SYMBOLCOMMON_NAMEaka. SYNONYMS
win.betabot (Back to overview)

BetaBot

aka: Neurevt
URLhaus      

There is no description at this point.

References
2020-07-14SophosLabs UncutMarkel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2018-11-04CCN-CERTCCN-CERT
@online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT
BetaBot
2018-10-03CybereasonAssaf Dahan
@online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } New Betabot campaign under the microscope
BetaBot
2018-06-15Medium woj_ciechWojciech
@online{wojciech:20180615:betabot:569dbfd, author = {Wojciech}, title = {{Betabot still alive with multi-stage packing}}, date = {2018-06-15}, organization = {Medium woj_ciech}, url = {https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39}, language = {English}, urldate = {2020-01-13} } Betabot still alive with multi-stage packing
BetaBot
2017-02-27SophosTed Heppner
@online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } Betabot: Configuration Data Extraction
BetaBot
2015-04-15XyliBoxXylitol
@online{xylitol:20150415:betabot:0f2f804, author = {Xylitol}, title = {{Betabot retrospective}}, date = {2015-04-15}, organization = {XyliBox}, url = {http://www.xylibox.com/2015/04/betabot-retrospective.html}, language = {English}, urldate = {2020-01-13} } Betabot retrospective
BetaBot
2013-09-24Hanan Natan
@online{natan:20130924:how:a770f31, author = {Hanan Natan}, title = {{How to extract BetaBot config info}}, date = {2013-09-24}, url = {http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html}, language = {English}, urldate = {2019-11-25} } How to extract BetaBot config info
BetaBot
Yara Rules
[TLP:WHITE] win_betabot_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_betabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c104 3b5508 72e7 6afe 58 eb07 8bc2 }
            // n = 7, score = 400
            //   83c104               | add                 ecx, 4
            //   3b5508               | cmp                 edx, dword ptr [ebp + 8]
            //   72e7                 | jb                  0xffffffe9
            //   6afe                 | push                -2
            //   58                   | pop                 eax
            //   eb07                 | jmp                 9
            //   8bc2                 | mov                 eax, edx

        $sequence_1 = { 85c0 7402 8930 c645ff01 8a45ff 5b }
            // n = 6, score = 400
            //   85c0                 | test                eax, eax
            //   7402                 | je                  4
            //   8930                 | mov                 dword ptr [eax], esi
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1
            //   8a45ff               | mov                 al, byte ptr [ebp - 1]
            //   5b                   | pop                 ebx

        $sequence_2 = { e8???????? 57 53 68???????? e8???????? bf00100000 57 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   57                   | push                edi
            //   53                   | push                ebx
            //   68????????           |                     
            //   e8????????           |                     
            //   bf00100000           | mov                 edi, 0x1000
            //   57                   | push                edi

        $sequence_3 = { 85c9 74f6 8b4018 0fafc1 83c03c c3 85c0 }
            // n = 7, score = 400
            //   85c9                 | test                ecx, ecx
            //   74f6                 | je                  0xfffffff8
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]
            //   0fafc1               | imul                eax, ecx
            //   83c03c               | add                 eax, 0x3c
            //   c3                   | ret                 
            //   85c0                 | test                eax, eax

        $sequence_4 = { 6a10 8d45f0 50 ff7508 ff15???????? eb03 6afe }
            // n = 7, score = 400
            //   6a10                 | push                0x10
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   eb03                 | jmp                 5
            //   6afe                 | push                -2

        $sequence_5 = { e8???????? ff750c 8bf8 56 ff7508 e8???????? 56 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8bf8                 | mov                 edi, eax
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   56                   | push                esi

        $sequence_6 = { e8???????? 83f803 7307 33c0 e9???????? b32c }
            // n = 6, score = 400
            //   e8????????           |                     
            //   83f803               | cmp                 eax, 3
            //   7307                 | jae                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   b32c                 | mov                 bl, 0x2c

        $sequence_7 = { 740b ff75f4 6aff ff15???????? 8b4508 85c0 }
            // n = 6, score = 400
            //   740b                 | je                  0xd
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   6aff                 | push                -1
            //   ff15????????         |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   85c0                 | test                eax, eax

        $sequence_8 = { c3 33c0 c3 56 8bf0 8bc1 e8???????? }
            // n = 7, score = 400
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8bf0                 | mov                 esi, eax
            //   8bc1                 | mov                 eax, ecx
            //   e8????????           |                     

        $sequence_9 = { ff7514 ff7510 ff750c ff7508 ffd0 8bf0 83ff01 }
            // n = 7, score = 400
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax
            //   8bf0                 | mov                 esi, eax
            //   83ff01               | cmp                 edi, 1

    condition:
        7 of them and filesize < 835584
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
rule win_betabot_w0 {
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        hash0 = "db9a816d58899f1ba92bc338e89f856a"
        hash1 = "d7b427ce3175fa7704da6b19a464938e"
        hash2 = "13027beb8aa5e891e8e641c05ccffde3"
        hash3 = "d1004b63d6d3cb90e6012c68e19ab453"
        hash4 = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $string0 = "BullGuard" wide
        $string1 = "cmd.exe" wide
        $string4 = "eUSERPROFILE" wide
        $string5 = "%c:\\%s.lnk" wide
        $string6 = "services.exe" wide
        $string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        $string12 = "-k NetworkService" wide
        $string13 = "firefox.exe"
        $string14 = "uWinMgr.exe" wide
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        10 of them
}
Download all Yara Rules