SYMBOLCOMMON_NAMEaka. SYNONYMS
win.betabot (Back to overview)

BetaBot

aka: Neurevt
URLhaus      

There is no description at this point.

References
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-07-14SophosLabs UncutMarkel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2018-11-04CCN-CERTCCN-CERT
@online{ccncert:20181104:betabot:fd654de, author = {CCN-CERT}, title = {{BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT}}, date = {2018-11-04}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html}, language = {English}, urldate = {2020-01-10} } BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT
BetaBot
2018-10-03CybereasonAssaf Dahan
@online{dahan:20181003:new:5f6c0b5, author = {Assaf Dahan}, title = {{New Betabot campaign under the microscope}}, date = {2018-10-03}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/betabot-banking-trojan-neurevt}, language = {English}, urldate = {2020-01-06} } New Betabot campaign under the microscope
BetaBot
2018-06-15Medium woj_ciechWojciech
@online{wojciech:20180615:betabot:569dbfd, author = {Wojciech}, title = {{Betabot still alive with multi-stage packing}}, date = {2018-06-15}, organization = {Medium woj_ciech}, url = {https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39}, language = {English}, urldate = {2020-01-13} } Betabot still alive with multi-stage packing
BetaBot
2017-02-27SophosTed Heppner
@online{heppner:20170227:betabot:68ba19f, author = {Ted Heppner}, title = {{Betabot: Configuration Data Extraction}}, date = {2017-02-27}, organization = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en}, language = {English}, urldate = {2020-01-13} } Betabot: Configuration Data Extraction
BetaBot
2015-04-15XyliBoxXylitol
@online{xylitol:20150415:betabot:0f2f804, author = {Xylitol}, title = {{Betabot retrospective}}, date = {2015-04-15}, organization = {XyliBox}, url = {http://www.xylibox.com/2015/04/betabot-retrospective.html}, language = {English}, urldate = {2020-01-13} } Betabot retrospective
BetaBot
2013-09-24Hanan Natan
@online{natan:20130924:how:a770f31, author = {Hanan Natan}, title = {{How to extract BetaBot config info}}, date = {2013-09-24}, url = {http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html}, language = {English}, urldate = {2019-11-25} } How to extract BetaBot config info
BetaBot
Yara Rules
[TLP:WHITE] win_betabot_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_betabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 85c0 7504 33c0 eb45 8365fc00 }
            // n = 6, score = 400
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb45                 | jmp                 0x47
            //   8365fc00             | and                 dword ptr [ebp - 4], 0

        $sequence_1 = { c9 c20800 55 8bec 33c0 394508 7419 }
            // n = 7, score = 400
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   33c0                 | xor                 eax, eax
            //   394508               | cmp                 dword ptr [ebp + 8], eax
            //   7419                 | je                  0x1b

        $sequence_2 = { 8b461c 8945f8 58 5e 56 50 8b7508 }
            // n = 7, score = 400
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   56                   | push                esi
            //   50                   | push                eax
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        $sequence_3 = { 8d45e8 50 e8???????? 6a41 58 668945e4 }
            // n = 6, score = 400
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a41                 | push                0x41
            //   58                   | pop                 eax
            //   668945e4             | mov                 word ptr [ebp - 0x1c], ax

        $sequence_4 = { ff15???????? 85c0 781d 6a10 58 8bc8 66890e }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   781d                 | js                  0x1f
            //   6a10                 | push                0x10
            //   58                   | pop                 eax
            //   8bc8                 | mov                 ecx, eax
            //   66890e               | mov                 word ptr [esi], cx

        $sequence_5 = { 83ec14 53 56 837d0800 }
            // n = 4, score = 400
            //   83ec14               | sub                 esp, 0x14
            //   53                   | push                ebx
            //   56                   | push                esi
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0

        $sequence_6 = { 7423 51 6a08 5f e8???????? 03f0 }
            // n = 6, score = 400
            //   7423                 | je                  0x25
            //   51                   | push                ecx
            //   6a08                 | push                8
            //   5f                   | pop                 edi
            //   e8????????           |                     
            //   03f0                 | add                 esi, eax

        $sequence_7 = { 6a00 8d45c8 50 e8???????? ff75ea ff15???????? }
            // n = 6, score = 400
            //   6a00                 | push                0
            //   8d45c8               | lea                 eax, [ebp - 0x38]
            //   50                   | push                eax
            //   e8????????           |                     
            //   ff75ea               | push                dword ptr [ebp - 0x16]
            //   ff15????????         |                     

        $sequence_8 = { 8975ec 8945f0 8975f4 e8???????? 68d2040000 ff35???????? 8bd8 }
            // n = 7, score = 400
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   e8????????           |                     
            //   68d2040000           | push                0x4d2
            //   ff35????????         |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_9 = { 5e c9 c20800 55 8bec 33c0 56 }
            // n = 7, score = 400
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   33c0                 | xor                 eax, eax
            //   56                   | push                esi

    condition:
        7 of them and filesize < 835584
}
[TLP:WHITE] win_betabot_w0   (20170517 | Neurevt Malware Sig)
rule win_betabot_w0 {
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        hash = "db9a816d58899f1ba92bc338e89f856a"
        hash = "d7b427ce3175fa7704da6b19a464938e"
        hash = "13027beb8aa5e891e8e641c05ccffde3"
        hash = "d1004b63d6d3cb90e6012c68e19ab453"
        hash = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $string0 = "BullGuard" wide
        $string1 = "cmd.exe" wide
        $string4 = "eUSERPROFILE" wide
        $string5 = "%c:\\%s.lnk" wide
        $string6 = "services.exe" wide
        $string9 = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        $string12 = "-k NetworkService" wide
        $string13 = "firefox.exe"
        $string14 = "uWinMgr.exe" wide
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        10 of them
}
Download all Yara Rules