SYMBOLCOMMON_NAMEaka. SYNONYMS
win.betabot (Back to overview)

BetaBot

aka: Neurevt
URLhaus      

There is no description at this point.

References
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-07-14SophosLabs UncutMarkel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2018-11-04CCN-CERTCCN-CERT
@online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT
BetaBot
2018-10-03CybereasonAssaf Dahan
@online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } New Betabot campaign under the microscope
BetaBot
2018-06-15Medium woj_ciechWojciech
@online{wojciech:20180615:betabot:569dbfd, author = {Wojciech}, title = {{Betabot still alive with multi-stage packing}}, date = {2018-06-15}, organization = {Medium woj_ciech}, url = {https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39}, language = {English}, urldate = {2020-01-13} } Betabot still alive with multi-stage packing
BetaBot
2017-02-27SophosTed Heppner
@online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } Betabot: Configuration Data Extraction
BetaBot
2015-04-15XyliBoxXylitol
@online{xylitol:20150415:betabot:0f2f804, author = {Xylitol}, title = {{Betabot retrospective}}, date = {2015-04-15}, organization = {XyliBox}, url = {http://www.xylibox.com/2015/04/betabot-retrospective.html}, language = {English}, urldate = {2020-01-13} } Betabot retrospective
BetaBot
2013-09-24Hanan Natan
@online{natan:20130924:how:a770f31, author = {Hanan Natan}, title = {{How to extract BetaBot config info}}, date = {2013-09-24}, url = {http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html}, language = {English}, urldate = {2019-11-25} } How to extract BetaBot config info
BetaBot
Yara Rules
[TLP:WHITE] win_betabot_auto (20210616 | Detects win.betabot.)
rule win_betabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.betabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8d4701 bb04010000 895dc0 8945bc e8???????? 8945f4 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8d4701               | lea                 eax, dword ptr [edi + 1]
            //   bb04010000           | mov                 ebx, 0x104
            //   895dc0               | mov                 dword ptr [ebp - 0x40], ebx
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   e8????????           |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        $sequence_1 = { 81ec7c040000 53 6850020000 6a00 8d8588fbffff 50 e8???????? }
            // n = 7, score = 400
            //   81ec7c040000         | sub                 esp, 0x47c
            //   53                   | push                ebx
            //   6850020000           | push                0x250
            //   6a00                 | push                0
            //   8d8588fbffff         | lea                 eax, dword ptr [ebp - 0x478]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_2 = { e8???????? 85c0 7504 33c0 eb25 8365fc00 56 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb25                 | jmp                 0x27
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   56                   | push                esi

        $sequence_3 = { 837d0800 740d 8b4d08 e8???????? 83f803 7307 33c0 }
            // n = 7, score = 400
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   740d                 | je                  0xf
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83f803               | cmp                 eax, 3
            //   7307                 | jae                 9
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { c20400 85f6 7504 83c8ff c3 66833e22 750e }
            // n = 7, score = 400
            //   c20400               | ret                 4
            //   85f6                 | test                esi, esi
            //   7504                 | jne                 6
            //   83c8ff               | or                  eax, 0xffffffff
            //   c3                   | ret                 
            //   66833e22             | cmp                 word ptr [esi], 0x22
            //   750e                 | jne                 0x10

        $sequence_5 = { c20400 55 8bec 51 51 8365fc00 803d????????01 }
            // n = 7, score = 400
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   803d????????01       |                     

        $sequence_6 = { 40 5f c9 c20400 55 8bec 83e4f8 }
            // n = 7, score = 400
            //   40                   | inc                 eax
            //   5f                   | pop                 edi
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8

        $sequence_7 = { e9???????? a1???????? 83780800 7507 32c0 e9???????? 833d????????00 }
            // n = 7, score = 400
            //   e9????????           |                     
            //   a1????????           |                     
            //   83780800             | cmp                 dword ptr [eax + 8], 0
            //   7507                 | jne                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     
            //   833d????????00       |                     

        $sequence_8 = { 0590030000 7509 b80d0000c0 5d c20800 5d ffe0 }
            // n = 7, score = 400
            //   0590030000           | add                 eax, 0x390
            //   7509                 | jne                 0xb
            //   b80d0000c0           | mov                 eax, 0xc000000d
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8
            //   5d                   | pop                 ebp
            //   ffe0                 | jmp                 eax

        $sequence_9 = { 83e70f 53 83c702 ff15???????? 50 33d2 8bc6 }
            // n = 7, score = 400
            //   83e70f               | and                 edi, 0xf
            //   53                   | push                ebx
            //   83c702               | add                 edi, 2
            //   ff15????????         |                     
            //   50                   | push                eax
            //   33d2                 | xor                 edx, edx
            //   8bc6                 | mov                 eax, esi

    condition:
        7 of them and filesize < 835584
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
rule win_betabot_w0 {
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        hash = "db9a816d58899f1ba92bc338e89f856a"
        hash = "d7b427ce3175fa7704da6b19a464938e"
        hash = "13027beb8aa5e891e8e641c05ccffde3"
        hash = "d1004b63d6d3cb90e6012c68e19ab453"
        hash = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $string0 = "BullGuard" wide
        $string1 = "cmd.exe" wide
        $string4 = "eUSERPROFILE" wide
        $string5 = "%c:\\%s.lnk" wide
        $string6 = "services.exe" wide
        $string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        $string12 = "-k NetworkService" wide
        $string13 = "firefox.exe"
        $string14 = "uWinMgr.exe" wide
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        10 of them
}
Download all Yara Rules