Win32/Corebot.F [Threat Variant Name]

Category trojan
Size 516096 B
Aliases Trojan.Win32.Refinka.pbs (Kaspersky)
Short description

Win32/Corebot.F serves as a backdoor. It can be controlled remotely. The trojan collects various sensitive information.


The trojan does not create any copies of itself.

The trojan can create and run a new thread with its own program code within the following processes:

  • %system%\svchost.exe
  • %system%\dllhost.exe

The trojan may delete the following files:

  • %malwarefilepath%

Information stealing

Win32/Corebot.F is a trojan that steals sensitive information.

The trojan collects the following information:

  • user name
  • operating system version
  • country
  • language settings
  • computer name
  • display resolution
  • volume serial number
  • CPU information
  • amount of operating memory
  • malware version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (1) IP addresses. The TCP and SSL protocols are used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send gathered information

The trojan keeps various information in the following files:

  • %localappdata%\%variable1%\container.dat
  • %localappdata%\%variable1%\container.dat.tmp
  • %localappdata%\%variable1%\transport
  • %localappdata%\%variable1%\%variable2%\38e5d161-f6c8-43ba-9fe8-f1301b7b08b6
  • %localappdata%\%variable1%\%variable2%\%variable3%

%variable1% to %variable3% stand for strings with variable content.
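Because the directory names around these artifacts vary per infection, a fixed-path check is not enough; a responder instead walks %LOCALAPPDATA% and matches on the file names and nesting depth the entry gives. The following script is an added example written for this page (it is not ESET's code): it builds a constructed directory layout that imitates the listing above, with some benign noise, and reports which files match. The directory names x7q2k and a91z are constructed stand-ins for %variable1% and %variable2%; the unnamed %variable3% file cannot be matched by name and is deliberately not covered.

```python
"""Triage scan for the on-disk artifacts listed for Win32/Corebot.F.

Added example, not ESET's code. It looks under a %LOCALAPPDATA%-like root for:
  <var1>/container.dat
  <var1>/container.dat.tmp
  <var1>/transport
  <var1>/<var2>/38e5d161-f6c8-43ba-9fe8-f1301b7b08b6
where <var1> and <var2> are unknown, variable directory names.
"""
import os
import tempfile
from pathlib import Path

# File names quoted in the entry (lower-case for case-insensitive matching).
ARTIFACT_NAMES = {
    "container.dat",
    "container.dat.tmp",
    "transport",
    "38e5d161-f6c8-43ba-9fe8-f1301b7b08b6",
}
# Number of path components below the root at which the entry places each file.
EXPECTED_DEPTH = {
    "container.dat": 2,
    "container.dat.tmp": 2,
    "transport": 2,
    "38e5d161-f6c8-43ba-9fe8-f1301b7b08b6": 3,
}


def find_corebot_artifacts(localappdata):
    """Return a sorted list of (relative_path, reason) for listed file names.

    A listed name at the depth the entry describes is reported as "match".
    The same name at another depth is still reported, as "name-only", so an
    analyst can review it rather than have it silently dropped.
    """
    root = Path(localappdata)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            key = name.lower()
            if key not in ARTIFACT_NAMES:
                continue
            rel = Path(dirpath, name).relative_to(root)
            reason = "match" if len(rel.parts) == EXPECTED_DEPTH[key] else "name-only"
            hits.append((rel.as_posix(), reason))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed %LOCALAPPDATA% layout for demonstration and return it.

    The layout is invented for this example: one subtree shaped like the
    listing, plus a legitimate-looking application directory as noise.
    """
    base = Path(tempfile.mkdtemp(prefix="corebot-demo-"))
    infected = base / "x7q2k"                 # stands in for %variable1%
    (infected / "a91z").mkdir(parents=True)   # stands in for %variable2%
    for fname in ("container.dat", "container.dat.tmp", "transport"):
        (infected / fname).write_bytes(b"\x00" * 16)
    (infected / "a91z" / "38e5d161-f6c8-43ba-9fe8-f1301b7b08b6").write_bytes(b"\x00")
    # Benign noise: an unrelated app that also uses a file called "transport",
    # but one level deeper than the entry describes.
    (base / "SomeApp" / "cache").mkdir(parents=True)
    (base / "SomeApp" / "cache" / "transport").write_text("ok")
    (base / "SomeApp" / "settings.json").write_text("{}")
    return base


if __name__ == "__main__":
    # On a real host you would pass os.environ["LOCALAPPDATA"] instead.
    demo_root = build_sample_tree()
    for path, reason in find_corebot_artifacts(demo_root):
        print(f"{reason:9} {path}")
```

On a live system the scan should run against every user profile's %LOCALAPPDATA%, not only the current one, since the injection into svchost.exe and dllhost.exe described above means the process list alone is a weak indicator.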

The trojan may display a fake error message:

The message is intended to deceive the user into approving a privilege elevation, allowing the trojan to bypass User Account Control (UAC).

