win.betabot

BetaBot

aka: Neurevt

There is no description at this point.

References
https://www.cybereason.com/blog/betabot-banking-trojan-neurevt
https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39
https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html
http://www.xylibox.com/2015/04/betabot-retrospective.html
https://asert.arbornetworks.com/beta-bot-a-code-review/
http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en
http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html
Yara Rules
[TLP:WHITE] win_betabot_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_betabot_auto {
    /* Opcode-sequence rule for win.betabot, generated by yara-signator (see the
     * DISCLAIMER below).  Each $sequence_N is a run of seven x86 instructions
     * lifted from unpacked code / memory dumps, so expect it to fire on
     * unpacked payloads rather than on packed droppers as found on disk.
     * Bytes written as ?? are wildcards: they mask operands that change between
     * builds (rel32 targets of e8/e9 call/jmp, rel8 displacements of the
     * 74/76/72/eb short branches, absolute addresses in ff15/a1), which is
     * presumably why those instructions carry no text in the disassembly
     * annotations.
     */

    meta:
        // date/version/tool describe the generator run that produced the rule;
        // the malpedia_* fields tie it to its source entry and sharing terms.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Each sequence is annotated "n = 7, score = 400": n is the number of
    // instructions in the sequence; score is a yara-signator ranking value
    // whose scale is not documented on this page.  The per-byte lines map the
    // hex string back to the instruction it encodes.
    strings:
        $sequence_0 = { e8???????? 8bf8 3bfe 74?? 8d45f8 50 56 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   3bfe                 | cmp                 edi, esi
            //   74??                 |                     
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_1 = { 85c0 74?? 56 0fbe30 8b5508 40 0fbe0a }
            // n = 7, score = 400
            //   85c0                 | test                eax, eax
            //   74??                 |                     
            //   56                   | push                esi
            //   0fbe30               | movsx               esi, byte ptr [eax]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   40                   | inc                 eax
            //   0fbe0a               | movsx               ecx, byte ptr [edx]

        $sequence_2 = { 8bec 8b4508 81ec28020000 53 33db 56 57 }
            // n = 7, score = 400
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   81ec28020000         | sub                 esp, 0x228
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_3 = { 8d041a 8d7108 f7c7feffffff 76?? 0fb716 83fa01 72?? }
            // n = 7, score = 400
            //   8d041a               | lea                 eax, [edx + ebx]
            //   8d7108               | lea                 esi, [ecx + 8]
            //   f7c7feffffff         | test                edi, 0xfffffffe
            //   76??                 |                     
            //   0fb716               | movzx               edx, word ptr [esi]
            //   83fa01               | cmp                 edx, 1
            //   72??                 |                     

        $sequence_4 = { e8???????? 33c0 e9???????? 68c0570100 e8???????? 8985acfcffff 83bdacfcffff00 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   68c0570100           | push                0x157c0
            //   e8????????           |                     
            //   8985acfcffff         | mov                 dword ptr [ebp - 0x354], eax
            //   83bdacfcffff00       | cmp                 dword ptr [ebp - 0x354], 0

        $sequence_5 = { 8d85d0fdffff 50 8b85a4fcffff 8b8db4fcffff ff3481 8b85ecfeffff e8???????? }
            // n = 7, score = 400
            //   8d85d0fdffff         | lea                 eax, [ebp - 0x230]
            //   50                   | push                eax
            //   8b85a4fcffff         | mov                 eax, dword ptr [ebp - 0x35c]
            //   8b8db4fcffff         | mov                 ecx, dword ptr [ebp - 0x34c]
            //   ff3481               | push                dword ptr [ecx + eax*4]
            //   8b85ecfeffff         | mov                 eax, dword ptr [ebp - 0x114]
            //   e8????????           |                     

        $sequence_6 = { c645ff01 eb?? 33f6 46 57 ff15???????? eb?? }
            // n = 7, score = 400
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1
            //   eb??                 |                     
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   eb??                 |                     

        $sequence_7 = { 8d8588feffff 50 e8???????? 397508 74?? 8b4d08 e8???????? }
            // n = 7, score = 400
            //   8d8588feffff         | lea                 eax, [ebp - 0x178]
            //   50                   | push                eax
            //   e8????????           |                     
            //   397508               | cmp                 dword ptr [ebp + 8], esi
            //   74??                 |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_8 = { ff7510 56 56 ff15???????? 5f eb?? 83c8ff }
            // n = 7, score = 400
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   56                   | push                esi
            //   56                   | push                esi
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   eb??                 |                     
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_9 = { 83f806 73?? 32c0 c3 a1???????? 85c0 74?? }
            // n = 7, score = 400
            //   83f806               | cmp                 eax, 6
            //   73??                 |                     
            //   32c0                 | xor                 al, al
            //   c3                   | ret                 
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   74??                 |                     

    condition:
        // At least 7 of the 10 sequences above must be present; no file-size
        // or header constraint is applied, so scanning memory is fine.
        7 of them
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
rule win_betabot_w0 {
    /* String-based rule for win.betabot (Neurevt), produced with YaraGenerator
     * from the five samples listed as hash0..hash4 (32-hex-digit, MD5-length
     * values; the hash algorithm is not stated in the meta).  The gaps in the
     * identifier numbering ($string2, $string3, $string7, $string8, $string11
     * and $string17 are absent) suggest entries were pruned from the
     * generator's output; because the condition uses "of them", the gaps are
     * harmless.
     */
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        hash0 = "db9a816d58899f1ba92bc338e89f856a"
        hash1 = "d7b427ce3175fa7704da6b19a464938e"
        hash2 = "13027beb8aa5e891e8e641c05ccffde3"
        hash3 = "d1004b63d6d3cb90e6012c68e19ab453"
        hash4 = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // "wide" matches the UTF-16LE encoding of the text only; $string13,
    // $string15 and $string16 carry no modifier and therefore match ASCII only.
    // Several entries (cmd.exe, services.exe, firefox.exe, "-k NetworkService",
    // "Data Path", the two Firefox user-agent strings) also occur in benign
    // software, so a hit on any one of them by itself is not evidence; the
    // 10-of-13 threshold in the condition is what gives the rule its
    // specificity.  $string9 is a Spanish-language message that appears
    // truncated at the end of the declared text — presumably a user-facing
    // decoy text; confirm against the referenced samples before relying on it.
    strings:
        $string0 = "BullGuard" wide
        $string1 = "cmd.exe" wide
        $string4 = "eUSERPROFILE" wide
        $string5 = "%c:\\%s.lnk" wide
        $string6 = "services.exe" wide
        $string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        $string12 = "-k NetworkService" wide
        $string13 = "firefox.exe"
        $string14 = "uWinMgr.exe" wide
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        // At least 10 of the 13 declared strings must be present.
        10 of them
}