Infostealer.Corebot
First posted on 09 September 2015.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Corebot.
Explanation:
When the Trojan is executed, it injects itself into the following process: svchost.exe
The Trojan then drops the following copy of itself: %UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe
The Trojan then deletes the initial executable.
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[GUID]" = "%UserProfile%\Application Data\Microsoft\[GUID]\[GUID].exe"
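A defender-side check for the persistence entry above, added here as an example and not part of the Symantec write-up: it flags Run values whose data is a GUID-named executable inside a same-GUID folder under Application Data\Microsoft, with the Run value name equal to that GUID. It also accepts the AppData\Roaming form that the Application Data junction resolves to on Vista and later (an assumption about what is worth flagging); the registry entries it is run over are constructed samples.

```python
import re

# GUID with optional braces, e.g. {01234567-89ab-cdef-0123-456789abcdef}
GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
# Profile root: the unexpanded %UserProfile% variable or an expanded profile path.
PROFILE = r"(?:%userprofile%|[a-z]:\\(?:documents and settings|users)\\[^\\]+)"
# "Application Data" as in the write-up; AppData\Roaming is what that junction
# resolves to on Vista and later (assumption: both spellings are worth flagging).
APPDATA = r"(?:application data|appdata\\roaming)"
DROP_PATH = re.compile(
    r"^" + PROFILE + r"\\" + APPDATA + r"\\microsoft\\"
    r"(?P<dir>" + GUID + r")\\(?P<exe>" + GUID + r")\.exe$",
    re.IGNORECASE,
)
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"

def _guid(s):
    """Normalise a GUID for comparison: drop quotes and braces, lower-case."""
    return s.strip().strip('"').strip("{}").lower()

def matches_corebot_persistence(key, value_name, value_data):
    """True if a single Run entry has the shape described for Infostealer.Corebot."""
    key = re.sub(r"^hkcu\\", r"hkey_current_user\\", key.strip().lower())
    if key != RUN_KEY:
        return False
    m = DROP_PATH.match(value_data.strip().strip('"'))
    if not m:
        return False
    # Folder, executable and value name must all carry the same GUID.
    return _guid(m.group("dir")) == _guid(m.group("exe")) == _guid(value_name)

def find_suspicious_run_entries(entries):
    """Return the value names of (key, name, data) entries matching the pattern."""
    return [name for key, name, data in entries
            if matches_corebot_persistence(key, name, data)]

# Constructed sample entries; not real artefacts from the write-up.
G1 = "{11111111-2222-3333-4444-555555555555}"
G2 = "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

def drop(folder, exe):
    """Build value data in the drop-path shape the write-up describes."""
    return '"%UserProfile%\\Application Data\\Microsoft\\' + folder + '\\' + exe + '.exe"'

SAMPLE_ENTRIES = [
    (HKCU_RUN, G1, drop(G1, G1)),  # Corebot shape: flagged
    (HKCU_RUN, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (HKCU_RUN, G2, drop(G2, G1)),  # folder and exe GUIDs differ: not flagged
    (HKLM_RUN, G1, drop(G1, G1)),  # write-up names HKCU only: not flagged
]
```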
Next, the Trojan connects to the following remote locations:
[http://]vincenzo-sorelli.com/cli[REMOVED]
http://[GENERATED BY DOMAIN GENERATION ALGORITHM].ddns.net
The Trojan then steals the following information from the compromised computer:
Email credentials
FTP credentials
Web money wallets
The Trojan can also download and execute additional plugins.
Last update 09 September 2015