Betabot

Category: rat · Aliases: None known · Sample count (EMBER 2018): 3 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Betabot (also known as Neurevt) is a sophisticated password stealer, botnet agent, and banking trojan that gained infamy for its aggressive defense evasion and ability to disable antivirus software.

What is Betabot?
For users, Betabot operates stealthily, stripping their system of defenses while quietly harvesting credentials. For security analysts, Betabot is recognized as a modular threat that evolved from a simple password stealer into a robust botnet capable of DDoS attacks, USB propagation, and web injects. Its most defining characteristic is its aggressive User Account Control (UAC) bypass and systematic disabling of over 30 different security products.

Infection Vectors & Threat Hunting
Betabot is distributed via exploit kits, malicious spam (often disguised as Skype voice messages or invoices), and drive-by downloads. Upon execution, it presents the user with a fake Windows UAC prompt to elevate its privileges. Once elevated, it actively terminates processes related to Windows Defender, Malwarebytes, and other AV solutions. Threat hunters should look for sudden gaps in EDR telemetry or unexpected termination of security services. Betabot establishes persistence by injecting into explorer.exe and modifying the registry.

Forensic Analysis & Impact
The impact is comprehensive data theft, including FTP credentials, browser passwords, and banking sessions. Betabot also intercepts form data before it is encrypted via HTTPS. Incident responders should analyze network traffic for its HTTP-based C2 communications, which are often encrypted with RC4. Memory forensics is crucial to extract the injected core module and identify the C2 domains.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1548.002Abuse Elevation Control Mechanism: Bypass User Account ControlPrivilege Escalation
T1562.001Impair Defenses: Disable or Modify ToolsDefense Evasion
T1055Process InjectionDefense Evasion
T1185Browser Session HijackingCollection
T1111Two-Factor Authentication InterceptionCredential Access

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_BETABOT {
    meta:
        description = "Detects Betabot (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "betabot" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Betabot Activity
id: 64f94800138b45c5e42bba232e4c9f3d
status: experimental
description: Detects generic indicators of the betabot malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*betabot*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Immediately isolate the endpoint from the network to halt the exfiltration of passwords and banking credentials.
  2. Do not trust the local AV on the infected machine, as Betabot's primary function is to blind or permanently corrupt security software.
  3. Utilize an offline bootable AV scanner or EDR memory analysis to locate and eradicate the Betabot payload from <code>explorer.exe</code>.
  4. Force a global password reset for the user, paying special attention to FTP and VPN credentials often targeted by Betabot.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Avoid attempting to manually restart stopped AV services; Betabot uses a watchdog process to immediately terminate them again.
  2. Do not rely on standard user-level permissions to protect the system; Betabot's social engineering UAC bypass is highly effective at gaining SYSTEM privileges.

References & External Analysis

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/betabot.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.