Open Hunting - Threat Library

Openhunting Threat Library

BetaBot

BetaBot, Neurevt

(Type: Banking trojan, Backdoor, Info stealer, Credential stealer, DDoS, Downloader)

(Cybereason) Betabot’s main features include: • Browsers Form Grabber • FTP and mail client stealer • Banker module • Running DDOS attacks • USB infection module • Robust Userland Rootkit (x86/x64) • Arbitrary command execution via shell • The ability to download additional malware • Persistence • Crypto-currency miner module (added 2017)

[News Analysis] Trends:

Total Trend: 11

Trend Per Year

2013

2015

2017

2018

2020

2021

2022

Trend Per Month

Sep 2013

Apr 2015

Feb 2017

Jun 2018

Oct 2018

Nov 2018

May 2020

Jul 2020

Mar 2021

Mar 2022

Aug 2022

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp
russk21.icu	2023-04-26
rusianlover.icu	2021-03-10
siidocumentos.icu	2021-03-10
informaciones.siidocumentos.cu	2021-03-10

URL	Timestamp
http://b.uandmearertyasport1.com/direct/mail9/order.php	2023-02-23
http://elkip.ru/kernel/includes/robots/order.php	2023-01-28
http://urbanworld.ml/news/order.php	2022-12-31
http://api.wifi-update.biz/cdn/img.php	2022-12-23
http://z0m1.com/king/logout.php	2022-12-08
http://issasname.ws/xyz/abc/order.php	2022-12-05
http://sunny-displays.com/nex/bb/logout.php	2022-10-17
http://b.5dietmydartk5.com/direct/mail/order.php	2022-10-04
http://www.climetrics.com/wp-includes/js/swf/wp-form.php	2022-10-01
http://ns1.globsynbschool.com/wp-poster.php	2022-10-01

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure

2022-08-08 by Benoît Ancel from Medium CSIS Techblog

Betabot in the Rearview Mirror

2022-03-28 by Mr. Krabs from KrabsOnSecurity

Financial Cyberthreats in 2020

2021-03-31 by Kaspersky from Kaspersky

RATicate upgrades “RATs as a Service” attacks with commercial “crypter”

2020-07-14 by Markel Picado from SophosLabs Uncut

RATicate: an attacker’s waves of information-stealing malware

2020-05-14 by Markel Picado from SophosLabs

BetaBot y Fleercivet, dos nuevos informes de código dañino del CCN-CERT

2018-11-04 by CCN-CERT from CCN-CERT

New Betabot campaign under the microscope

2018-10-03 by Assaf Dahan from Cybereason

Betabot still alive with multi-stage packing

2018-06-15 by Wojciech from Medium woj_ciech

Betabot: Configuration Data Extraction

2017-02-27 by Ted Heppner from Sophos

Betabot retrospective

2015-04-15 by Xylitol from XyliBox

How to extract BetaBot config info

2013-09-24 by Hanan Natan from

Basic Information (Credit @etda.or.th)

Tool: BetaBot

Names: BetaBot, Neurevt

Description: (Cybereason) Betabot’s main features include: • Browsers Form Grabber • FTP and mail client stealer • Banker module • Running DDOS attacks • USB infection module • Robust Userland Rootkit (x86/x64) • Arbitrary command execution via shell • The ability to download additional malware • Persistence • Crypto-currency miner module (added 2017)

Category: Malware

Type: Banking trojan, Backdoor, Info stealer, Credential stealer, DDoS, Downloader

Information: https://www.cybereason.com/blog/betabot-banking-trojan-neurevt

Information: https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39

Information: http://www.xylibox.com/2015/04/betabot-retrospective.html

Information: https://asert.arbornetworks.com/beta-bot-a-code-review/

Information: http://resources.infosecinstitute.com/beta-bot-analysis-part-1/

Information: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf

Information: http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html

Information: https://blog.talosintelligence.com/2021/08/neurevt-trojan-takes-aim-at-mexican.html

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:betabot

Last-card-change: 2021-11-01

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

Indicators of Compromise (Credit @ThreatFox)

URL

http://b.uandmearertyasport1.com/direct/mail9/order.php
http://elkip.ru/kernel/includes/robots/order.php
http://urbanworld.ml/news/order.php
http://api.wifi-update.biz/cdn/img.php
http://z0m1.com/king/logout.php
http://issasname.ws/xyz/abc/order.php
http://sunny-displays.com/nex/bb/logout.php
http://b.5dietmydartk5.com/direct/mail/order.php
http://www.climetrics.com/wp-includes/js/swf/wp-form.php
http://ns1.globsynbschool.com/wp-poster.php
http://www.globsyn.com/stylesheet/text/info.php
http://mayoristas.divisared.es/ajax/support.php
http://www.sahebzaman.org/includes/css/load.php
http://cleanhomemade.com/clean/logout.php
http://eatlunch.top/cfg-bin/logout.php
http://russk21.icu/forum9/logout.php
http://update-silo.com/beta/order.php
http://dacosse.com/css/order.php
http://moscow13.at/forum8/logout.php
http://russk21.icu/forum8/logout.php
http://moscow13.at/forum2/logout.php
http://b.new2u700andmearevideos1k1.com/direct/mail3/order.php
http://russk20.icu/forum8/logout.php
http://moscow13.at/forum4/logout.php
http://russk19.icu/forum8/logout.php
http://faded.website/panel/logout.php
http://russk18.icu/forum7/logout.php
http://103.194.170.51/beta/logout.php
http://tachie.com/pop/fra/logout.php
http://darrassaad.com/darrassaad/p/logout.php
http://firecrackers.ru/kin/logout.php
http://russk18.icu/forum8/logout.php
http://b.9thegamejuststarted14k9.com/direct/mail/order.php
http://b.12thegamejuststarted10k12.com/direct/mail/order.php
http://b.7thegamejuststarted11k7.com/direct/mail/order.php
http://russk17.icu/forum8/logout.php
http://rusianlover.icu/forum/logout.php?pid=701
http://rusianlover.icu/forum/logout.php
https://zakriasons.co/wp-includes/rest-api/endpoints/898/index.php

DOMAIN

russk21.icu
rusianlover.icu
siidocumentos.icu
informaciones.siidocumentos.cu

SHA256_HASH

1b2c4ed9193792bfe48a5722705085e2afa7c14fd19512cb280e9750924852b4
7733c3d804cbb59a0c643e7318ae437ad3b5577289e5a44417a3768696f614f0
b6d6a7e37e23e7a65e964bc982979ceb94ab98a49fccf77cb888388fafa974eb
f3c6ec081b07206679c92b3ce2066fe2db39e8977c650bf126cfd390637ae651
fea0fdad9f440f68feb5c3b6f4952a952375397a6220c253fe7d3eeb15523397
e28c66491d701757a7b370aae235521e5e409edc45a1a90b544b4fb704324f70
8df03bfad7860d4f609e48de215c6f40fbb0de78bdaeb08fdf3409e722585efb
55c12cb22033e12af48c4bb80b660e4ace8ed2364e7147979e30355bab7d5469
273811e7b3de14abc8cfbbb28be4ab3c39922ff09c869f1a4b6b357577f0d374
eb7cea525ecef555356c13b6948c21ddad4b8a622ff4c027f285c0c096570253
4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e
02dce269070bfec91e4f01a67d774167f8208f17211e8027d8a7fe3dc62a356b

MD5_HASH

23873f7412c1985c6b227e7b0a9f3ae5
808e34a763acd79d01eeb1f54b18a551
f7e4a28f1ed37123d6e0851e573cd640
2ced2c14eece71c72c5e45e8a607bb4c

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact