Win64/GoBot2 [Threat Name]

Detection created2019-06-14
Short description

Win64/GoBot2 serves as a backdoor. It can be controlled remotely.


The trojan copies itself into the %windir%, %appdata% folder with variable name.

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­%variable1%]
    • "ID"
    • "INSTALL"
    • "NAME"
    • "VERSION"
    • "REMASTER""
    • "LAST"
    • "WATCHDOC"

The trojan schedules a task that causes the following file to be executed on every system start:

  • %malwarefilepath%

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • %variable2% = %malwarefilepath%

A string with variable content is used instead of %variable1-2% .


Win64/GoBot2 is a trojan that is spread via torrent files.

The trojan copies itself into the root folders of removable drives with variable name. The trojan creates the following files:

  • %removabledrive%\­AUTORUN.INF

The AUTORUN.INF file contains the path to the malware executable.

Information stealing

The trojan collects the following information:

  • computer IP address
  • network adapter information
  • user name
  • operating system version
  • CPU information
  • hardware information
  • installed software
  • installed antivirus software
  • screenshots
Payload information

Win64/GoBot2 attempts to gain administrative privileges on the system.

Trojan is able to bypass User Account Control (UAC).

The trojan may execute the following commands:

  • ipconfig
  • netsh
  • shutdown
  • systeminfo
  • ver
  • whoami
  • wmic

The trojan executes the following files:

  • uTorrent.exe
  • BitTorrent.exe

It may perform the following actions:

  • terminating processes
  • execute shell commands
  • install and execute applications
  • change the home page of web browser
  • shut down/restart the computer
  • show/hide application windows
  • set up a proxy server
  • set up an HTTP server
  • update itself to a newer version
  • remove itself from the infected computer
  • perform DoS/DDoS attacks
  • open a specific URL address
  • spread via removable drives
Other information

The HTTP, HTTPS protocol is used.

The trojan contains a URL address.

The trojan interferes with the operation of some security applications to avoid detection.

Trojan can detect presence of virtual environments and sandboxes.

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

Threat Variants with Description

Threat Variant Name Date Added Threat Type
Win64/GoBot2 2019-06-14 trojan

Please enable Javascript to ensure correct displaying of this content and refresh this page.