Home Malware Programs Trojans CoreBot


Posted: September 1, 2015

Threat Metric

Ranking: 17,207
Threat Level: 8/10
Infected PCs: 8,588
First Seen: September 1, 2015
Last Seen: August 26, 2023
OS(es) Affected: Windows

CoreBot is a backdoor Trojan responsible for attacks collecting information, such as data for logging into your online accounts. Recently spotted targeting systems in the business sector, CoreBot may be distributing itself through disguised e-mail attachments or Web links. Deleting CoreBot is a high-priority task for any PC owner, and always should be undergone with assistance from reliable anti-malware products or a PC security professional.

Getting to the Core of Why You've Lost Passwords

Recently intercepted for analysis by IBM security features, CoreBot is another threat that supplements its attacks with an expandable, modular structure, similar to the Dyranges banking Trojan or the Uroburos rootkit. Unlike these threats, CoreBot is a relatively down to earth, unsophisticated backdoor Trojan that lacks any specialized features. However, this categorization doesn't reduce the degree of danger from CoreBot infections, which represent all of the usual hazards of a backdoor Trojan campaign.

CoreBot samples originally were caught during attempted attacks against corporate targets, most likely transmitted via misleading e-mail messages. A standard Trojan dropper tried to enable CoreBot's installation routine. Svchost.exe, a standard Windows component, was exploited for installing CoreBot, which modified the Registry for enabling its automatic startup. CoreBot then initiates contact with a Command & Control server, using a semi-randomized domain list to confuse its communications while acquiring new commands.

CoreBot structures itself on modules that allow itself to broaden its feature set on a case-by-case basis. The attacks known thus far have used the Stealer module, which may collect passwords from Web browsers, FTP managers, digital currency wallets and other applications. Unlike a dedicated banking Trojan, CoreBot's Stealer module has shown itself incapable of collecting data from your browser during the time of the data's transmission (AKA, real-time data interception). However, CoreBot does scan for saved passwords in standard locations.

Dismantling the Latest Trojan Bot

Blocking CoreBot's Internet accessibility is one recommended step on the way to removing this threat from your system. Besides downloading other threats, including modules for its personal use, CoreBot also may update its capabilities. As with its installation, CoreBot subverts a standard Windows component for these activities: the PowerShell automated task app. Removing CoreBot shouldn't entail removing all Windows tools exploited by CoreBot, but you should scan your Registry, as well as your hard drive, for unwanted modifications related to this Trojan.

Although, ideally, PC security solutions should detect CoreBot by a specific threat entry, some anti-malware products may identify CoreBot by a heuristic (or generic, behavior-based) name. Any possibility of a CoreBot infection always should be resolved with thorough anti-malware scans of the affected system, along with any other systems exposed via local networks or vulnerable storage devices. However, proper attention to security at common infection vectors, such as e-mail traffic should let your anti-malware tools catch all associated threats so that removing CoreBot never is needed.

Finally, proper precautions should be taken for cleaning up any protected information leaks resulting from CoreBot infections, which may harvest anything from customer profiles to confidential insider trading records.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

file.exe File name: file.exe
Size: 163.84 KB (163840 bytes)
MD5: a85495108f27c122c3922db8ba27fa21
Detection count: 98
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: July 2, 2017
file.exe File name: file.exe
Size: 284.51 KB (284514 bytes)
MD5: 89464e2f384c5d96d052b398ad3ae7b4
Detection count: 75
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 6, 2017
file.exe File name: file.exe
Size: 164.35 KB (164352 bytes)
MD5: 33ddcae9c1db266101b9e12fec97ec38
Detection count: 55
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 27, 2017
file.exe File name: file.exe
Size: 138.75 KB (138752 bytes)
MD5: ce890607d0f0581a1afc9b3a8f6e012d
Detection count: 45
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 17, 2016
%LOCALAPPDATA%\Microsoft\20f65a9b-736a-3b6d-bcdb-a7569e5e7a28\1a77e22e-90bd-4ff2-9f8f-842f00727c5f.exe File name: 1a77e22e-90bd-4ff2-9f8f-842f00727c5f.exe
Size: 337.92 KB (337920 bytes)
MD5: 067ef28f3f65d287701062ae63e8411d
Detection count: 39
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Microsoft\20f65a9b-736a-3b6d-bcdb-a7569e5e7a28
Group: Malware file
Last Updated: March 17, 2016

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask%WINDIR%\System32\drivers\butldsk.sysHKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}{4A83FAC8-C8C2-416C-BDB9-91ABA9467A2E}

Additional Information

The following directories were created: