win.betabot

BetaBot

aka: Neurevt

Cybereason concludes that Betabot is a sophisticated infostealer malware that’s evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim’s machine and steal sensitive information.

References
2022-08-08 | Medium CSIS Techblog | Benoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-03-28 | KrabsOnSecurity | Mr. Krabs
Betabot in the Rearview Mirror
BetaBot
2021-03-31 | Kaspersky | Kaspersky
Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-07-14 | SophosLabs Uncut | Markel Picado, Sean Gallagher
RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-05-14 | SophosLabs | Markel Picado
RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2018-11-04 | CCN-CERT | CCN-CERT
BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT
BetaBot
2018-10-03 | Cybereason | Assaf Dahan
New Betabot campaign under the microscope
BetaBot
2018-06-15 | Medium woj_ciech | Wojciech
Betabot still alive with multi-stage packing
BetaBot
2017-02-27 | Sophos | Ted Heppner
Betabot: Configuration Data Extraction
BetaBot
2015-04-15 | XyliBox | Xylitol
Betabot retrospective
BetaBot
2013-09-24 | Hanan Natan
How to extract BetaBot config info
BetaBot
Yara Rules
[TLP:WHITE] win_betabot_auto (20230808 | Detects win.betabot.)
/*
 * Auto-generated code-pattern signature for win.betabot (Malpedia family page).
 *
 * Each $sequence_N below is a short run of x86 opcode bytes taken from the
 * disassembly of unpacked / memory-dumped samples; the commented columns next
 * to every string show the instruction each byte group decodes to.  Byte
 * groups written as ???????? are YARA wildcards: they sit where the
 * disassembly column is blank, i.e. on call/jump displacements and absolute
 * data references (cf. signator_config = "callsandjumps;datarefs;binvalue"),
 * so the pattern is not tied to a single image base or relocation layout.
 *
 * Reading the per-sequence annotations: "n" is the number of instructions in
 * the sequence; "score" is yara-signator's own ranking value for that
 * sequence — presumably higher means more family-specific, confirm against
 * the tool's documentation before relying on it.
 *
 * Scope caveat for defenders: the condition requires 7 of the 10 sequences
 * AND filesize < 835584, and the DISCLAIMER in meta states the patterns come
 * from unpacked code.  Expect it to fire on memory dumps and unpacked PE
 * images rather than on packed droppers as found on disk.
 */
rule win_betabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.betabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Stack-buffer setup: loads the address of a large local (ebp-0x81c),
        // zeroes a field at ebp-0x818, then sets edi = 1 via xor/inc.
        $sequence_0 = { 8d85e4f7ffff 89bde8f7ffff 50 33ff 56 47 56 }
            // n = 7, score = 400
            //   8d85e4f7ffff         | lea                 eax, [ebp - 0x81c]
            //   89bde8f7ffff         | mov                 dword ptr [ebp - 0x818], edi
            //   50                   | push                eax
            //   33ff                 | xor                 edi, edi
            //   56                   | push                esi
            //   47                   | inc                 edi
            //   56                   | push                esi

        // Two consecutive calls taking stack-local out-parameters; the
        // ff15 (indirect call through an import slot) and e8 (direct call)
        // targets are wildcarded.
        $sequence_1 = { 8d44244c 50 ff15???????? 8d442448 50 e8???????? 8d442448 }
            // n = 7, score = 400
            //   8d44244c             | lea                 eax, [esp + 0x4c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d442448             | lea                 eax, [esp + 0x48]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d442448             | lea                 eax, [esp + 0x48]

        // Compiler idiom "push imm8 / pop reg" (esi = 0x40) to load a small
        // constant in two bytes; the jmp, call and a3 store targets are
        // wildcarded.
        $sequence_2 = { 32c0 e9???????? 6a40 5e e8???????? a3???????? }
            // n = 6, score = 400
            //   32c0                 | xor                 al, al
            //   e9????????           |                     
            //   6a40                 | push                0x40
            //   5e                   | pop                 esi
            //   e8????????           |                     
            //   a3????????           |                     

        // Byte-flag parsing: stores al into a struct field at [esi+0x17],
        // masks al to its low 3 bits and branches on dl == 0x40 / 0x80.
        $sequence_3 = { 884617 2407 80fa40 7413 80fa80 7404 }
            // n = 6, score = 400
            //   884617               | mov                 byte ptr [esi + 0x17], al
            //   2407                 | and                 al, 7
            //   80fa40               | cmp                 dl, 0x40
            //   7413                 | je                  0x15
            //   80fa80               | cmp                 dl, 0x80
            //   7404                 | je                  6

        // Failure path: when eax == 0 the return value is set to -3 with the
        // same push/pop idiom, followed by the callee-saved register epilogue.
        $sequence_4 = { 85c0 7503 6afd 58 5f 5e 5b }
            // n = 7, score = 400
            //   85c0                 | test                eax, eax
            //   7503                 | jne                 5
            //   6afd                 | push                -3
            //   58                   | pop                 eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        // Spans a function boundary: "ret 4" ends one stdcall routine and the
        // next one opens with a frame prologue and an 0x18-byte local area.
        $sequence_5 = { c20400 55 8bec 83ec18 53 56 8365f800 }
            // n = 7, score = 400
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec18               | sub                 esp, 0x18
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8365f800             | and                 dword ptr [ebp - 8], 0

        // Call through a global function pointer (loaded by the wildcarded a1),
        // guarded by a NULL check; the pointer is likely resolved at runtime,
        // but that is an inference from the shape, not shown here.
        $sequence_6 = { a1???????? 85c0 740b 8d4dfc 51 ff7508 ffd0 }
            // n = 7, score = 400
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   740b                 | je                  0xd
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   51                   | push                ecx
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax

        // ebx = 0x4b0 (1200) literal followed by a NULL test on esi and a
        // decrement of a value loaded from a wildcarded global.
        $sequence_7 = { bbb0040000 85f6 7433 a1???????? 48 50 }
            // n = 6, score = 400
            //   bbb0040000           | mov                 ebx, 0x4b0
            //   85f6                 | test                esi, esi
            //   7433                 | je                  0x35
            //   a1????????           |                     
            //   48                   | dec                 eax
            //   50                   | push                eax

        // Compares the byte at [esi+0xa] against the literals 0xb9 and 0x33
        // and otherwise writes the status value 2 to [ebx].
        $sequence_8 = { 8a460a 3cb9 740c 3c33 7408 c70302000000 eb34 }
            // n = 7, score = 400
            //   8a460a               | mov                 al, byte ptr [esi + 0xa]
            //   3cb9                 | cmp                 al, 0xb9
            //   740c                 | je                  0xe
            //   3c33                 | cmp                 al, 0x33
            //   7408                 | je                  0xa
            //   c70302000000         | mov                 dword ptr [ebx], 2
            //   eb34                 | jmp                 0x36

        // 16-bit compare of the first argument against si, then cx = 2 is
        // stored to a local word at ebp-0x18.
        $sequence_9 = { 7470 66397508 746a 6a02 59 ff7508 66894de8 }
            // n = 7, score = 400
            //   7470                 | je                  0x72
            //   66397508             | cmp                 word ptr [ebp + 8], si
            //   746a                 | je                  0x6c
            //   6a02                 | push                2
            //   59                   | pop                 ecx
            //   ff7508               | push                dword ptr [ebp + 8]
            //   66894de8             | mov                 word ptr [ebp - 0x18], cx

    condition:
        // 7 of the 10 opcode sequences plus an upper size bound.  The size
        // bound is part of the generator's tuning; relax it only together with
        // a deliberate re-evaluation of the false-positive rate on your corpus.
        7 of them and filesize < 835584
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
/*
 * Hand-curated string signature for Neurevt / BetaBot, produced with
 * YaraGenerator in 2013 from the five samples listed under "hash" (32
 * hex digits each, i.e. MD5-length).
 *
 * Triage notes for defenders:
 *  - Several strings ("cmd.exe", "services.exe", "firefox.exe",
 *    "-k NetworkService", "Data Path", the BullGuard / F-PROT product names)
 *    are ordinary Windows or AV artefacts that also occur in benign software;
 *    the 10-of-13 threshold in the condition is what keeps the rule specific.
 *    The Spanish fake "corrupt files in Mis Documentos" lure text and the
 *    two old, fully-versioned Firefox User-Agent strings are the most
 *    distinctive members of the set.
 *  - "wide" restricts a string to its UTF-16LE form.  $string13 and the two
 *    User-Agent strings carry no modifier and therefore match ASCII only —
 *    presumably reflecting how the samples store them; confirm on a sample
 *    before adding or removing modifiers, since that changes what matches.
 *  - The string identifiers skip $string2/3/7/8/11/17; "them" counts only
 *    the declared strings, so this has no effect on the condition.
 */
rule win_betabot_w0 {
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        hash = "db9a816d58899f1ba92bc338e89f856a"
        hash = "d7b427ce3175fa7704da6b19a464938e"
        hash = "13027beb8aa5e891e8e641c05ccffde3"
        hash = "d1004b63d6d3cb90e6012c68e19ab453"
        hash = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $string0 = "BullGuard" wide
        $string1 = "cmd.exe" wide
        $string4 = "eUSERPROFILE" wide
        // Shortcut-path format string; the %c/%s placeholders are part of the
        // literal, not wildcards.
        $string5 = "%c:\\%s.lnk" wide
        $string6 = "services.exe" wide
        // Fake error dialogue text (Spanish); the most sample-specific string here.
        $string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        $string12 = "-k NetworkService" wide
        // ASCII only (no "wide") — see header note.
        $string13 = "firefox.exe"
        $string14 = "uWinMgr.exe" wide
        // Hard-coded, dated User-Agent strings; ASCII only.
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        // 10 of the 13 declared strings; no file-type or size constraint,
        // so memory and on-disk scans are both in scope.
        10 of them
}