{
	"id": "43efb841-1b04-4ba4-9689-967d538ee3cc",
	"created_at": "2026-04-06T00:16:26.54671Z",
	"updated_at": "2026-04-10T13:12:22.795212Z",
	"deleted_at": null,
	"sha1_hash": "e7f52ecfb66f0969bd3e0d8663eb15b8d32ed966",
	"title": "New Betabot campaign under the microscope",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2034954,
	"plain_text": "New Betabot campaign under the microscope\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 19:23:27 UTC\r\nResearch by: Assaf Dahan\r\nIn the past few weeks, the Cybereason SOC has detected multiple Betabot (aka Neurevt) infections in customer\r\nenvironments. Betabot is a sophisticated infostealer malware that’s evolved significantly since it first appeared in\r\nlate 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to\r\npractically take over a victim’s machine and steal sensitive information.\r\nWant to start threat hunting like the pros?\r\nCheck out our webinar on how to generate a hypothesis in a threat hunt.\r\nBetabot’s main features include:\r\nBrowsers Form Grabber\r\nFTP and mail client stealer\r\nBanker module\r\nRunning DDOS attacks\r\nUSB infection module\r\nRobust Userland Rootkit (x86/x64)\r\nArbitrary command execution via shell\r\nThe ability to download additional malware\r\nPersistence\r\nCrypto-currency miner module (added 2017)\r\nBetabot exploits an 18-year-old vulnerability in the Equation Editor tool in Microsoft Office. The vulnerability has\r\nbeen around since 2000 when Equation Editor was added to Office. However, it wasn’t discovered by researchers\r\nand patched by Microsoft until 2017.\r\nMost modern malware have self-defense features designed to bypass detection and thwart analysis. These features\r\ninclude anti-debugging, anti-virtual machine/sandbox, anti-disassembly and the ability to detect security products\r\nand analysis tools. It is not uncommon for malware to take a more aggressive approach and disable or uninstall\r\nantivirus software. Other programs remove malware and bots that are already on a person’s machine, eliminating\r\nthe competition with heuristic approaches that would put many security products to shame.  
\r\nhttps://www.cybereason.com/blog/betabot-banking-trojan-neurevt\r\nPage 1 of 23\r\nBetabot stands out because it implements all of these self-defense features and has an exhaustive blacklist of file and process names, product IDs, hashes and domains from major antivirus, security and virtualization companies.\r\nThis blog will use Cybereason telemetry data gathered from multiple customer endpoints to look at the infection chain. We’ll also delve into Betabot’s self-defense mechanisms.\r\nInfection Vector: CVE-2017-11882 Exploit-Weaponized Document\r\nThe Betabot infections seen in our telemetry originated from phishing campaigns that used social engineering to persuade users to download and open what appears to be a Word document attached to an email.\r\nThis screenshot shows the infection vector from the Lotus Notes email client:\r\nPurchase order#.doc details (SHA-1: 566154dadb304019a8b035d883c9e32ca95cd64e)\r\nExamining the document in a hex editor, we can see that it is, in fact, an RTF file:\r\nUsing Didier Stevens’ rtfdump.py, we can see multiple entries with embedded objects:\r\nUsed command: rtfdump.py -f O [file]\r\nExample of a dumped and decoded entry, showing a batch script embedded in the document:\r\nUsed command: rtfdump.py -s 7 -H [file]\r\nDropped Files\r\nDumping each entry results in the following files, which will eventually be dropped:\r\nFile | Purpose | SHA-1\r\n%temp%\\dqfm.cmd | Checks for previous infection and launches hondi.cmd | 86B5058C89231C691655306E12E1E4640D23ED19\r\n%temp%\\gondi.doc | Decoy Word document | 33C3F3F4BA62017F5186343C0869B23AB72E081E\r\n%temp%\\hondi.cmd | Deletes traces by deleting the Resiliency registry entry; kills the Word process; deploys a decoy document; starts mondi.exe | 92F2515828C77056AE04696FD207783DFF8F778D\r\n%temp%\\mondi.exe | NSIS-based dropper; unpacks the malware payload; injects the payload into other running processes (predefined list); creates persistence | FE1B51FE46BDAD6EA051110AB0D1B788A54331E4\r\nIllustration of the observed infection chain:\r\nContents of dqfm.cmd:\r\nContents of hondi.cmd:\r\nExploit Behavioral Execution Tree\r\nThe Cybereason platform caught the exploit’s behavioral chain, as seen in these screenshots:\r\n1. Opening the weaponized RTF document triggers the Equation Editor exploit (CVE-2017-11882) and executes dqfm.cmd, which spawns hondi.cmd:\r\n2. Hondi.cmd will execute the following commands:\r\nDelete traces of the original RTF document by enumerating all the Resiliency registry keys and deleting them:\r\nreg delete HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Word\\Resiliency /f\r\nGather information about the Most Recently Used (MRU) Office files for the decoy document:\r\nC:\\Windows\\system32\\cmd.exe /c REG QUERY \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\11.0\\Word\\File MRU\" /v \"Item 1\"\r\nKill the Word process (which executed the RTF document):\r\nTaskill.exe TASkKILL /F /IM winword.exe\r\nExecute the Betabot dropper “mondi.exe”:\r\nC:\\Users\\[snip]\\AppData\\Local\\Temp\\mondi.eXe\r\nOpen the decoy document:\r\n\"C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE\" /n /dde\r\nBetabot Dropper Analysis\r\nThe mondi.exe binary is actually compressed by NSIS (Nullsoft Scriptable Install System), open-source software used to create Windows installers, as indicated by the “Nullsoft PiMP stub” compiler signature:\r\nThe installer will extract the Betabot loader and the encrypted main payload:\r\n1. Performances.dll (Loader; SHA-1: 22C35AEF70D708AA791AFC4FC8097C3C0B6DC0C1)\r\n2. Midiron.dat (Encrypted Betabot payload; SHA-1: B7599AF48FC3124BE65856012A7C2DCB18BE579A)\r\nBetabot’s Unpacking and Process Injection\r\nThe loader will unpack the payload and inject it into its own child process. The injecting process raised the following behavioral suspicions:\r\nPerformances.dll loaded into mondi.exe:\r\nThe loader child process will then enumerate all the running processes in order to find injection candidates. In many of the cases Cybereason observed, the Betabot loader injected its code into multiple running processes for persistence and to maximize survival. If an injected process is terminated, another process will kick in and spawn the loader as a child process.\r\nIn most cases, the main payload will first be injected into a second instance of Explorer.exe:\r\nBetabot code injected into a second instance of Explorer.exe\r\nHowever, in one of the incidents, we observed Betabot injecting itself into a McAfee process called “shtat.exe”:\r\nShtat.exe’s file details indicate that it’s a legitimate McAfee antivirus product (SHA-1: f384bb7564f26f37a48aadf714fccb5cbffe2dc6)\r\nC2 Communication\r\nOnce injected, Betabot will attempt to communicate with its C2 servers. Prior to that, it will check Internet connectivity by sending requests to the following domains (the “check_connectivity” function was renamed by the blog’s author):\r\nOnce Internet connectivity is verified, Betabot will send requests to its C2 servers, as shown below:\r\nThe IP address “185.246.153[.]251” serves other malware, such as LokiBot.\r\nhttp://cybercrime-tracker.net/index.php?search=185.22.152.146\r\nObserved Persistence\r\nBetabot utilizes several interesting persistence techniques. However, in the sample we analyzed, it used a classic registry Autorun:\r\nIt dropped a renamed copy of the installer in ProgramData under the name “Google Updater 2.0” and changed the directory’s and file’s permissions and ownership to prevent them from being removed or tampered with. Once Betabot is executed, it makes extensive use of API hooking to hide the persistence from regedit, Sysinternals’ Autoruns and other monitoring tools.\r\nA secondary persistence mechanism, implemented via Windows Task Scheduler, was also observed in some infections:\r\nThe code above will result in the following scheduled task command:\r\nschtasks.exe' /CREATE /SC ONLOGON /TN 'Windows Update Check - [variable]' /TR 'C:\\ProgramData\\[path_to_file]\r\nBetabot is Paranoid\r\nBetabot’s authors designed the malware to operate in paranoid mode. For example, it can detect security products running on a victim’s machine, determine if it’s running in a research lab environment, and identify and shut down other malware that’s on the machine. These self-defense mechanisms are well advertised in hacking forums:\r\nLet’s explore some of these features:\r\nVirtualization detection\r\nBetabot will attempt to determine if it is executed in a virtual environment by querying the registry and looking for the names of virtual machine vendors such as VMware, VirtualBox and Parallels, as well as searching for specific vendor driver files:\r\nHARDWARE\\\\DESCRIPTION\\\\System\\\\BIOS [SystemManufacturer] - VMWARE\r\nHARDWARE\\\\DESCRIPTION\\\\System [SystemBiosVersion] - Virtual Box\r\nDrivers list: vboxvideo.sys, vboxguest.sys, vmhgfs.sys, prl_boot.sys.\r\nAnother trick used to determine if the environment is virtual is to obtain a handle to \\\\Device\\\\Harddisk0\\\\Partition and \\\\??\\\\PHYSICALDRIVE0. This is usually done to calculate the size of the hard drive:\r\nSandbox Detection\r\nBetabot will check for the presence of Wine, which is often an indication of a sandbox environment:\r\nThen it will proceed to search for product IDs of common sandbox vendors in the Windows registry by enumerating “SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion”:\r\nProduct IDs of common sandbox vendors (Anubis, CWSandbox, Joe Sandbox, GFI, Kaspersky):\r\n76487-640-1457236-23837, 76487-337-8429955-22614, 76487-644-3177037-23510, 76497-640-6308873-23835, 55274-640-2673064-23950, 76487-640-8834005-23195, 76487-640-0716662-23535, 76487-644-8648466-23106, 00426-293-8170032-85146, 76487-341-5883812-22420, 76487-OEM-0027453-63796\r\nIn addition, Betabot checks to see if the username matches any of the blacklisted common sandbox usernames, including “sandbox”, “sand box”, “malware”, “maltest” and “test user”.\r\nAn additional sandbox DLL check will look for known DLLs: SbieDll.dll (Sandboxie), api_log.dll and dir_watch.dll (iDefense Labs):\r\nAnti-debugging\r\nBetabot uses several techniques to ensure that it’s not being debugged and to prevent debuggers from attaching to its process, such as:\r\nCalling ZwQueryInformationProcess / NtQueryInformationProcess with the ProcessDebugPort flag (0x07):\r\nInstead of using the obvious IsDebuggerPresent API, Betabot will use the segment register to query the PEB structure (Process Environment Block) via “fs:[30h]” and then look for the BeingDebugged flag (0x02).\r\nPreventing debuggers from attaching to the Betabot process by patching NTDLL.DLL’s DbgBreakPoint, replacing the INT3 interrupt instruction (0xCC) with NOP (0x90):\r\nDetection of antivirus vendors\r\nBetabot will attempt to detect (and in some cases disable or remove) 30 different security products by looking for process names, specific files, folders, registry keys and services. Those products and vendors are:\r\nAhnlab v3 Lite, ArcaVir, Avast!, AVG, Avira, BitDefender (on minimal configuration), BKAV, BullGuard, Emsisoft Anti-Malware, ESET NOD32 / Smart Security, F-PROT, F-Secure IS, GData IS, Ikarus AV, K7 AntiVirus, Kaspersky AV/IS (older versions only), Lavasoft Adaware AV, MalwareBytes Anti-Malware, McAfee, Microsoft Security Essentials, Norman AntiVirus, Norton AntiVirus (Vista+ only), Outpost Firewall Pro, Panda AV/IS, Panda Cloud AV (free version), PC Tools AntiVirus, Rising AV/IS, Sophos Endpoint AntiVirus, Total Defense, Trend Micro, Vipre, Webroot SecureAnywhere AV, Windows Defender, ZoneAlarm IS\r\nExample of one of the functions that checks for the presence of antivirus vendors:\r\nExample of Betabot’s detection of Trend Micro artifacts on an infected host:\r\nExample of Betabot’s detection of IBM’s Trusteer artifacts:\r\nNetwork antivirus checks (DNS blocking)\r\nBetabot will attempt to block DNS requests to the following security vendors to prevent updates and other Web-related features that the products rely on:\r\nEliminating competition (BotKiller)\r\nIn addition to its AVKiller module, Betabot will attempt to detect other bots and malware on the infected host by looking for common malware persistence patterns and other heuristic features. For example, Betabot will enumerate registry autorun keys to look for suspicious-looking persistence indicators that are common in malware:\r\nEnumerating Autorun keys:\r\nChecking for the script-based fileless malware persistence pattern:\r\nMeasures to Prevent Betabot Infections\r\nHere are some best practices to minimize the risk of infection:\r\n1. Avoid clicking links and downloading or opening attachments from unknown senders.\r\n2. Look for misspellings, typos and other suspicious content in emails and attachments and report any abnormalities to IT or information security.\r\n3. Keep your software up-to-date and install Microsoft security patches, especially https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882\r\n4. Consider disabling the Equation Editor feature in Microsoft Office by editing the following registry entries:\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Office\\Common\\COM Compatibility\\{0002CE02-0000-0000-C000-000000000046}]\r\n\"Compatibility Flags\"=dword:00000400\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Office\\Common\\COM Compatibility\\{0002CE02-0000-0000-C000-000000000046}]\r\n\"Compatibility Flags\"=dword:00000400\r\nIOCs\r\nHashes\r\nB4EEF8F14871FB3891C864602AEE75FE2513064A\r\nCD46BD187F35EA782309B373866DEA1B6311FAD9\r\nCA7E8C9AA7F63133BC37958A6AA3A59CFD014465\r\nE23BED29C6D64AD80504331A9E87EB8C8ED59B8A\r\nC61C5E61C6B80878245E2837DF949318A5831D85\r\n48F2C9DC9FA41BAD9D1EA6C01DA034110AA9D4A0\r\nFE1B51FE46BDAD6EA051110AB0D1B788A54331E4\r\nF241F55480D54590D37C64916BC7B595DA7571A0\r\n6B19C85B6A28C2EDCC1784CD3465F6AA665107C3\r\n4FF2175B663750BA0CE9433A85069BA5FD6B78EC\r\n7DA2408369F566BA9DB80DF857E6BFE818BEF525\r\nF1DD50ED248D6EEA5620D59F15A39FB9E7226F27\r\n8C15081B1615144F69A4B1784B43BBB84A79D13B\r\nA45CF65FC4E4D7BC64CBC7CFB02367316881BE87\r\n081D11E4FDECD0CA70E6EF57156C06454EBA02C2\r\n11D04C2AFCA86718D2C8856301D5D55F73B7A344\r\n22C35AEF70D708AA791AFC4FC8097C3C0B6DC0C1\r\n25499BE38A3430DB8AEBA091D051EAC2A7C08133\r\n566154DADB304019A8B035D883C9E32CA95CD64E\r\n5DB5EB3CB52C5503B98DB4883366D52AC8B2FD13\r\n792ECBC513246315306D81464D2A5714B3CD6E34\r\n8212450A90AF9061B1DDE92ED79290225DF022CE\r\n86B5058C89231C691655306E12E1E4640D23ED19\r\n92F2515828C77056AE04696FD207783DFF8F778D\r\n9A2B31B5B9BC99CBA49D64B3EBDDDC7F027FEADD\r\nB7599AF48FC3124BE65856012A7C2DCB18BE579A\r\nSource: https://www.cybereason.com/blog/betabot-banking-trojan-neurevt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/betabot-banking-trojan-neurevt"
	],
	"report_names": [
		"betabot-banking-trojan-neurevt"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434586,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7f52ecfb66f0969bd3e0d8663eb15b8d32ed966.pdf",
		"text": "https://archive.orkl.eu/e7f52ecfb66f0969bd3e0d8663eb15b8d32ed966.txt",
		"img": "https://archive.orkl.eu/e7f52ecfb66f0969bd3e0d8663eb15b8d32ed966.jpg"
	}
}