{
	"id": "0aea1bd5-2c73-40a4-93f8-9aed96d66cc9",
	"created_at": "2026-04-06T00:17:49.25998Z",
	"updated_at": "2026-04-10T13:12:52.062011Z",
	"deleted_at": null,
	"sha1_hash": "8648a638a01c9fca5b8c1d9c394757f4e124e64f",
	"title": "Gheg: Marshal8e6",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42329,
	"plain_text": "Gheg: Marshal8e6\r\nArchived: 2026-04-05 22:54:42 UTC\r\nMarch 17, 2009\r\nAliases\r\nTofsee\r\nMondera\r\nComments\r\nGheg, also known as Tofsee or Mondera, came across our radar in October 2008. It is not as sophisticated as some of the other bots, like Rustock or Srizbi; for example, it does not use a rootkit to hide itself. But it does a reasonable job of sending spam, at approximately 7,000 messages per hour per bot, using a template-based spamming engine. Gheg tends to concentrate on pharmaceutical spam, using an Outlook Express template formatted in either plaintext or HTML.\r\nFeatures\r\nTemplate-based spamming engine\r\nUses port 443 (the SSL port) to send and receive encrypted commands and spam templates and to download executable files.\r\nSpamming Rate\r\n7,000 msgs per hour per bot\r\nCommand and Control\r\nThe Gheg bot connects to its control server on port 443, but the connection is not a standard SSL session: the bot sends plaintext HTTP requests, and only the payloads it receives are encrypted. Samples we have analyzed connect to 208.72.168.140 with HTTP requests like the ones below:\r\nGET /1464 HTTP/1.0\r\nHost: \u003cC\u0026C server IP Address\u003e\r\nGET /3164 HTTP/1.0\r\nHost: \u003cC\u0026C server IP Address\u003e\r\nAfter a successful connection, Gheg receives encrypted commands and spam templates from the control server. Because the request is plaintext HTTP rather than a TLS handshake, this traffic can be told apart from genuine HTTPS on the wire.\r\nMalware Behavior on Host\r\nGheg drops a copy of itself in the following folders:\r\n%UserProfile% (C:\\Documents and Settings\\\u003cusername\u003e)\r\n%SystemRoot%\\system32\\ (C:\\Windows\\System32)\r\nThe malware filename is 4-6 random characters with an .EXE extension, for example:\r\n%UserProfile%\\rkux.exe\r\n%SystemRoot%\\system32\\cvfjt.exe\r\nA batch file is temporarily created to delete the original executable; its name has the following format:\r\n%temp%\\removeme\u003c4 random digits\u003e.bat (where %temp% is the Windows default temporary folder).\r\nTo run automatically at system start-up, the trojan adds the following registry entries:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\n\"Userinit\" = \"%SystemRoot%\\system32\\userinit.exe, %UserProfile%\\\u003crandom filename of malware.exe\u003e\"\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\"\u003crandom\u003e.exe\" = \"%SystemRoot%\\system32\\\u003crandom\u003e.exe\"\r\nThe Userinit value normally lists only userinit.exe; Winlogon launches every program listed there at each interactive logon, so appending the malware path gives Gheg a second persistence mechanism alongside the Run key.\r\nGheg also lowers Internet Explorer security settings by modifying the following registry entries:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\r\nWarnOnPost = hex:00,00,00,00\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2\r\nMinLevel = dword:00000000\r\nRecommendedLevel = dword:00000000\r\n1004 = dword:00000000\r\n1201 = dword:00000000\r\n1609 = dword:00000000\r\nZone 2 is the Trusted sites zone, and a value of 0 for a URL action means it is allowed without prompting; 1004, 1201 and 1609 are the download of unsigned ActiveX controls, the initialization and scripting of ActiveX controls not marked safe, and the display of mixed content.\r\nGheg also sets itself to bypass the Windows firewall by using the NETSH command (netsh firewall set allowedprogram \"\u003cname of malware\u003e\"), and to identify itself on the infected machine, Gheg creates a mutex named \"ghegdjf\", from which its name derives.\r\nLast Reviewed: April 20, 2009 by Rodel Mendrez\r\nSource: https://web.archive.org/web/20090428005953/http://www.marshal8e6.com/trace/i/Gheg,spambot.897~.asp",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20090428005953/http://www.marshal8e6.com/trace/i/Gheg,spambot.897~.asp"
	],
	"report_names": [
		"Gheg,spambot.897~.asp"
	],
	"threat_actors": [],
	"ts_created_at": 1775434669,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8648a638a01c9fca5b8c1d9c394757f4e124e64f.pdf",
		"text": "https://archive.orkl.eu/8648a638a01c9fca5b8c1d9c394757f4e124e64f.txt",
		"img": "https://archive.orkl.eu/8648a638a01c9fca5b8c1d9c394757f4e124e64f.jpg"
	}
}
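Detection logic for the indicators in the write-up above: the plaintext GET on port 443 from the Command and Control section, and the Userinit, Run-key, Internet Settings and netsh artifacts from the Malware Behavior section. This is an added example, not code from the Marshal8e6 page. The registry export and packet bytes are constructed; the firewall AuthorizedApplications key, the known-good Run baseline and the three-value threshold for the zone check are assumptions not taken from the write-up.

```python
"""Checks for the Gheg/Tofsee indicators in the Marshal8e6 write-up.
Added example, not the vendor's code; all sample data is constructed."""
import re

# --- Network: Gheg talks plaintext HTTP on tcp/443 instead of TLS ----------
# A TLS record starts with content type 0x16 (handshake) and major version 0x03.
# The bot instead sends "GET /<4 digits> HTTP/1.0\r\nHost: <C&C IP>\r\n".
GHEG_REQUEST = re.compile(rb"^GET /\d{4} HTTP/1\.0\r\nHost: [^\r\n]+\r\n")
HTTP_METHOD = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) ")


def classify_443_payload(client_first_bytes: bytes) -> str:
    """Label the first bytes a client sent on port 443:
    'tls', 'gheg-c2', 'plaintext-http' or 'unknown'."""
    b = client_first_bytes
    if len(b) >= 2 and b[0] == 0x16 and b[1] == 0x03:
        return "tls"
    if GHEG_REQUEST.match(b):
        return "gheg-c2"
    if HTTP_METHOD.match(b):
        return "plaintext-http"
    return "unknown"


# --- Host: indicators read from a "reg export" (.reg) file ------------------
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IE_ZONE2 = (r"hkey_current_user\software\microsoft\windows\currentversion"
            r"\internet settings\zones\2")
# Where the XP SP2 firewall keeps "netsh firewall set allowedprogram" entries.
# Assumption: this key is not named in the write-up.
FW_ALLOWED = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
              r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")
# "4-6 random characters with .EXE extension" as a path suffix.
RANDOM_EXE = re.compile(r"\\[a-z]{4,6}\.exe$", re.IGNORECASE)
# Short names alone also hit legitimate entries (ctfmon.exe), so Run values are
# compared against a known-good baseline. Constructed for this example.
KNOWN_GOOD_RUN = {"ctfmon.exe"}


def parse_reg_export(text: str) -> dict:
    """Parse the .reg subset needed here: [key] headers, "name"="string" and
    "name"=dword:XXXXXXXX values. Keys and value names are lower-cased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith('"'):  # .reg doubles backslashes in strings
                value = value.strip('"').replace("\\\\", "\\")
            keys[current][name.strip('"').replace("\\\\", "\\").lower()] = value
    return keys


def find_gheg_indicators(keys: dict, known_good_run=KNOWN_GOOD_RUN) -> list:
    """Return (indicator, detail) pairs for the Gheg host artifacts."""
    hits = []
    # Winlogon\Userinit: every comma-separated program after userinit.exe is
    # launched at each interactive logon.
    userinit = keys.get(WINLOGON, {}).get("userinit", "")
    for extra in (p.strip() for p in userinit.split(",")[1:] if p.strip()):
        if RANDOM_EXE.search(extra):
            hits.append(("winlogon-userinit", extra))
    # Run key: "<random>.exe" = %SystemRoot%\system32\<random>.exe
    for name, path in keys.get(RUN_KEY, {}).items():
        if (RANDOM_EXE.search(path) and "\\system32\\" in path.lower()
                and name not in known_good_run):
            hits.append(("run-key", path))
    # Trusted sites zone (2) with its levels and the ActiveX / mixed-content
    # actions set to 0 (allow). The threshold of 3 is an assumption.
    zone = keys.get(IE_ZONE2, {})
    zeroed = [v for v in ("minlevel", "recommendedlevel", "1004", "1201", "1609")
              if zone.get(v) == "dword:00000000"]
    if len(zeroed) >= 3:
        hits.append(("ie-zone2-lowered", ",".join(zeroed)))
    # Firewall exception added with netsh; entries look like "<path>:*:Enabled:<name>".
    for entry in keys.get(FW_ALLOWED, {}).values():
        path = entry.split(":*:")[0]
        if RANDOM_EXE.search(path):
            hits.append(("firewall-exception", path))
    return hits


# Constructed registry export modelled on the artifacts in the write-up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\bob\\rkux.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"cvfjt.exe"="C:\\WINDOWS\\system32\\cvfjt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"MinLevel"=dword:00000000
"RecommendedLevel"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000000
"1609"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\bob\\rkux.exe"="C:\\Documents and Settings\\bob\\rkux.exe:*:Enabled:rkux"
"""


def scan_sample() -> list:
    """Run the host checks over the constructed export."""
    return find_gheg_indicators(parse_reg_export(SAMPLE_REG))


if __name__ == "__main__":
    print(classify_443_payload(b"GET /1464 HTTP/1.0\r\nHost: 208.72.168.140\r\n\r\n"))
    for indicator, detail in scan_sample():
        print(f"{indicator}: {detail}")
```

The network check keys on the first client bytes of a 443 flow, which is enough to separate a real TLS ClientHello from the bot's HTTP/1.0 GET; the host checks are written against a `reg export` file so they can be run offline against a triage image, with the Run-key baseline there to keep legitimate short names such as ctfmon.exe from being flagged.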