win.betabot

BetaBot

aka: Neurevt

There is no description at this point.

References
https://www.cybereason.com/blog/betabot-banking-trojan-neurevt
https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39
https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html
http://www.xylibox.com/2015/04/betabot-retrospective.html
https://asert.arbornetworks.com/beta-bot-a-code-review/
http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en
http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html
Yara Rules
[TLP:WHITE] win_betabot_auto (20180607 | autogenerated rule brought to you by yara-signator)
// Autogenerated code-sequence signature (yara-signator; see meta and the DISCLAIMER below).
// Each $sequence_N is a run of raw x86 instruction bytes extracted from unpacked files /
// memory dumps. The "// n = ..., score = ..." line and the per-instruction disassembly
// under each string are generator annotations only; they do not affect matching.
// The absolute addresses in the disassembly (e.g. 0x3d67b4) come from the sample the
// generator processed; the patterns themselves only carry relative jump displacements
// (e.g. 7507 = jne +7, e983000000 = jmp +0x83), so they are not tied to a load address.
rule win_betabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Ten sequences, each of n = 4 instructions. "score" is the generator's
        // ranking value as emitted; its scale is not documented on this page.
        $sequence_0 = { 7507 33c0 e983000000 834dfcff }
            // n = 4, score = 3000
            //   7507                 | jne                 0x3d67b4
            //   33c0                 | xor                 eax, eax
            //   e983000000           | jmp                 0x3d6837
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff

        $sequence_1 = { 33c0 837d0801 721e 39450c }
            // n = 4, score = 3000
            //   33c0                 | xor                 eax, eax
            //   837d0801             | cmp                 dword ptr [ebp + 8], 1
            //   721e                 | jb                  0x3d5371
            //   39450c               | cmp                 dword ptr [ebp + 0xc], eax

        // NOTE(review): four pushes forwarding two stack arguments is a very common
        // call-setup shape; on its own this sequence is likely to occur in unrelated
        // code, so the "7 of them" condition is what carries the specificity here.
        $sequence_2 = { 56 ff7508 53 ff750c }
            // n = 4, score = 3000
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   53                   | push                ebx
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_3 = { 335514 8bc8 83e11f 034d10 }
            // n = 4, score = 3000
            //   335514               | xor                 edx, dword ptr [ebp + 0x14]
            //   8bc8                 | mov                 ecx, eax
            //   83e11f               | and                 ecx, 0x1f
            //   034d10               | add                 ecx, dword ptr [ebp + 0x10]

        $sequence_4 = { 5e 8b45fc 833800 7504 }
            // n = 4, score = 3000
            //   5e                   | pop                 esi
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   833800               | cmp                 dword ptr [eax], 0
            //   7504                 | jne                 0x3d6217

        $sequence_5 = { 81ec0c080000 83fb01 723d 85ff }
            // n = 4, score = 3000
            //   81ec0c080000         | sub                 esp, 0x80c
            //   83fb01               | cmp                 ebx, 1
            //   723d                 | jb                  0x3d53f2
            //   85ff                 | test                edi, edi

        $sequence_6 = { 3bc1 7512 89942448060000 c784244006000002000000 }
            // n = 4, score = 3000
            //   3bc1                 | cmp                 eax, ecx
            //   7512                 | jne                 0x3db959
            //   89942448060000       | mov                 dword ptr [esp + 0x648], edx
            //   c784244006000002000000     | mov    dword ptr [esp + 0x640], 2

        $sequence_7 = { 0f92c0 0fb6c0 85c0 754f }
            // n = 4, score = 3000
            //   0f92c0               | setb                al
            //   0fb6c0               | movzx               eax, al
            //   85c0                 | test                eax, eax
            //   754f                 | jne                 0x3cd1fb

        $sequence_8 = { 757e 8365dc00 eb07 8b45dc }
            // n = 4, score = 3000
            //   757e                 | jne                 0x3daf1a
            //   8365dc00             | and                 dword ptr [ebp - 0x24], 0
            //   eb07                 | jmp                 0x3daea9
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]

        // NOTE(review): the last two opcodes here (7507 33c0) are the first two of
        // $sequence_0. If the bytes after this sequence continue as in $sequence_0,
        // both strings match the same region and each counts separately toward "7 of them".
        $sequence_9 = { 0fb685a3fcffff 83f801 7507 33c0 }
            // n = 4, score = 3000
            //   0fb685a3fcffff       | movzx               eax, byte ptr [ebp - 0x35d]
            //   83f801               | cmp                 eax, 1
            //   7507                 | jne                 0x3ccf60
            //   33c0                 | xor                 eax, eax

    condition:
        // Any 7 of the 10 sequences. Per the DISCLAIMER, the patterns were derived from
        // unpacked code, so apply this to memory dumps / unpacked files; a packed on-disk
        // sample is not expected to hit.
        7 of them
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
rule win_betabot_w0 {
    // Third-party string signature for Neurevt/BetaBot, produced with YaraGenerator
    // (see the yaragenerator and source meta fields) and imported into Malpedia.
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        // hash0-hash4: five 32-hex-digit hashes (MD5 length; the algorithm is not
        // stated in the rule), presumably the samples the strings were extracted from.
        hash0 = "db9a816d58899f1ba92bc338e89f856a"
        hash1 = "d7b427ce3175fa7704da6b19a464938e"
        hash2 = "13027beb8aa5e891e8e641c05ccffde3"
        hash3 = "d1004b63d6d3cb90e6012c68e19ab453"
        hash4 = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // 13 strings. Those marked "wide" match UTF-16LE only; $string13, $string15 and
        // $string16 have no modifier and therefore match ASCII only.
        // The gaps in the numbering ($string2, 3, 7, 8, 11, 17 absent) presumably reflect
        // strings pruned from the generator output.
        // NOTE(review): "cmd.exe", "services.exe", "firefox.exe", "Data Path",
        // "-k NetworkService" and the two Firefox user-agent strings also occur in
        // plenty of benign software; the 10-of-13 condition is what keeps this rule
        // specific, so do not loosen it.
        $string0 = "BullGuard" wide
        $string1 = "cmd.exe" wide
        $string4 = "eUSERPROFILE" wide
        $string5 = "%c:\\%s.lnk" wide
        $string6 = "services.exe" wide
        // Spanish decoy message, roughly: "Multiple corrupt files have been found in the
        // "My Documents" folder. To avoid losing..." (truncated in the rule as extracted).
        $string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        $string12 = "-k NetworkService" wide
        $string13 = "firefox.exe"
        $string14 = "uWinMgr.exe" wide
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        // 10 of the 13 strings must be present, i.e. a sample may miss at most three.
        10 of them
}