win.betabot

BetaBot

aka: Neurevt

Cybereason concludes that Betabot is a sophisticated infostealer that has evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim's machine and steal sensitive information.

References
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-03-28KrabsOnSecurityMr. Krabs
@online{krabs:20220328:betabot:7fd9fe0, author = {Mr. Krabs}, title = {{Betabot in the Rearview Mirror}}, date = {2022-03-28}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/}, language = {English}, urldate = {2022-04-04} } Betabot in the Rearview Mirror
BetaBot
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-07-14SophosLabs UncutMarkel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2018-11-04CCN-CERTCCN-CERT
@online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT
BetaBot
2018-10-03CybereasonAssaf Dahan
@online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } New Betabot campaign under the microscope
BetaBot
2018-06-15Medium woj_ciechWojciech
@online{wojciech:20180615:betabot:569dbfd, author = {Wojciech}, title = {{Betabot still alive with multi-stage packing}}, date = {2018-06-15}, organization = {Medium woj_ciech}, url = {https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39}, language = {English}, urldate = {2020-01-13} } Betabot still alive with multi-stage packing
BetaBot
2017-02-27SophosTed Heppner
@online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } Betabot: Configuration Data Extraction
BetaBot
2015-04-15XyliBoxXylitol
@online{xylitol:20150415:betabot:0f2f804, author = {Xylitol}, title = {{Betabot retrospective}}, date = {2015-04-15}, organization = {XyliBox}, url = {http://www.xylibox.com/2015/04/betabot-retrospective.html}, language = {English}, urldate = {2020-01-13} } Betabot retrospective
BetaBot
2013-09-24Hanan Natan
@online{natan:20130924:how:a770f31, author = {Hanan Natan}, title = {{How to extract BetaBot config info}}, date = {2013-09-24}, url = {http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html}, language = {English}, urldate = {2019-11-25} } How to extract BetaBot config info
BetaBot
Yara Rules
[TLP:WHITE] win_betabot_auto (20230125 | Detects win.betabot.)
// Auto-generated code-sequence rule for win.betabot (meta fields below record the
// generator, its config and the Malpedia snapshot it was built from). Each
// $sequence_N pattern is a short run of x86 instruction bytes that YARA-Signator
// selected from unpacked samples / memory dumps (see the DISCLAIMER block), so
// the rule is meant for unpacked code or memory dumps rather than packed
// droppers on disk; one of the references on this page describes multi-stage
// packing for this family.
rule win_betabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.betabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator feature classes used to pick the sequences (callsandjumps,
        // datarefs, binvalue); exact semantics are defined by the tool linked below.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_rule_date = "20230124"
        // NOTE(review): presumably identifies the Malpedia data snapshot the rule
        // was generated from, not a sample hash — confirm before treating it as an IoC.
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Reading the patterns: each hex string is one instruction per token, with
        // the disassembly listed underneath. `??` bytes are wildcards; they appear
        // only in the 4-byte displacement of call (e8) / jmp (e9) instructions,
        // whose targets vary with layout. "n" is the number of instructions in
        // the sequence; "score" is the generator's ranking value (its scale is
        // not documented here — treat it as relative, not as a confidence).
        $sequence_0 = { 83c104 3b5508 72e7 6afe 58 eb07 8bc2 }
            // n = 7, score = 400
            //   83c104               | add                 ecx, 4
            //   3b5508               | cmp                 edx, dword ptr [ebp + 8]
            //   72e7                 | jb                  0xffffffe9
            //   6afe                 | push                -2
            //   58                   | pop                 eax
            //   eb07                 | jmp                 9
            //   8bc2                 | mov                 eax, edx

        $sequence_1 = { 8bd8 397508 7470 8b4d08 e8???????? 83f802 7263 }
            // n = 7, score = 400
            //   8bd8                 | mov                 ebx, eax
            //   397508               | cmp                 dword ptr [ebp + 8], esi
            //   7470                 | je                  0x72
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83f802               | cmp                 eax, 2
            //   7263                 | jb                  0x65

        $sequence_2 = { 8b45dc 8b4de4 ff3481 e8???????? 8b45fc 0fb74002 50 }
            // n = 7, score = 400
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   ff3481               | push                dword ptr [ecx + eax*4]
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   0fb74002             | movzx               eax, word ptr [eax + 2]
            //   50                   | push                eax

        // Function prologue fragment (mov ebp, esp; push esi/edi) — short and
        // generic on its own; it only carries weight in combination with the rest.
        $sequence_3 = { 8bec 33d2 56 57 3bca 7431 }
            // n = 6, score = 400
            //   8bec                 | mov                 ebp, esp
            //   33d2                 | xor                 edx, edx
            //   56                   | push                esi
            //   57                   | push                edi
            //   3bca                 | cmp                 ecx, edx
            //   7431                 | je                  0x33

        $sequence_4 = { 8b55fc 42 8955fc 3bc8 7c05 e9???????? }
            // n = 6, score = 400
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   42                   | inc                 edx
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   3bc8                 | cmp                 ecx, eax
            //   7c05                 | jl                  7
            //   e9????????           |                     

        $sequence_5 = { 832300 0fb7c0 c1e010 0bc1 eb08 c70303000000 33c0 }
            // n = 7, score = 400
            //   832300               | and                 dword ptr [ebx], 0
            //   0fb7c0               | movzx               eax, ax
            //   c1e010               | shl                 eax, 0x10
            //   0bc1                 | or                  eax, ecx
            //   eb08                 | jmp                 0xa
            //   c70303000000         | mov                 dword ptr [ebx], 3
            //   33c0                 | xor                 eax, eax

        // Prologue with a 0x14-byte frame and the constant 0x564 loaded into edi.
        $sequence_6 = { 8bec 83ec14 8365fc00 56 57 bf64050000 57 }
            // n = 7, score = 400
            //   8bec                 | mov                 ebp, esp
            //   83ec14               | sub                 esp, 0x14
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   56                   | push                esi
            //   57                   | push                edi
            //   bf64050000           | mov                 edi, 0x564
            //   57                   | push                edi

        $sequence_7 = { 7508 83c8ff e9???????? 837d1400 741a 8b4510 }
            // n = 6, score = 400
            //   7508                 | jne                 0xa
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0
            //   741a                 | je                  0x1c
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        // Byte-wise loop body bounded at 0x10 iterations ([ebp-0x1c] counts up to 16).
        $sequence_8 = { 40 8945e4 837de410 7315 8b45f8 0345e4 0fb600 }
            // n = 7, score = 400
            //   40                   | inc                 eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   837de410             | cmp                 dword ptr [ebp - 0x1c], 0x10
            //   7315                 | jae                 0x17
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   0345e4               | add                 eax, dword ptr [ebp - 0x1c]
            //   0fb600               | movzx               eax, byte ptr [eax]

        // Four stack arguments forwarded to an indirect `call eax`.
        $sequence_9 = { ff7514 ff7510 ff750c ff7508 ffd0 8bf0 83ff01 }
            // n = 7, score = 400
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax
            //   8bf0                 | mov                 esi, eax
            //   83ff01               | cmp                 edi, 1

    condition:
        // Any 7 of the 10 sequences, plus a size cap of 835584 bytes (816 KiB).
        // NOTE(review): `filesize` is only defined when scanning a file; YARA
        // documents it as undefined for process scans, which makes this clause
        // (and the whole `and`) fail on live-process scans. Scan a dump written to
        // disk, or drop the filesize term for in-memory use — verify against your
        // YARA version.
        7 of them and filesize < 835584
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
// Older string-based rule for the same family (Neurevt is the alias listed at the
// top of this page). It keys on plaintext artefacts, so it is expected to fire
// only on an unpacked/decrypted payload; the original was produced with
// YaraGenerator and later imported into Malpedia (see meta).
rule win_betabot_w0 {
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        // Reference samples the generator was run on. Each value is 32 hex digits,
        // so presumably MD5; YARA permits repeating a meta key.
        hash = "db9a816d58899f1ba92bc338e89f856a"
        hash = "d7b427ce3175fa7704da6b19a464938e"
        hash = "13027beb8aa5e891e8e641c05ccffde3"
        hash = "d1004b63d6d3cb90e6012c68e19ab453"
        hash = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // `wide` strings match UTF-16LE only; the three strings without it
        // ($string13, $string15, $string16) match ASCII only. The gaps in the
        // numbering suggest the generator's output was pruned by hand — the
        // dropped identifiers are not recoverable from this page.
        //
        // Security-product names; presumably read from a check for installed
        // AV software — not verified here.
        $string0 = "BullGuard" wide
        // Generic Windows process / service strings: low specificity on their
        // own (common in benign software), only meaningful via the 10-of-13 threshold.
        $string1 = "cmd.exe" wide
        // Looks like a fragment of an environment-variable reference (possibly a
        // truncated USERPROFILE lookup) — hedged, the original context is unknown.
        $string4 = "eUSERPROFILE" wide
        // Format string for a .lnk path at a drive root (`%c:\%s.lnk`).
        $string5 = "%c:\\%s.lnk" wide
        $string6 = "services.exe" wide
        // Spanish-language message about corrupted files in "Mis Documentos",
        // cut off mid-sentence; reads like a decoy/fake-error text shown to the user.
        $string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        $string12 = "-k NetworkService" wide
        $string13 = "firefox.exe"
        // Presumably the dropped executable name — not verified here.
        $string14 = "uWinMgr.exe" wide
        // Two hard-coded, long-obsolete Firefox user-agent strings; these are the
        // most distinctive strings in the set.
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        // Any 10 of the 13 strings above; no filesize or PE-header gating, so
        // expect matches on memory dumps as well as files.
        10 of them
}