Adware Reports malware removal guides and threat research Updated security instructions for Windows users
Home/Malware
Threat report

Troj/Atbot-B removal guide

Published Mar 7, 2023 Malware category 3 min read
Report context

What to verify before removal

This report keeps Troj/Atbot-B removal guide in the active library because the detection has enough technical context to support a careful second-opinion scan and cleanup decision.

Start by comparing the local file name with 1573450571C365F06947.mlw, then review the behavior notes for persistence entries, dropped files, unusual processes, and browser or network changes. This helps separate a matching detection from a different file that only shares a similar alert name.

Observed file
1573450571C365F06947.mlw
  • Compare the suspicious file name with 1573450571C365F06947.mlw.
  • Confirm the detection name matches Troj/Atbot-B removal guide before removing related files.
  • Review the report for persistence entries, dropped files, unusual processes, and browser or network changes so the cleanup is based on observed behavior, not only the label.
  • Run a full scan, quarantine confirmed detections, and restart before signing back in to sensitive accounts.

The Troj/Atbot-B is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

What Troj/Atbot-B virus can do?

  • Behavioural detection: Executable code extraction – unpacking
  • Sample contains Overlay data
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Uses Windows utilities to create a scheduled task
  • Behavioural detection: Injection (Process Hollowing)
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • Deletes executed files from disk
  • Harvests cookies for information gathering
  • Attempts to interact with an Alternate Data Stream (ADS)
  • Anomalous binary characteristics
  • Uses suspicious command line tools or Windows utilities
  • Yara rule detections observed from a process memory dump/dropped files/CAPE

How to determine Troj/Atbot-B?



File Info:

name: 1573450571C365F06947.mlw
path: /opt/CAPEv2/storage/binaries/bbd29a175c3f954ea90552a9e0d18beb6366fd7613d9610c8b75660086128e2c
crc32: 363C5BD0
md5: 1573450571c365f06947839e4b795aee
sha1: 5f4cc123e6d95b4967623d80f2852abaa6eb710d
sha256: bbd29a175c3f954ea90552a9e0d18beb6366fd7613d9610c8b75660086128e2c
sha512: 5545ef5baebece23cd94ce8d8c2b0e59db6a24ebe338a82f7c6af8a416773b5003208343bba0a306cab891836cf85ca7989e326af787e5267ff720238869d7d7
ssdeep: 24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4ew:ObCjPKNqQEfsw43qtmVfq4F
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T146C5D0C5F2AA40E2DC123FF5582567C78B344E364B3840597BAB3D498F335E6C11AAB6
sha3_384: c130ad4f11d819b72908cf48cceb531dafecaf30d69c7e7b632b4cabc63f6a92220fe1679d600730c3564e7ceec56d09
ep_bytes: e837c20000e979feffffcccccccccccc
timestamp: 2010-01-15 16:09:54


Version Info:

Translation: 0x0409 0x04b0
CompanyName: Neil Hodgson neilh@scintilla.org
FileDescription: SciTE - a Scintilla based Text Editor
FileVersion: 1.75
InternalName: SciTE
LegalCopyright: Copyright 1998-2007 by Neil Hodgson
OriginalFilename: SciTE.EXE
ProductName: SciTE
ProductVersion: 1.75

Troj/Atbot-B also known as:

Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.65207131
FireEye Generic.mg.1573450571c365f0
McAfee GenericRXAA-FA!1573450571C3
Cylance unsafe
Sangfor Virus.Win32.Save.a
K7AntiVirus Trojan ( 005936091 )
Alibaba Trojan:Win32/autoit.ali2000008
K7GW Trojan ( 005936091 )
Cybereason malicious.571c36
VirIT Trojan.Win32.AutoIt.GD
Cyren W32/Autoit.JFHF-9022
Symantec ML.Attribute.HighConfidence
ESET-NOD32 MSIL/Spy.Agent.AGJ
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.Autoit-6996111-0
Kaspersky UDS:Trojan.Win32.Generic
BitDefender Trojan.GenericKD.65207131
Avast Win32:Evo-gen [Trj]
Tencent Trojan.Win32.Sabsik.haq
Sophos Troj/Atbot-B
F-Secure Trojan.TR/Agent.odipt
DrWeb Trojan.Siggen17.49996
VIPRE Trojan.GenericKD.65207131
TrendMicro TSPY_ATBOT.SMAR5
McAfee-GW-Edition BehavesLike.Win32.Generic.vm
Emsisoft Trojan.GenericKD.65207131 (B)
Ikarus Trojan.MSIL.Spy
GData Trojan.GenericKD.65207131
Jiangmin TrojanSpy.MSIL.cvgn
Google Detected
Avira TR/Agent.odipt
MAX malware (ai score=85)
Antiy-AVL Trojan/Autoit.Winmgr.a
Arcabit Trojan.Generic.D3E2FB5B
ZoneAlarm UDS:Trojan.Win32.Generic
Microsoft Trojan:Win32/Wacatac.B!ml
Cynet Malicious (score: 100)
AhnLab-V3 Spyware/Win.Atbot.R531437
Acronis suspicious
VBA32 Trojan.Autoit.Obfus
ALYac Trojan.GenericKD.65207131
Malwarebytes Backdoor.Bladabindi
TrendMicro-HouseCall TSPY_ATBOT.SMAR5
Rising Trojan.Obfus/Autoit!1.E083 (CLASSIC)
SentinelOne Static AI – Suspicious PE
MaxSecure Trojan.Malware.121218.susgen
Fortinet AutoIt/Packed.RN!tr
AVG Win32:Evo-gen [Trj]
Panda Trj/Genetic.gen
CrowdStrike win/malicious_confidence_100% (W)

How to remove Troj/Atbot-B?

Recommended second-opinion scan

Verify the infection before changing system settings

Use GridinSoft Anti-Malware to run a full scan, review detected persistence entries, and quarantine confirmed threats before restarting Windows.

Download GridinSoft Anti-Malware
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.