Win32/Betabot (alias Neurevt)

Forum for analysis and discussion about malware.
Darksin
Posts: 1
Joined: Thu Nov 29, 2012 7:18 am

Re: Win32/Betabot (alias Neurevt)

Post by Darksin » Thu Nov 21, 2013 8:53 am


Userbased
Posts: 21
Joined: Tue Oct 09, 2012 11:38 pm

Re: Win32/Betabot (alias Neurevt)

Post by Userbased » Sat Dec 07, 2013 7:55 pm

The coder copied solarbot.net and is now advertising the bot directly from a website.

betabot.ru

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Contact:

Re: Win32/Betabot (alias Neurevt)

Post by Xylitol » Mon Jan 20, 2014 4:08 pm

https://www.virustotal.com/en/file/39c2 ... 390228650/ > 0/49

http://fbcentral.net/software/HPmanager.exe
• dns: 1 ›› ip: 109.163.228.196 - adress: FBCENTRAL.NET
C&C login interface changed a bit since the 1.7 announcement.

Userbased
Posts: 21
Joined: Tue Oct 09, 2012 11:38 pm

Re: Win32/Betabot (alias Neurevt)

Post by Userbased » Tue Jan 28, 2014 8:02 pm

I had a look at one of the C&C's Xylitol posted on cybercrime tracker.

Betabot 1.7 Panel and uncrypted binary

hxxp://world-star-madness.com/pan.rar

tx707
Posts: 4
Joined: Sun Dec 08, 2013 1:53 pm

Re: Win32/Betabot (alias Neurevt)

Post by tx707 » Wed Jan 29, 2014 5:48 am

Userbased wrote: I had a look at one of the C&C's Xylitol posted on cybercrime tracker.

Betabot 1.7 Panel and uncrypted binary

hxxp://world-star-madness.com/pan.rar
Actually I'm interested in how Xylitol got the panel URL anyways.
Damn.. forgot to remove the panel after I've downloaded it. Thanks xylitol...

Userbased
Posts: 21
Joined: Tue Oct 09, 2012 11:38 pm

Re: Win32/Betabot (alias Neurevt)

Post by Userbased » Wed Jan 29, 2014 5:38 pm

The Virus Bulletin article is out from behind the paywall.

http://blog.fortinet.com/NEUREVT-BOT-ANALYSIS/

The samples in the article are from versions 1.0 and 1.0.2.5, so some things have changed in the more recent versions.

Interestingly, the article shows that a Skype spreading function was complete and available in the binary, despite the fact that this was (as far as I know) never given as an option in the panel (The author had it listed as an initial feature but was then terrified by the attention it could draw to the bot).

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Contact:

Re: Win32/Betabot (alias Neurevt)

Post by Xylitol » Mon Apr 21, 2014 7:31 am

https://www.virustotal.com/en/file/62dd ... 398065285/
> http://vxvault.siri-urz.net/ViriList.ph ... 6BC7D3963A

Key1=CF056C78778C0811
Key2=6E0F2D841777EF11
"-DO NOT SHARE YOUR UNCRYPTED BINARY OR EXECUTABLE. ALWAYS SHARE OR SPREAD YOUR CRYPTED FILE.
-USERS CAUGHT DISTRIBUTING UNCRYPTED BINARIES WILL NO LONGER RECEIVE UPDATES."
Fail.

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Contact:

Re: Win32/Betabot (alias Neurevt)

Post by Xylitol » Tue May 06, 2014 10:32 pm


Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Contact:

Re: Win32/Betabot (alias Neurevt)

Post by Cody Johnston » Fri May 09, 2014 12:56 am

Nice post about Betabot Process Injection:

http://vrt-blog.snort.org/2014/05/betab ... ction.html

