win.betabot

BetaBot

aka: Neurevt

Cybereason concludes that Betabot is a sophisticated infostealer malware that’s evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim’s machine and steal sensitive information.

References
2022-08-08Medium CSIS TechblogBenoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-03-28KrabsOnSecurityMr. Krabs
Betabot in the Rearview Mirror
BetaBot
2021-03-31Kaspersky SASKaspersky
Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-07-14SophosLabs UncutMarkel Picado, Sean Gallagher
RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-05-14SophosLabsMarkel Picado
RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2018-11-04CCN-CERTCCN-CERT
BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT
BetaBot
2018-10-03CybereasonAssaf Dahan
New Betabot campaign under the microscope
BetaBot
2018-06-15Medium woj_ciechWojciech
Betabot still alive with multi-stage packing
BetaBot
2017-02-27SophosTed Heppner
Betabot: Configuration Data Extraction
BetaBot
2015-04-15XyliBoxXylitol
Betabot retrospective
BetaBot
2013-09-24Hanan Natan
How to extract BetaBot config info
BetaBot
Yara Rules
[TLP:WHITE] win_betabot_auto (20260504 | Detects win.betabot.)
/*
 * win_betabot_auto — code-pattern signature for BetaBot (aka Neurevt).
 *
 * Ten x86 opcode sequences ($sequence_0 .. $sequence_9) were selected
 * automatically by YARA-Signator from the disassembly of memory dumps and
 * unpacked files (see DISCLAIMER below). Each hex pattern is a short run of
 * instructions; the "??" wildcards stand in for the rel32 / imm32 operands
 * of calls (e8, ff15) and absolute data references (a1, 8935), which the
 * generator masks out (signator_config = "callsandjumps;datarefs;binvalue").
 * The "n = …, score = …" annotations give the instruction count of each
 * sequence and, presumably, the generator's selection score.
 *
 * Match condition: at least 7 of the 10 sequences AND a scanned size below
 * 835584 bytes (816 KiB). Because the sequences come from unpacked code,
 * the rule is meant for memory dumps or unpacked files; packed on-disk
 * samples will likely not expose these byte runs and so will not match.
 */
rule win_betabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.betabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Call setup: pushes esi, the constant 0x90 and eax before a call,
        // then loads eax from a fixed address (a1 = mov eax, [imm32]).
        $sequence_0 = { 56 bb90000000 53 50 e8???????? a1???????? }
            // n = 6, score = 400
            //   56                   | push                esi
            //   bb90000000           | mov                 ebx, 0x90
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   a1????????           |                     

        // Zeroes five dword stack locals ([ebp-0x18] .. [ebp-0x4]) via "and …, 0".
        $sequence_1 = { 8365e800 8365fc00 8365e400 8365ec00 8365f800 }
            // n = 5, score = 400
            //   8365e800             | and                 dword ptr [ebp - 0x18], 0
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8365e400             | and                 dword ptr [ebp - 0x1c], 0
            //   8365ec00             | and                 dword ptr [ebp - 0x14], 0
            //   8365f800             | and                 dword ptr [ebp - 8], 0

        // Saves [esi+0x1c] into a local, then re-pushes esi/eax and reloads
        // esi from the first stack argument ([ebp+8]).
        $sequence_2 = { 8b461c 8945f8 58 5e 56 50 8b7508 }
            // n = 7, score = 400
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   56                   | push                esi
            //   50                   | push                eax
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        // Function epilogue: stores esi to a fixed address (8935 = mov [imm32], esi),
        // returns esi in eax, then leave/ret.
        $sequence_3 = { 56 e8???????? 8935???????? 8bc6 5e c9 c3 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   e8????????           |                     
            //   8935????????         |                     
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 

        // Indirect call through an import/pointer slot (ff15), with the result
        // moved to esi and compared against -1 (INVALID_HANDLE_VALUE-style check).
        $sequence_4 = { ff7508 a4 895dfc ff15???????? 8bf0 83feff }
            // n = 6, score = 400
            //   ff7508               | push                dword ptr [ebp + 8]
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1

        // Loop tail: after an indirect call returns zero, advances esi by 0x28
        // and ebx by 1, looping back (jb) while ebx < 0xc.
        $sequence_5 = { ff15???????? 85c0 740b 43 83c628 83fb0c 72e7 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740b                 | je                  0xd
            //   43                   | inc                 ebx
            //   83c628               | add                 esi, 0x28
            //   83fb0c               | cmp                 ebx, 0xc
            //   72e7                 | jb                  0xffffffe9

        // Loads a function pointer from a fixed address, skips if null, then
        // calls it with (&local, arg0) pushed (call eax).
        $sequence_6 = { a1???????? 85c0 740b 8d4dfc 51 ff7508 ffd0 }
            // n = 7, score = 400
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   740b                 | je                  0xd
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   51                   | push                ecx
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax

        // Sets edi = 1 (xor/inc) between pushes of eax and esi.
        $sequence_7 = { 50 33ff 56 47 56 895df8 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   33ff                 | xor                 edi, edi
            //   56                   | push                esi
            //   47                   | inc                 edi
            //   56                   | push                esi
            //   895df8               | mov                 dword ptr [ebp - 8], ebx

        // Decrements the local at [ebp-0x11c] by 0x3e8 (1000) and pushes 0x18
        // before a call; the 1000 step suggests a millisecond/second conversion
        // (inference — confirm against the unpacked sample).
        $sequence_8 = { 8985e4feffff eb11 8b85e4feffff 2de8030000 8985e4feffff 6a18 e8???????? }
            // n = 7, score = 400
            //   8985e4feffff         | mov                 dword ptr [ebp - 0x11c], eax
            //   eb11                 | jmp                 0x13
            //   8b85e4feffff         | mov                 eax, dword ptr [ebp - 0x11c]
            //   2de8030000           | sub                 eax, 0x3e8
            //   8985e4feffff         | mov                 dword ptr [ebp - 0x11c], eax
            //   6a18                 | push                0x18
            //   e8????????           |                     

        // Passes a 0x80-byte stack buffer ([ebp-0x80]) and length 0x80 to a call.
        $sequence_9 = { 743e 6880000000 50 8d4580 50 e8???????? 8b450c }
            // n = 7, score = 400
            //   743e                 | je                  0x40
            //   6880000000           | push                0x80
            //   50                   | push                eax
            //   8d4580               | lea                 eax, [ebp - 0x80]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

    condition:
        // 835584 bytes = 816 KiB; filesize is the size of the scanned object
        // (file or memory dump), so keep the bound in mind when scanning dumps.
        7 of them and filesize < 835584
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
/*
 * win_betabot_w0 — string-based signature for Neurevt/BetaBot (2013, Venom23),
 * produced with YaraGenerator from the five sample hashes listed in meta.
 *
 * Strings marked `wide` must appear as UTF-16LE; $string13, $string15 and
 * $string16 are matched as ASCII only. Identifier numbering is not
 * contiguous ($string2, 3, 7, 8, 11 and 17 are absent) — presumably pruned
 * from the generator's output. Several strings are generic on their own
 * (process names, stock browser user-agent strings), so the 10-of-13
 * threshold is what keeps the rule from firing on benign binaries that
 * merely reference cmd.exe or Firefox.
 *
 * NOTE(review): there is no filesize bound or PE check; consider adding one
 * if this rule is used outside a curated sample set and false positives
 * are observed.
 */
rule win_betabot_w0 {
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        hash = "db9a816d58899f1ba92bc338e89f856a"
        hash = "d7b427ce3175fa7704da6b19a464938e"
        hash = "13027beb8aa5e891e8e641c05ccffde3"
        hash = "d1004b63d6d3cb90e6012c68e19ab453"
        hash = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Names of security products (BullGuard, F-PROT tray app).
        $string0 = "BullGuard" wide
        $string1 = "cmd.exe" wide
        // Looks like a fragment ending in the USERPROFILE environment-variable
        // name; the leading "e" is not explained by the sample — confirm.
        $string4 = "eUSERPROFILE" wide
        // Format template for a drive-letter path to a .lnk shortcut: "<c>:\<s>.lnk".
        $string5 = "%c:\\%s.lnk" wide
        $string6 = "services.exe" wide
        // Spanish message, truncated in the sample: "Multiple corrupt files have
        // been found in the \"My Documents\" folder. To avoid losing…"
        $string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        // Looks like a service-host command-line argument (unconfirmed here).
        $string12 = "-k NetworkService" wide
        $string13 = "firefox.exe"
        $string14 = "uWinMgr.exe" wide
        // Hard-coded browser user-agent strings (ASCII only, no `wide`).
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        // 10 of the 13 declared strings must be present.
        10 of them
}