2019-11-25} } How to extract BetaBot config info
BetaBot
Yara Rules
[TLP:WHITE] win_betabot_auto (20220411 | Detects win.betabot.)
rule win_betabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.betabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8918 ebe5 391d???????? 74dd 6878040000 e8???????? 8bf0 }
            // n = 7, score = 400
            //   8918                 | mov                 dword ptr [eax], ebx
            //   ebe5                 | jmp                 0xffffffe7
            //   391d????????         |                     
            //   74dd                 | je                  0xffffffdf
            //   6878040000           | push                0x478
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_1 = { e8???????? be04010000 56 53 8d85d4fbffff 50 }
            // n = 6, score = 400
            //   e8????????           |                     
            //   be04010000           | mov                 esi, 0x104
            //   56                   | push                esi
            //   53                   | push                ebx
            //   8d85d4fbffff         | lea                 eax, dword ptr [ebp - 0x42c]
            //   50                   | push                eax

        $sequence_2 = { 83c40c 8d8588fbffff 50 8d45e0 50 ff15???????? 8bd8 }
            // n = 7, score = 400
            //   83c40c               | add                 esp, 0xc
            //   8d8588fbffff         | lea                 eax, dword ptr [ebp - 0x478]
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, dword ptr [ebp - 0x20]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_3 = { 7910 6afe 58 eb18 668b0c42 663b4d08 7408 }
            // n = 7, score = 400
            //   7910                 | jns                 0x12
            //   6afe                 | push                -2
            //   58                   | pop                 eax
            //   eb18                 | jmp                 0x1a
            //   668b0c42             | mov                 cx, word ptr [edx + eax*2]
            //   663b4d08             | cmp                 cx, word ptr [ebp + 8]
            //   7408                 | je                  0xa

        $sequence_4 = { e8???????? 6a00 ffb5d0feffff ff15???????? 68c8000000 ff15???????? }
            // n = 6, score = 400
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ffb5d0feffff         | push                dword ptr [ebp - 0x130]
            //   ff15????????         |                     
            //   68c8000000           | push                0xc8
            //   ff15????????         |                     

        $sequence_5 = { ff7014 ff15???????? ebac 8b45fc ff700c ff15???????? eb93 }
            // n = 7, score = 400
            //   ff7014               | push                dword ptr [eax + 0x14]
            //   ff15????????         |                     
            //   ebac                 | jmp                 0xffffffae
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff700c               | push                dword ptr [eax + 0xc]
            //   ff15????????         |                     
            //   eb93                 | jmp                 0xffffff95

        $sequence_6 = { e8???????? 84c0 7504 6a04 eb02 6a03 58 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7504                 | jne                 6
            //   6a04                 | push                4
            //   eb02                 | jmp                 4
            //   6a03                 | push                3
            //   58                   | pop                 eax

        $sequence_7 = { eb07 8b45e4 40 8945e4 837de410 7315 }
            // n = 6, score = 400
            //   eb07                 | jmp                 9
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   40                   | inc                 eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   837de410             | cmp                 dword ptr [ebp - 0x1c], 0x10
            //   7315                 | jae                 0x17

        $sequence_8 = { 40 8945e4 837de410 7315 8b45f8 0345e4 0fb600 }
            // n = 7, score = 400
            //   40                   | inc                 eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   837de410             | cmp                 dword ptr [ebp - 0x1c], 0x10
            //   7315                 | jae                 0x17
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   0345e4               | add                 eax, dword ptr [ebp - 0x1c]
            //   0fb600               | movzx               eax, byte ptr [eax]

        $sequence_9 = { 8b45e4 5e c9 c20800 55 8bec 83ec20 }
            // n = 7, score = 400
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec20               | sub                 esp, 0x20

    condition:
        7 of them and filesize < 835584
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
rule win_betabot_w0 {
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        hash = "db9a816d58899f1ba92bc338e89f856a"
        hash = "d7b427ce3175fa7704da6b19a464938e"
        hash = "13027beb8aa5e891e8e641c05ccffde3"
        hash = "d1004b63d6d3cb90e6012c68e19ab453"
        hash = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $string0 = "BullGuard" wide
        $string1 = "cmd.exe" wide
        $string4 = "eUSERPROFILE" wide
        $string5 = "%c:\\%s.lnk" wide
        $string6 = "services.exe" wide
        $string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        $string12 = "-k NetworkService" wide
        $string13 = "firefox.exe"
        $string14 = "uWinMgr.exe" wide
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        10 of them
}
Download all Yara Rules