Trojan.Rbot

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 4,998
Threat Level: 90 % (High)
Infected Computers: 5,498
First Seen: July 24, 2009
Last Seen: October 10, 2025
OS(es) Affected: Windows

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor Detection
Symantec Suspicious.Insight
Sophos Mal/Generic-L
McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.H!93
Ikarus Win32.SuspectCrc
eSafe Suspicious File
AVG Generic17.FPL
AntiVir Worm/Rbot.ilt
a-squared Win32.SuspectCrc!IK
Sophos Mal/VB-M
Prevx1 Cloaked Malware
McAfee potentially unwanted program Adware-Alexa
eSafe AdWare.Win32.AlexaBa
ClamAV Adware.Agent-1525
BitDefender BehavesLike:Win32.Malware
Avast Win32:Alexabar

File System Details

Trojan.Rbot may create the following file(s):
# File Name MD5 Detections
1. beifen.exe, fonts.exe, activex[1].exe ba81e990576001dc850590cab210fd17 0
2. CLADD 7ef4e74b68d156202418d4ee3a4db75f 0
3. setup18[1].exe,swchost.exe f4ffa38e7ca8060451bfc41c355eec40 0
4. regscan.exe f2ef52716791bc8696f95b57d15189eb 0
5. scvhost.exe bbed56ab574bfc7ee80dbee0700c3f25 0

Registry Details

Trojan.Rbot may create the following registry entry or registry entries:
Run keys
StormCodec_Helper

Analysis Report

General information

Family Name: Trojan.Rbot
Signature status: Root Not Trusted

Known Samples

MD5: c0d7542ca87de3c5ab1aa2939ec81a32
SHA1: a81fff1b699ece66baa480a34aa7455ba7b3c05d
SHA256: 8A2B37C69D0563F8CAE330FA0E699F9497DB5D42CAC922CDF9B4E49834FF5DAE
File Size: 178.11 KB, 178112 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Digital Signatures

Signer Root Status
Firefly Global, LLC AddTrust External CA Root Root Not Trusted

File Traits

  • x64

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\devmanview.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\devmanview64.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\driveruninstall_combined.cmd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsge542.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\uninstall.iss Generic Write,Read Attributes
c:\users\user\appdata\local\temp\uninstall_twain.iss Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 蟝囝㙕ǜ RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Shell Execute
  • CreateProcess
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetCharABCWidthsW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiGetDIBitsInternal
  • win32u.dll!NtGdiGetEntry
  • win32u.dll!NtGdiGetFontData
  • win32u.dll!NtGdiGetGlyphIndicesW
  • win32u.dll!NtGdiGetOutlineTextMetricsInternalW
  • win32u.dll!NtGdiGetRandomRgn
  • win32u.dll!NtGdiGetRealizationInfo
  • win32u.dll!NtGdiGetTextFaceW
  • win32u.dll!NtGdiGetTextMetricsW
  • win32u.dll!NtGdiGetWidthTable
  • win32u.dll!NtGdiHfontCreate
  • win32u.dll!NtGdiIntersectClipRect
  • win32u.dll!NtGdiQueryFontAssocInfo
  • win32u.dll!NtGdiRestoreDC
  • win32u.dll!NtGdiSaveDC
  • win32u.dll!NtGdiSelectBitmap
  • win32u.dll!NtGdiSetDIBitsToDeviceInternal
  • win32u.dll!NtGdiSetLayout

63 additional items are not displayed above.

Other Suspicious
  • AdjustTokenPrivileges

Shell Command Execution

"C:\Users\Ztfecmdq\AppData\Local\Temp\DriverUninstall_Combined.cmd"
C:\WINDOWS\system32\reg.exe reg Query "HKLM\Hardware\Description\System\CentralProcessor\0"
C:\WINDOWS\system32\find.exe find /i "x86"
C:\Users\Ztfecmdq\AppData\Local\Temp\devmanview64.exe "DevManView64.exe" /disable "Wireless Digital Microscope"
