Corebot Modular Trojan: Malware Analysis

Goal: Dissect modular Corebot banking Trojan with its DGA, rootkit, Powershell, runas, screenshot, process injection into svchost in SUSPENDED_MODE, and other modules.

SHA-1: f923923e7af017e77e80d57578cfd88b990ce1e5
SHA-256: 0ce3290ed92979a5f13fbb799d7128e9dbc579e3f1bea3b560551a73f482de8f
imphash: 63c53219cb193f80ff22f173a8ffef05
Size: 640.0 KB (655361 bytes)

Static Analysis: Corebot 
PDB: .rdata:00D14278 C:\\work\\itco\\core\\bin\\x86\\Release\\core[.]pdb\
Timestamp: Wed Oct 14 07:56:42 2015

Inject functions:

Powershell module (powershell[.]exe -NonInteractive -NoProfile -NoLogo -ExecutionPolicy Unrestricted -File “%s” via “cmd mode con cols=4000 line s=1000”):

Self-deletion batch script:

Runas as explorer[.]exe module:

User-mode rootkit module -> “\\\\.\\PhysicalDrive0”:

Xfer from the user-mode rootkit module routine:

DGA seed algorithm:

Create a process %WINDIR%\System32\svchost[.]exe with the CREATE_SUSPENDED flag. The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called.

Red Flags:
  • The file modifies the registry
  • The file references Alternate Data Stream (ADS)
  • The file is scored (40/54) by VirusTotal
  • The file references the Remote Desktop Session Host Server
  • The file references the Windows Native API
  • The file references the Security Descriptor Definition Language (SDDL)
  • The file references the Service Control Manager (SCM)
  • The file references the Desktop window
  • The file references the Windows Cryptographic interface
  • The file references the Windows Debug Helper interface
  • The file queries for files and streams
  • The file references the Event Log
  • The file references Inter-Process Communication (IPC)
  • The file references the Domain Name System (DNS) API 
  • The file references data on a Socket
  • The file references the RPC Network Data Representation (NDR) Engine
  • The file opts for Address Space Layout Randomization (ASLR)
  • The file opts for cookies on the stack (GS)
  • The file imports 2 decorated symbol(s)
  • The file has no Version
  • The file does not contain a digital certificate
  • The file checksum (0x00000000) is invalid
  • The debug file name (core[.]pdb) is different than the file name (corebot[.]exe)
Dynamic Analysis: Corebot


  • ::62DFDF4F-C9F7-4416-9688-41C7791D0C33  
  • {F4EE296B-9B08-4B04-8443-7E76A45FE740}

Process Analysis Log:
  • Process: svchost[.]exe
  • Size: 14336 Bytes
  • MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18


Monitored RegKeys
Path -> Value *
Path: HKCU\Software\Microsoft\Windows\CurrentVersion\Run –> Value: 1932a393-6ee2-a084-05de-868ddc92d287=C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\46604e10-2147-a135-0a93-c63f477cff8d\272f38ca-8023-4abc-a8f7-91009ce205a7[.]exe

Domain Generation Algorithm (DGA) resolution ending in *ddns[.]net:

Other bot information collector procedure forming request:
  • os_version
  • version
  • process_name
  • os_version_short
  • volume_sn
  • country_name
  • lang_name
  • default_browser
  • os_arch
  • is_admin
  • is_admin_group

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 20.0px; font: 13.0px ‘Helvetica Neue’; color: #333333; -webkit-text-stroke: #333333} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 20.0px; font: 13.0px ‘Helvetica Neue’; color: #777777; -webkit-text-stroke: #777777} p.p3 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 20.0px; font: 13.0px ‘Helvetica Neue’; color: #333333; -webkit-text-stroke: #333333; min-height: 15.0px} p.p4 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Helvetica; color: #000000; -webkit-text-stroke: #000000; min-height: 13.0px} p.p5 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Helvetica; color: #000000; -webkit-text-stroke: #000000} span.s1 {font-kerning: none} span.s2 {text-decoration: underline ; font-kerning: none} span.Apple-tab-span {white-space:pre}

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: