Trojan:Win32/Betabot (also known as Neurevt) is a sophisticated password stealer, botnet agent, and banking trojan that gained infamy for its aggressive defense evasion and ability to disable antivirus software.
What is Betabot?
For users, Betabot operates stealthily, stripping their system of defenses while quietly harvesting credentials. For security analysts, Betabot is recognized as a modular threat that evolved from a simple password stealer into a robust botnet capable of DDoS attacks, USB propagation, and web injects. Its most defining characteristic is its aggressive User Account Control (UAC) bypass and systematic disabling of over 30 different security products.
Infection Vectors & Threat Hunting
Betabot is distributed via exploit kits, malicious spam (often disguised as Skype voice messages or invoices), and drive-by downloads. Upon execution, it presents the user with a fake Windows UAC prompt to elevate its privileges. Once elevated, it actively terminates processes related to Windows Defender, Malwarebytes, and other AV solutions. Threat hunters should look for sudden gaps in EDR telemetry or unexpected termination of security services. Betabot establishes persistence by injecting into explorer.exe and modifying the registry.
Forensic Analysis & Impact
The impact is comprehensive data theft, including FTP credentials, browser passwords, and banking sessions. Betabot also intercepts form data before it is encrypted via HTTPS. Incident responders should analyze network traffic for its HTTP-based C2 communications, which are often encrypted with RC4. Memory forensics is crucial to extract the injected core module and identify the C2 domains.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Privilege Escalation |
T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion |
T1055 | Process Injection | Defense Evasion |
T1185 | Browser Session Hijacking | Collection |
T1111 | Two-Factor Authentication Interception | Credential Access |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_BETABOT {
meta:
description = "Detects Betabot (rat)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "betabot" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Betabot Activity
id: 64f94800138b45c5e42bba232e4c9f3d
status: experimental
description: Detects generic indicators of the betabot malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*betabot*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/betabot.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.