There is no description at this point.
https://www.cybereason.com/blog/betabot-banking-trojan-neurevt |
https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39 |
https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html |
http://www.xylibox.com/2015/04/betabot-retrospective.html |
https://asert.arbornetworks.com/beta-bot-a-code-review/ |
http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref |
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en |
http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html |
rule win_betabot_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2018-11-23"
version = "1"
description = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator 0.1a"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
malpedia_version = "20180607"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using yara-signator.
* The code and documentation / approach will be published in the near future here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { 7507 33c0 e983000000 834dfcff }
// n = 4, score = 3000
// 7507 | jne 0x3d67b4
// 33c0 | xor eax, eax
// e983000000 | jmp 0x3d6837
// 834dfcff | or dword ptr [ebp - 4], 0xffffffff
$sequence_1 = { 33c0 837d0801 721e 39450c }
// n = 4, score = 3000
// 33c0 | xor eax, eax
// 837d0801 | cmp dword ptr [ebp + 8], 1
// 721e | jb 0x3d5371
// 39450c | cmp dword ptr [ebp + 0xc], eax
$sequence_2 = { 56 ff7508 53 ff750c }
// n = 4, score = 3000
// 56 | push esi
// ff7508 | push dword ptr [ebp + 8]
// 53 | push ebx
// ff750c | push dword ptr [ebp + 0xc]
$sequence_3 = { 335514 8bc8 83e11f 034d10 }
// n = 4, score = 3000
// 335514 | xor edx, dword ptr [ebp + 0x14]
// 8bc8 | mov ecx, eax
// 83e11f | and ecx, 0x1f
// 034d10 | add ecx, dword ptr [ebp + 0x10]
$sequence_4 = { 5e 8b45fc 833800 7504 }
// n = 4, score = 3000
// 5e | pop esi
// 8b45fc | mov eax, dword ptr [ebp - 4]
// 833800 | cmp dword ptr [eax], 0
// 7504 | jne 0x3d6217
$sequence_5 = { 81ec0c080000 83fb01 723d 85ff }
// n = 4, score = 3000
// 81ec0c080000 | sub esp, 0x80c
// 83fb01 | cmp ebx, 1
// 723d | jb 0x3d53f2
// 85ff | test edi, edi
$sequence_6 = { 3bc1 7512 89942448060000 c784244006000002000000 }
// n = 4, score = 3000
// 3bc1 | cmp eax, ecx
// 7512 | jne 0x3db959
// 89942448060000 | mov dword ptr [esp + 0x648], edx
// c784244006000002000000 | mov dword ptr [esp + 0x640], 2
$sequence_7 = { 0f92c0 0fb6c0 85c0 754f }
// n = 4, score = 3000
// 0f92c0 | setb al
// 0fb6c0 | movzx eax, al
// 85c0 | test eax, eax
// 754f | jne 0x3cd1fb
$sequence_8 = { 757e 8365dc00 eb07 8b45dc }
// n = 4, score = 3000
// 757e | jne 0x3daf1a
// 8365dc00 | and dword ptr [ebp - 0x24], 0
// eb07 | jmp 0x3daea9
// 8b45dc | mov eax, dword ptr [ebp - 0x24]
$sequence_9 = { 0fb685a3fcffff 83f801 7507 33c0 }
// n = 4, score = 3000
// 0fb685a3fcffff | movzx eax, byte ptr [ebp - 0x35d]
// 83f801 | cmp eax, 1
// 7507 | jne 0x3ccf60
// 33c0 | xor eax, eax
condition:
7 of them
}
rule win_betabot_w0 {
meta:
author = "Venom23"
date = "2013-06-21"
description = "Neurevt Malware Sig"
hash0 = "db9a816d58899f1ba92bc338e89f856a"
hash1 = "d7b427ce3175fa7704da6b19a464938e"
hash2 = "13027beb8aa5e891e8e641c05ccffde3"
hash3 = "d1004b63d6d3cb90e6012c68e19ab453"
hash4 = "a1286fd94984fd2de857f7b846062b5e"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
malpedia_version = "20170517"
malpedia_license = "CC BY-NC-SA 4.0"
malpedia_sharing = "TLP:WHITE"
strings:
$string0 = "BullGuard" wide
$string1 = "cmd.exe" wide
$string4 = "eUSERPROFILE" wide
$string5 = "%c:\\%s.lnk" wide
$string6 = "services.exe" wide
$string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
$string10 = "F-PROT Antivirus Tray application" wide
$string12 = "-k NetworkService" wide
$string13 = "firefox.exe"
$string14 = "uWinMgr.exe" wide
$string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
$string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
$string18 = "Data Path" wide
condition:
10 of them
}