Win64/Yebot [Threat Name]

Win64/Yebot.AB [Threat Variant Name]

Category trojan
Size 141312 B
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.

Installation

The trojan does not create any copies of itself.


The trojan may create the following files:

  • %userprofile%\%variable1%.exe

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%userprofile%\%variable1%.exe"

This causes the trojan to be executed at every interactive user logon; because the Run key sits under HKEY_LOCAL_MACHINE, it applies to every user of the machine.


The trojan modifies the following file:

  • %windir%\System32\ActionQueue.dll

Malicious code is executed every time an infected DLL is loaded.


The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • csrss.exe
  • firefox.exe
  • iexplore.exe
  • java.exe
  • jusched.exe
  • lsass.exe
  • opera.exe
  • safari.exe
  • svchost.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0
    • "ConsentPromptBehaviorAdmin" = 5
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "AllowMultipleTSSessions" = 1
    • "AutoAdminLogon" = "1"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    • "fDenyTSConnections" = 0
    • "fEnableSalem" = 0
    • "AllowTSConnections" = 1
    • "AllowRemoteRPC" = 1
    • "fSingleSessionPerUser" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
    • "MaxInstanceCount" = 4294967295
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
    • "EnableConcurrentSessions" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "NoProtectedModeBanner" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MedLow]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Medium]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Low]
    • "1208" = 0
    • "1406" = 0
    • "1609" = 0
    • "2103" = 0
    • "2500" = 3
  • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
    • "(Default)" = "."
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\%variable2%]

Taken together, these values prepare the host for unattended remote access. "EnableLUA" = 0 turns User Account Control off ("ConsentPromptBehaviorAdmin" = 5 is the Windows default and has no effect once UAC is disabled). "fDenyTSConnections" = 0 enables Remote Desktop, and "fSingleSessionPerUser" = 0, "AllowMultipleTSSessions", "EnableConcurrentSessions" and "MaxInstanceCount" = 0xFFFFFFFF allow RDP sessions to run concurrently with the console user; "AutoAdminLogon" = "1" logs a user on automatically at boot. In the Internet Explorer zone settings, "2500" = 3 turns Protected Mode off, and "1208", "1406", "1609" and "2103" set to 0 allow previously unused ActiveX controls, cross-domain data access, mixed content and script-driven status bar updates without a prompt; "NoProtectedModeBanner" hides the notice that Protected Mode is off. Setting the Explorer "Navigating" sound to "." silences the navigation click. An entry under SpecialAccounts\UserList hides the named account from the Windows logon screen.

The following services are disabled:

  • MsMpSvc (Microsoft Antimalware Service, used by Microsoft Security Essentials and Forefront Endpoint Protection)
  • WinDefend (Windows Defender)

A string with variable content is used instead of %variable1-2%.
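
The following host-triage script is an added example, not code from the ESET entry. It checks a Windows host for the persistence, registry, file and service changes listed above. It assumes Windows PowerShell 5.1 or later running elevated on a 64-bit host; the "clean" default values quoted in its comments and the C:\Users\<name> profile layout it uses to match %userprofile% are the author's assumptions, not facts from the entry.

```powershell
# Added host-triage script, not code from the ESET entry: checks a Windows host
# for the persistence, registry, file and service changes listed above.
# Assumptions: Windows PowerShell 5.1+, elevated, 64-bit host; the "clean"
# defaults in comments and the C:\Users\<name> layout for %userprofile% are
# the author's assumptions.

$Findings = New-Object System.Collections.Generic.List[string]

# Read one value as a string. DWORDs surface as signed Int32, so the trojan's
# MaxInstanceCount of 4294967295 reads back as -1 unless normalized.
function Get-RegData {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $v = $item.$Name
    if ($v -is [int]) { $v = [uint32]([int64]$v -band 0xFFFFFFFF) }
    return "$v"
}

# Record a finding when the value on the host equals what the trojan writes.
function Test-Indicator {
    param([string]$Path, [string]$Name, $Written, [string]$Why)
    $actual = Get-RegData -Path $Path -Name $Name
    if ($null -ne $actual -and $actual -eq "$Written") {
        $Findings.Add("[REG] $Path\$Name = $actual ($Why)")
    }
}

$Pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Wlg = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$TS  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# UAC and Remote Desktop. ConsentPromptBehaviorAdmin = 5 is the Windows default
# and is skipped: it only matters while EnableLUA is 1.
Test-Indicator $Pol 'EnableLUA' 0 'UAC disabled'
Test-Indicator $Wlg 'AutoAdminLogon' 1 'automatic logon; inspect DefaultUserName beside it'
Test-Indicator $Wlg 'AllowMultipleTSSessions' 1 'multiple terminal sessions'
Test-Indicator $TS 'fDenyTSConnections' 0 'RDP enabled (client SKUs default to 1)'
Test-Indicator $TS 'fSingleSessionPerUser' 0 'concurrent RDP sessions per user'
Test-Indicator $TS 'AllowRemoteRPC' 1 'remote RPC to Terminal Services'
Test-Indicator "$TS\Licensing Core" 'EnableConcurrentSessions' 1 'concurrent-session value'
Test-Indicator "$TS\WinStations\RDP-Tcp" 'MaxInstanceCount' 4294967295 'unlimited RDP-Tcp instances'

# HKCU in an elevated shell is the administrator's hive, not the victim's, so
# walk every loaded user hive under HKEY_USERS instead.
$UserHives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+\d$' }
foreach ($hive in $UserHives) {
    $U  = "Registry::$($hive.Name)"
    $IS = "$U\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    Test-Indicator "$U\Software\Microsoft\Internet Explorer\Main" 'NoProtectedModeBanner' 1 'Protected Mode warning hidden'
    # Zone 3 (Internet) and 4 (Restricted) run with Protected Mode on (2500 = 0)
    # by default, so 2500 = 3 there is the strongest of the zone indicators.
    foreach ($z in 3, 4) {
        foreach ($k in "Zones\$z", "Lockdown_Zones\$z") {
            Test-Indicator "$IS\$k" '2500' 3 "IE Protected Mode off in $k"
            Test-Indicator "$IS\$k" '1406' 0 "cross-domain data access allowed in $k"
        }
    }
}

# Run value pointing at an .exe that sits directly in a profile root.
$Run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($Run) {
    foreach ($p in @($Run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ("$($p.Value)" -match '^"?[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe"?\s*$') {
            $Findings.Add("[RUN] $($p.Name) = $($p.Value) (executable in profile root)")
        }
    }
}

# Anything under SpecialAccounts\UserList hides that account from the logon screen.
$UL = "$Wlg\SpecialAccounts\UserList"
if (Test-Path $UL) {
    Get-ChildItem -Path $UL | ForEach-Object { $Findings.Add("[USERLIST] subkey $($_.PSChildName)") }
    (Get-ItemProperty -Path $UL).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $Findings.Add("[USERLIST] value $($_.Name) = $($_.Value)") }
}

# A patched system DLL no longer matches its Authenticode/catalog signature.
$Dll = Join-Path $env:windir 'System32\ActionQueue.dll'
if (Test-Path $Dll) {
    $Sig = Get-AuthenticodeSignature -FilePath $Dll
    if ($Sig.Status -ne 'Valid') {
        $Findings.Add("[FILE] $Dll signature $($Sig.Status); confirm with sfc /verifyfile=$Dll")
    }
}

# Defender / MSE service state. Third-party AV disables WinDefend legitimately,
# so treat this as corroboration, not proof.
foreach ($svc in Get-Service -Name WinDefend, MsMpSvc -ErrorAction SilentlyContinue) {
    if ($svc.StartType -eq 'Disabled' -or $svc.Status -ne 'Running') {
        $Findings.Add("[SVC] $($svc.Name) StartType=$($svc.StartType) Status=$($svc.Status)")
    }
}

if ($Findings.Count -eq 0) { 'No Win64/Yebot.AB host indicators found.' } else { $Findings }
```

Each finding is printed with the path, the value read and why it matters, so the output can be pasted into a case note. On Windows 7, Get-AuthenticodeSignature reports catalog-signed system files as NotSigned, so the DLL check there should be treated as a prompt to run sfc /verifyfile rather than as a result on its own; the same caveat applies to any host where a third-party product replaces Windows Defender.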

Other information

The trojan serves as a backdoor. It can be controlled remotely.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (3) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots

The trojan opens TCP port 8000. A proxy is listening there.
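
The following network-triage script is an added example, not code from the ESET entry. It attributes TCP port 8000 to its owning process and lists any listening socket owned by one of the processes the trojan injects into. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated shell so process paths are readable; the split of the injection targets into processes that may legitimately listen (svchost.exe, java.exe) and processes that should never own a listening socket is the author's assumption.

```powershell
# Added network-triage script, not code from the ESET entry: attributes TCP
# port 8000 to its owning process and flags listeners owned by the trojan's
# injection targets. Assumptions: Windows 8 / Server 2012+ (Get-NetTCPConnection),
# elevated shell; treating svchost.exe and java.exe as the only targets that
# may legitimately listen is the author's assumption.

$ProxyPort = 8000
$InjectionTargets = 'chrome.exe', 'csrss.exe', 'firefox.exe', 'iexplore.exe',
                    'java.exe', 'jusched.exe', 'lsass.exe', 'opera.exe',
                    'safari.exe', 'svchost.exe'
$NeverListen = $InjectionTargets | Where-Object { $_ -notin 'svchost.exe', 'java.exe' }

# One record per listening socket (all ports when -Port is 0), joined to the
# owning process. The trojan runs inside a legitimate image, so the image name
# alone proves nothing; the pairing of image and port is the signal.
function Get-ListenerInfo {
    param([int]$Port = 0)
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Port -eq 0 -or $_.LocalPort -eq $Port } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                Image        = if ($proc) { "$($proc.Name).exe".ToLower() } else { '<exited>' }
                Path         = if ($proc) { $proc.Path } else { $null }
            }
        }
}

# 1. Who owns the proxy port?
$OnPort = @(Get-ListenerInfo -Port $ProxyPort)
if ($OnPort.Count -eq 0) {
    "No listener on TCP $ProxyPort."
}
foreach ($l in $OnPort) {
    $tag = if ($l.Image -in $InjectionTargets) { 'SUSPECT: injection target' } else { 'review' }
    "TCP $($l.LocalAddress):$($l.LocalPort) pid $($l.Pid) $($l.Image) [$tag] $($l.Path)"
}

# 2. Listeners on any port owned by a process that has no business accepting
#    connections. The injected host process is a more stable indicator than
#    the port number (assumption: another build could pick a different port).
Get-ListenerInfo |
    Where-Object { $_.Image -in $NeverListen } |
    ForEach-Object { "SUSPECT: $($_.Image) pid $($_.Pid) listening on $($_.LocalAddress):$($_.LocalPort)" }
```

On Windows 7, where Get-NetTCPConnection does not exist, the same attribution can be built from the PID column of netstat -ano. A listener owned by lsass.exe, csrss.exe or a browser is worth a memory capture of that process before it is terminated, since the injected code has no backing file on disk.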


The trojan keeps various information in the following Registry key:

  • [HKEY_USERS\Registry\User\%user%\SOFTWARE\Classes\CLSID\{%variable%}]

A string with variable content is used instead of %variable%.


The trojan hooks the following Windows APIs:

  • BaseSetProcessCreateNotify (basesrv.dll)
  • CreateProcessInternalW (kernel32.dll)
  • ExitWindowsEx (user32.dll)
  • MessageBoxTimeoutW (user32.dll)
  • RegisterServiceCtrlHandlerW (advapi32.dll)
  • RegisterServiceCtrlHandlerW (sechost.dll)
  • TranslateMessage (user32.dll)
