Win64/GoBot2 [Threat Name]
| Detection created | 2019-06-14 |
Short description
Win64/GoBot2 serves as a backdoor. It can be controlled remotely.
Installation
The trojan copies itself into the %windir%, %appdata% folder with variable name.
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\%variable1%]
- "ID"
- "INSTALL"
- "NAME"
- "VERSION"
- "REMASTER""
- "LAST"
- "WATCHDOC"
The trojan schedules a task that causes the following file to be executed on every system start:
- %malwarefilepath%
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- %variable2% = %malwarefilepath%
A string with variable content is used instead of %variable1-2% .
Spreading
Win64/GoBot2 is a trojan that is spread via torrent files.
The trojan copies itself into the root folders of removable drives with variable name. The trojan creates the following files:
- %removabledrive%\AUTORUN.INF
The AUTORUN.INF file contains the path to the malware executable.
Information stealing
The trojan collects the following information:
- computer IP address
- network adapter information
- user name
- operating system version
- CPU information
- hardware information
- installed software
- installed antivirus software
- screenshots
Payload information
Win64/GoBot2 attempts to gain administrative privileges on the system.
Trojan is able to bypass User Account Control (UAC).
The trojan may execute the following commands:
- ipconfig
- netsh
- shutdown
- systeminfo
- ver
- whoami
- wmic
The trojan executes the following files:
- uTorrent.exe
- BitTorrent.exe
It may perform the following actions:
- terminating processes
- execute shell commands
- install and execute applications
- change the home page of web browser
- shut down/restart the computer
- show/hide application windows
- set up a proxy server
- set up an HTTP server
- update itself to a newer version
- remove itself from the infected computer
- perform DoS/DDoS attacks
- open a specific URL address
- spread via removable drives
Other information
The HTTP, HTTPS protocol is used.
The trojan contains a URL address.
The trojan interferes with the operation of some security applications to avoid detection.
Trojan can detect presence of virtual environments and sandboxes.
The trojan terminates its execution if it detects that it's running in a specific virtual environment.
Threat Variants with Description
| Threat Variant Name | Date Added | Threat Type | |
| Win64/GoBot2 | 2019-06-14 | trojan |