Malware

About “Troj/Atbot-B” infection

Malware Removal

Troj/Atbot-B is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to complete a scan and cure your PC during the trial period.
6-day free trial available.

What can the Troj/Atbot-B virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • Sample contains Overlay data
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Uses Windows utilities to create a scheduled task
  • Behavioural detection: Injection (Process Hollowing)
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • Deletes executed files from disk
  • Attempts to interact with an Alternate Data Stream (ADS)
  • Anomalous binary characteristics
  • Uses suspicious command line tools or Windows utilities
  • Yara rule detections observed from a process memory dump/dropped files/CAPE

How to identify Troj/Atbot-B?

File Info:

name: 5AB2523087C74EA2D78F.mlw
path: /opt/CAPEv2/storage/binaries/c98961bed829442aede8b346aa863e7bed5f9cc6c58a112f0be29b3f16e4023e
crc32: E369648C
md5: 5ab2523087c74ea2d78f2fe3c7f122e5
sha1: bc8385085d0ba760f4644ba1a0fbaff4c210b949
sha256: c98961bed829442aede8b346aa863e7bed5f9cc6c58a112f0be29b3f16e4023e
sha512: 325069ff16a7bb29681257258443d67972508296869335d72f0696444ad6d77aefab5c6825ee4b13b06a5e81e3a0c246cfd7dad6353b7e3aa3cf056dfc053641
ssdeep: 24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4e+:ObCjPKNqQEfsw43qtmVfq4N
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T142C5D0C5F2AA40E2DC123FF5582567C78B344E364B3840597BAB3D498F335E6C11AAB6
sha3_384: 9be225a4f0a863e527eb1a3a2a0222367b6350cb91d8e48b88632b3c454fbeaa8a62eca2a61543b0af5c5e92572e7bed
ep_bytes: e837c20000e979feffffcccccccccccc
timestamp: 2010-01-15 16:09:54

Version Info:

Translation: 0x0409 0x04b0
CompanyName: Neil Hodgson neilh@scintilla.org
FileDescription: SciTE - a Scintilla based Text Editor
FileVersion: 1.75
InternalName: SciTE
LegalCopyright: Copyright 1998-2007 by Neil Hodgson
OriginalFilename: SciTE.EXE
ProductName: SciTE
ProductVersion: 1.75

Troj/Atbot-B also known as:

MicroWorld-eScan: Trojan.GenericKD.65207131
ClamAV: Win.Trojan.Autoit-6996111-0
FireEye: Generic.mg.5ab2523087c74ea2
McAfee: GenericRXAA-FA!5AB2523087C7
Malwarebytes: Backdoor.Bladabindi
Sangfor: Virus.Win32.Save.a
K7AntiVirus: Trojan ( 005936091 )
K7GW: Trojan ( 005936091 )
CrowdStrike: win/malicious_confidence_100% (D)
VirIT: Trojan.Win32.AutoIt.GD
Cyren: W32/Autoit.JFHF-9022
Symantec: Bloodhound.Malautoit
Elastic: malicious (high confidence)
ESET-NOD32: MSIL/Spy.Agent.AGJ
APEX: Malicious
Cynet: Malicious (score: 100)
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Trojan.GenericKD.65207131
Avast: Win32:Evo-gen [Trj]
Tencent: Trojan.Win32.Sabsik.haq
Emsisoft: Trojan.GenericKD.65207131 (B)
F-Secure: Trojan.TR/Agent.odipt
DrWeb: Trojan.Siggen17.49996
VIPRE: Trojan.GenericKD.65207131
TrendMicro: TSPY_ATBOT.SMAR5
McAfee-GW-Edition: BehavesLike.Win32.Generic.vm
Sophos: Troj/Atbot-B
Ikarus: Trojan.MSIL.Spy
Jiangmin: Trojan.Script.aawu
Avira: TR/Agent.odipt
Antiy-AVL: Trojan/Autoit.Winmgr.a
Arcabit: Trojan.Generic.D3E2FB5B
ZoneAlarm: VHO:Trojan-Spy.MSIL.BitCoin.gen
GData: Trojan.GenericKD.65207131
Google: Detected
AhnLab-V3: Spyware/Win.Atbot.R531437
VBA32: Trojan.Autoit.Obfus
ALYac: Trojan.GenericKD.65207131
MAX: malware (ai score=89)
Cylance: unsafe
TrendMicro-HouseCall: TSPY_ATBOT.SMAR5
Rising: Trojan.Obfus/Autoit!1.E083 (CLASSIC)
SentinelOne: Static AI – Suspicious PE
Fortinet: AutoIt/Packed.RN!tr
AVG: Win32:Evo-gen [Trj]
DeepInstinct: MALICIOUS

How to remove Troj/Atbot-B?

Troj/Atbot-B removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.