win.betabot

BetaBot

aka: Neurevt

According to Cybereason, Betabot is a sophisticated infostealer that has evolved significantly since it first appeared in late 2012. It began as a banking Trojan and now carries features that let its operators take near-complete control of a victim's machine and steal sensitive information.

References
2022-08-08 — Medium CSIS Techblog — Benoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-03-28 — KrabsOnSecurity — Mr. Krabs
@online{krabs:20220328:betabot:7fd9fe0, author = {Mr. Krabs}, title = {{Betabot in the Rearview Mirror}}, date = {2022-03-28}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/}, language = {English}, urldate = {2022-04-04} } Betabot in the Rearview Mirror
BetaBot
2021-03-31 — Kaspersky — Kaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-07-14 — SophosLabs Uncut — Markel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-05-14 — SophosLabs — Markel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2018-11-04 — CCN-CERT — CCN-CERT
@online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT
BetaBot
2018-10-03 — Cybereason — Assaf Dahan
@online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } New Betabot campaign under the microscope
BetaBot
2018-06-15 — Medium woj_ciech — Wojciech
@online{wojciech:20180615:betabot:569dbfd, author = {Wojciech}, title = {{Betabot still alive with multi-stage packing}}, date = {2018-06-15}, organization = {Medium woj_ciech}, url = {https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39}, language = {English}, urldate = {2020-01-13} } Betabot still alive with multi-stage packing
BetaBot
2017-02-27 — Sophos — Ted Heppner
@online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } Betabot: Configuration Data Extraction
BetaBot
2015-04-15 — XyliBox — Xylitol
@online{xylitol:20150415:betabot:0f2f804, author = {Xylitol}, title = {{Betabot retrospective}}, date = {2015-04-15}, organization = {XyliBox}, url = {http://www.xylibox.com/2015/04/betabot-retrospective.html}, language = {English}, urldate = {2020-01-13} } Betabot retrospective
BetaBot
2013-09-24 — Hanan Natan
@online{natan:20130924:how:a770f31, author = {Hanan Natan}, title = {{How to extract BetaBot config info}}, date = {2013-09-24}, url = {http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html}, language = {English}, urldate = {2019-11-25} } How to extract BetaBot config info
BetaBot
Yara Rules
[TLP:WHITE] win_betabot_auto (20230407 | Detects win.betabot.)
rule win_betabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.betabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (deployment caveats):
     * - The atoms are 32-bit x86 code sequences (ebp-frame-relative dword
     *   accesses, as shown in the per-byte disassembly below) taken from
     *   unpacked code. Packed on-disk droppers (BetaBot is documented as using
     *   multi-stage packing) will likely only match after unpacking or in a
     *   process-memory / memory-dump scan.
     * - The `????????` wildcards mask the rel32 / absolute operands of
     *   call / jmp / call [mem] instructions, which differ between builds;
     *   the surrounding opcodes are what is matched.
     * - Each sequence is a short, fairly generic compiler idiom; the
     *   specificity comes from requiring 7 of the 10 together. Lowering the
     *   threshold without re-testing against a clean corpus is not advised.
     * - Treat a hit as "code similar to the documented Malpedia sample",
     *   not as a family-level verdict on its own.
     */

    strings:
        $sequence_0 = { 83780400 740c c78554ffffff01000000 eb07 83a554ffffff00 83bd54ffffff01 }
            // n = 6, score = 400
            //   83780400             | cmp                 dword ptr [eax + 4], 0
            //   740c                 | je                  0xe
            //   c78554ffffff01000000     | mov    dword ptr [ebp - 0xac], 1
            //   eb07                 | jmp                 9
            //   83a554ffffff00       | and                 dword ptr [ebp - 0xac], 0
            //   83bd54ffffff01       | cmp                 dword ptr [ebp - 0xac], 1

        $sequence_1 = { e9???????? 834dfcff 8365f400 8b45f8 ff7004 e8???????? }
            // n = 6, score = 400
            //   e9????????           |                     
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff
            //   8365f400             | and                 dword ptr [ebp - 0xc], 0
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   ff7004               | push                dword ptr [eax + 4]
            //   e8????????           |                     

        $sequence_2 = { 85c0 7420 8b460c 8d04b8 833800 740f ff7508 }
            // n = 7, score = 400
            //   85c0                 | test                eax, eax
            //   7420                 | je                  0x22
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   8d04b8               | lea                 eax, [eax + edi*4]
            //   833800               | cmp                 dword ptr [eax], 0
            //   740f                 | je                  0x11
            //   ff7508               | push                dword ptr [ebp + 8]

        // Sequences 3 and 7 are runs of stack-slot zeroing (and [ebp-X], 0) —
        // a prologue-style idiom with little inherent specificity on its own.
        $sequence_3 = { 83a5d0feffff00 83a5c4fdffff00 83a5b0fcffff00 83a5d4feffff00 83a5d8feffff00 83a5f4feffff00 83a5e4feffff00 }
            // n = 7, score = 400
            //   83a5d0feffff00       | and                 dword ptr [ebp - 0x130], 0
            //   83a5c4fdffff00       | and                 dword ptr [ebp - 0x23c], 0
            //   83a5b0fcffff00       | and                 dword ptr [ebp - 0x350], 0
            //   83a5d4feffff00       | and                 dword ptr [ebp - 0x12c], 0
            //   83a5d8feffff00       | and                 dword ptr [ebp - 0x128], 0
            //   83a5f4feffff00       | and                 dword ptr [ebp - 0x10c], 0
            //   83a5e4feffff00       | and                 dword ptr [ebp - 0x11c], 0

        // Indirect call through a vtable/function-table slot at +0x28.
        $sequence_4 = { 8b08 57 56 50 ff5128 8b45fc 8b08 }
            // n = 7, score = 400
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   57                   | push                edi
            //   56                   | push                esi
            //   50                   | push                eax
            //   ff5128               | call                dword ptr [ecx + 0x28]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_5 = { 57 e8???????? 8365fc00 8bcb e8???????? 8945f8 83f802 }
            // n = 7, score = 400
            //   57                   | push                edi
            //   e8????????           |                     
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   83f802               | cmp                 eax, 2

        $sequence_6 = { 56 8d8588feffff 50 e8???????? 397508 745d 8b4d08 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   8d8588feffff         | lea                 eax, [ebp - 0x178]
            //   50                   | push                eax
            //   e8????????           |                     
            //   397508               | cmp                 dword ptr [ebp + 8], esi
            //   745d                 | je                  0x5f
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_7 = { 7507 33c0 e9???????? 83a5e8feffff00 83a5b8fcffff00 83a5dcfeffff00 83a5e0feffff00 }
            // n = 7, score = 400
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   83a5e8feffff00       | and                 dword ptr [ebp - 0x118], 0
            //   83a5b8fcffff00       | and                 dword ptr [ebp - 0x348], 0
            //   83a5dcfeffff00       | and                 dword ptr [ebp - 0x124], 0
            //   83a5e0feffff00       | and                 dword ptr [ebp - 0x120], 0

        $sequence_8 = { 837d0800 740c 6a10 6a00 ff7508 e8???????? }
            // n = 6, score = 400
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   740c                 | je                  0xe
            //   6a10                 | push                0x10
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        // ff15 = call through an import-table / absolute pointer (masked).
        $sequence_9 = { ff15???????? 85c0 7411 ff750c ff7508 6a08 }
            // n = 6, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a08                 | push                8

    condition:
        // 7 of the 10 code sequences, and the scanned object must be smaller
        // than 835584 bytes (816 KiB). Note that YARA evaluates `filesize`
        // against the object being scanned, so a large memory dump or a full
        // process-memory region can fail this bound even when every sequence
        // is present; relax or drop the size check for memory scanning.
        7 of them and filesize < 835584
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
rule win_betabot_w0 {
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        hash = "db9a816d58899f1ba92bc338e89f856a"
        hash = "d7b427ce3175fa7704da6b19a464938e"
        hash = "13027beb8aa5e891e8e641c05ccffde3"
        hash = "d1004b63d6d3cb90e6012c68e19ab453"
        hash = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* Reviewer notes:
     * - Plain string signature produced by YaraGenerator from the five samples
     *   listed in the hash fields (2013-era Neurevt/BetaBot builds). There is
     *   no PE-header, filesize or code-level constraint.
     * - Several atoms are generic on their own (cmd.exe, services.exe,
     *   firefox.exe, "-k NetworkService", the two Firefox User-Agent strings,
     *   "Data Path"); the 10-of-13 threshold is what keeps the rule specific,
     *   so do not lower it without re-testing against a clean corpus.
     * - All atoms are UTF-16LE (wide) except $s_firefox_exe and the two
     *   User-Agent strings, which are ASCII.
     * - Strings are only visible in unpacked code or memory; packed droppers
     *   are unlikely to match on disk.
     */

    strings:
        // Anti-virus product names present in the samples
        $s_bullguard    = "BullGuard" wide
        $s_fprot_tray   = "F-PROT Antivirus Tray application" wide

        // Process names, paths and service arguments
        $s_cmd_exe      = "cmd.exe" wide
        $s_userprofile  = "eUSERPROFILE" wide
        $s_lnk_path     = "%c:\\%s.lnk" wide
        $s_services     = "services.exe" wide
        $s_svchost_arg  = "-k NetworkService" wide
        $s_firefox_exe  = "firefox.exe"
        $s_winmgr       = "uWinMgr.exe" wide
        $s_data_path    = "Data Path" wide

        // Spanish-language text about corrupt files in "Mis Documentos"
        // (presumably a decoy message shown to the victim — not verified here)
        $s_decoy_es     = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide

        // Hard-coded (and dated) Firefox User-Agent strings, ASCII
        $s_ua_firefox1  = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $s_ua_firefox2  = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

    condition:
        // Any 10 of the 13 atoms above
        10 of ($s_*)
}