{
	"id": "dd3fc325-559a-4e0a-83dd-6eb88c373ebd",
	"created_at": "2026-04-06T00:15:39.686593Z",
	"updated_at": "2026-04-10T03:20:31.132663Z",
	"deleted_at": null,
	"sha1_hash": "a8d087cdfa122ffd74f7c4616749e835fcdd25f6",
	"title": "KBOT: sometimes they come back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1399417,
	"plain_text": "KBOT: sometimes they come back\r\nBy Anna Malina\r\nPublished: 2020-02-10 · Archived: 2026-04-05 17:20:32 UTC\r\nAlthough by force of habit many still refer to any malware as a virus, this once extremely common class of threats\r\nis gradually becoming a thing of the past. However, there are some interesting exceptions to this trend: we\r\nrecently discovered malware that spread through injecting malicious code into Windows executable files; in other\r\nwords, a virus. It is the first “living” virus in recent years that we have spotted in the wild.\r\nWe named it KBOT, and Kaspersky solutions detect the malware and its components as Virus.Win32.Kpot.a,\r\nVirus.Win64.Kpot.a, Virus.Win32.Kpot.b, Virus.Win64.Kpot.b, and Trojan-PSW.Win32.Coins.nav.\r\nWhat does KBOT do\r\nKBOT penetrates users’ computers via the Internet or a local network, or from infected external media. After the\r\ninfected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task\r\nScheduler, and then deploys web injects to try to steal the victim’s bank and personal data. For the same purpose,\r\nKBOT can download additional stealer modules that harvest and send to the C\u0026C server almost full information\r\nabout the user: passwords/logins, cryptowallet data, lists of files and installed applications, and so on. The\r\nmalware stores all its files and collected data in a virtual file system encrypted using the RC6 algorithm, making it\r\nhard to detect.\r\nNumber of Virus.Win32.Kpot detections, March — December 2019\r\nhttps://securelist.com/kbot-sometimes-they-come-back/96157/\r\nPage 1 of 24\n\nInfection methods\r\nKBOT infects all EXE files on connected logical drives (HDD partitions, external media, network drives) and in\r\nshared network folders by adding polymorphic malicious code to the file body. 
To do so, the malware listens to the\r\nconnection events of local and network logical drives using the IID_IWbemObjectSink interface and a query of\r\ntype SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA\r\n'Win32_LogicalDisk', and overrides the Indicate function of the IWbemObjectSink interface, where for each\r\ndrive it performs recursive scanning of directories and infects EXE files.\r\nThe malware retrieves paths to shared network resources using the API functions NetServerEnum and\r\nNetShareEnum, before scanning directories and infecting executable EXE files:\r\nLike many other viruses, KBOT patches the entry point code, where the switch to the polymorphic code added to\r\nthe start of the code section is implemented. As a result, the original code of the entry point and the start of the\r\ncode section are not saved. Consequently, the original functionality of the infected file is not retained.\r\nVirus code at the entry point\r\nThe jmp command makes the switch to the polymorphic code:\r\nThe virus also adds encrypted data to the end of one of the following sections: .rsrc, .data, .rdata. Data located\r\nafter the selected section is shifted. At the same time, the parameters of the relocation table directory, resources\r\ndirectory, imports directory, parameters of sections, and other PE file parameters are modified accordingly. The\r\nencrypted data contains the body of the main malware module (DLL library), as well as code for decrypting,\r\nloading into memory, and running this library. 
The data is encrypted using the XOR method, plus the library is\r\nadditionally encrypted with the RC4 algorithm and compressed using Aplib.\r\nExample of an infected file\r\nAt the end of the polymorphic code is a classic piece of code for obtaining the kernel32.dll base:\r\nNext, the API address of the VirtualProtect function is retrieved and used to set permissions to write and execute\r\nencrypted virus data located at the end of the above-mentioned .rsrc, .data, and .rdata sections. The data is\r\ndecrypted, and the switch to the relevant code is made:\r\nThe code decrypts the DLL library with basic bot functionality (encrypted using RC4 and compressed using\r\nAplib), maps the library headers and sections into memory, resolves the imports from the import directory, does\r\nmanual relocations using information from the relocation table directory, and executes the code at the library entry\r\npoint.\r\nKBOT functions\r\nInjects\r\nTo conceal its malicious activity in the system and to be able to operate in the context of system applications, KBOT\r\nattempts to inject code into running system processes.\r\nUsing the API functions OpenProcess/OpenProcessToken and GetTokenInformation, it retrieves the SID of the\r\nprocess into whose address space the main malware module is loaded. 
If the SID of the process matches\r\nWinLocalSystemSid, KBOT uses the CreateProcess API with the CREATE_SUSPENDED flag to create the\r\nnew process svchost.exe, and then performs a classic inject: using the API functions\r\nNtCreateSection/NtMapViewOfSection, it allocates memory in the address space of the svchost.exe process,\r\nwhere it copies the header and sections of the main module, after which it resolves the imports from the import\r\ndirectory and does manual relocations using information from the relocation table directory. Next, KBOT calls the\r\nCreateRemoteThread/RtlCreateUserThread API with the address of the entry point. If the SID of the process\r\ndoes not match WinLocalSystemSid, the malware sets SeDebugPrivilege debug privileges and tries to perform a\r\nsimilar inject in the running processes services.exe and svchost.exe, whose SIDs match WinLocalSystemSid, as\r\nwell as in the explorer.exe process.\r\nKBOT also injects the DLLs specified in the injects.ini file (located in the virtual file storage) into the processes\r\nlisted in the same INI file. Configuration files, including injects.ini, are encrypted in one of the last sections of the\r\nmain module of the bot, from where they are read, decrypted, and moved to the virtual file storage. The sample\r\nfirst searches for the current version of the required file in its storage (it might be that the current version was\r\npreviously retrieved from the C\u0026C); in case of failure, it reads the file data from the original version, which is\r\nlocated in the body of the bot itself in encrypted form. A special bot module — JF (joined files) — handles the\r\nprocessing of such files. 
At the start of the encrypted data of every such file, there is a structure with a data\r\ndescription containing a JF signature.\r\nDescription of the data processing procedure of the configuration file\r\nThe structure with the description of the encrypted file data corresponds to each encrypted file attached:\r\nExample of injects.ini:\r\nThe above-mentioned JUPITER.32 and JUPITER.64 are DLLs that perform web injects that help the malware\r\nsteal users’ personal data entered in browsers: passwords, credit card/wallet numbers, etc.; such injects are carried\r\nout through spoofing web page content as a result of injecting malicious code into the HTTP traffic. For this, it is\r\nnecessary to modify the code of the browser and system functions responsible for the transmission and processing\r\nof traffic. To do so, after performing an inject in the system and browser processes, the web-injects library patches\r\nthe code of functions in popular browsers (Chrome, Firefox, Opera, Yandex.Browser) and the code of system\r\nfunctions for transmitting traffic:\r\nThe list of injects from the configuration file is stored by the malware in a global array of inject descriptors — a\r\nfunctionality analogous in many ways to the Rovnix bootkit.\r\nBelow we give an example of the configuration file kbot.ini, where Hosts is the C\u0026C list and ServerPub is the\r\npublic key for data encryption:\r\nDLL hijacking\r\nSo as to operate in the address space of a legitimate system application when the system boots, the malware\r\nperforms a DLL hijacking attack by infecting the system libraries specified in the import directory of the system\r\nexecutable file and placing them next to the system file, which is then written to Startup.\r\nIn the 
system folder C:\\Windows\\System32, the malware searches for executable EXE files suitable for attack,\r\nexcluding from consideration the following files:\r\n1. Containing the strings level=\"requireAdministrator\" and \u003etrue in the manifest. That is, executable\r\nfiles that need administrator rights to run. Calling such applications invokes a UAC dialog box.\r\n2. Containing in the import table library names starting with API-MS-WIN- and EXT-MS-WIN-. That is,\r\nfiles that contain virtual library names in imports and use the API Set redirection table in\r\nApiSetSchema.dll. For such files, DLL hijacking is impossible to implement, because virtual names are\r\ntranslated into system library names with full paths.\r\n3. The names of which are contained in the stop list:\r\nHaving found an executable file that meets all the criteria, KBOT creates a folder with an arbitrary name in the\r\nsystem directory, and copies the detected EXE file to it, as well as the system DLLs located in the import directory\r\nof the executable file. To perform these operations with administrator privileges, the malware generates\r\nshellcode (based on this code) using the Elevation Moniker “Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}”.\r\nThe above shellcode functionality\r\nThis shellcode, along with the necessary parameters, is injected into the explorer.exe process using the\r\nCreateRemoteThread API function.\r\nAfter copying, the virus creates an arbitrarily named file in the same folder, which is an encrypted file storage;\r\nVFAT is used as the file system. 
Located in the storage is the current version of the main bot module,\r\nconfiguration files received from the C\u0026C, system information, and other service data.\r\nAs a result, the directory containing the system application, DLLs from the import directory, and the KBOT\r\nservice data storage looks as follows (the file name of the malware’s encrypted virtual storage is highlighted red):\r\nNext, KBOT infects the copied system libraries. The code of the DLLEntryPoint entry point is overwritten with\r\nthe following code:\r\nAs when infecting the executable file, the virus adds polymorphic code to the code section and encrypted code at\r\nthe end of one of the .rsrc, .data, or .rdata sections. Unlike the code added to the EXE file, this code does not\r\ncontain the encrypted main module of the bot; rather, it reads and decrypts it from the file storage. Functions\r\nimported by the system EXE file from the created folder have their start overwritten with the code for performing\r\nthe switch to the polymorphic code:\r\nThe further operating algorithm of the malicious code is analogous to that of the malicious code in the infected\r\nEXE files, except that the main bot module is read from the encrypted storage. The original data of the infected\r\nDLLs is not saved.\r\nEncrypted code at the end of the last section of the DLL:\r\nIn this way, after the system EXE file is started, the imported DLLs located next to it are loaded into the address\r\nspace of the process. After calling the imported functions, the malicious code is executed.\r\nStartup\r\nTo run at system startup, the malware uses the following methods:\r\n1. 
It writes itself to Software\\Microsoft\\Windows\\CurrentVersion\\Run.\r\nTo prevent a UAC window from appearing, it sets the value of the __compat_layer environment variable\r\nto RunAsInvoker. Using the CreateDesktop API, it creates a new desktop. Within the framework of this\r\ndesktop, it uses the CreateProcess API to launch the regedit.exe process. It injects into this process the\r\nshellcode, which uses API functions for working with the registry to write the full path of the system EXE\r\nto the specified registry key.\r\n2. Using WMI tools, a task is created to run the system EXE file in Task Scheduler, next to which are the\r\ninfected malicious DLLs (see DLL hijacking above).\r\nKBOT performs a preliminary check of the current tasks in Task Scheduler, reads the contents of DLLs imported\r\nfrom the tasks by the EXE files, and searches for the infection signature data:\r\nIf there are no tasks with infected files, it creates a new task on behalf of the local system account (S-1-5-18)\r\nwithout a user name:\r\nTask parameters:\r\nExample of XML with the created task:\r\nRemote management\r\nTo remotely manage the victim’s computer, KBOT establishes reverse connections with the servers listed in the\r\nBC.ini file.\r\nTo create several simultaneous sessions using the RDP protocol, the malware configures the Remote Desktop\r\nServer settings:\r\n1. It finds processes that have the termserv.dll library loaded in their memory.\r\n2. It patches the memory section of the found process where termserv.dll is loaded. Different patching code\r\nis applied for different system versions.\r\n3. 
During the patching process, it searches the memory of the module for specific sets of bytes, and replaces\r\nthem with those specified.\r\nNext, KBOT edits the values of the registry keys responsible for TermService settings (not all editable values\r\nare listed):\r\nHKLM\\SYSTEM\\ControlSet\\Control\\Terminal Server\\Licensing Core\\EnableConcurrentSessions\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\EnableConcurrentSessions\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MaxInstanceCount\r\nIt then restarts TermService and creates a user in the system for remote connections with the SID\r\nWinBuiltinRemoteDesktopUsersSid.\r\nC\u0026C communication\r\nThe malware, on a timer and in a separate thread, starts a process for receiving and processing\r\ncommands from the server. The list of commands is sent in the form of a buffer. To receive commands, the\r\nwininet.dll APIs for network connections are used. The domains for receiving commands are located in the\r\nhosts.ini file, which the malware periodically updates. All configuration files with C\u0026C data and connection\r\nparameters are stored in encrypted form in one of the last sections of the main bot module; newer versions are\r\nstored in an encrypted VFAT storage, as previously mentioned. Files received from C\u0026C are placed in an\r\nencrypted storage.\r\nExample of hosts.ini configuration file\r\nBot IDs and detailed information about the infected system (computer name, domain, system language and\r\nversion, list of local users, list of installed security software, etc.) are sent to C\u0026C in advance. 
Traffic is encrypted\r\nusing the AES algorithm:\r\nThe malware can receive the following commands from the C\u0026C server:\r\nDeleteFile — delete the specified file from the file storage.\r\nUpdateFile — update the specified file in the file storage.\r\nUpdateInjects — update injects.ini.\r\nUpdateHosts — update hosts.ini.\r\nUpdateCore — update the main bot module and the configuration file kbot.ini.\r\nUninstall — uninstall the malware.\r\nUpdateWormConfig — update worm.ini containing information about the location of EXE files to be\r\ninfected.\r\nExample of worm.ini\r\nUpdateBackconnectConfig — update the configuration file with the list of servers for reverse\r\nconnections.\r\nExample of bc.ini\r\nLoad — load the file into the storage; it loads spyware programs for collecting user data, as well as DLLs\r\nfor web injects (saved under the names JUPITER.32 and JUPITER.64), their configuration files, etc.\r\nExample of part of the configuration file for a web inject\r\nObfuscation\r\nTo complicate the analysis of its malicious activity, KBOT uses a set of obfuscation tools. When it loads, the main\r\nbot module checks whether the imported functions are patched for breakpoints; if so, it reloads the imported DLLs\r\ninto memory, zeroes the names of the imported functions, and uses string obfuscation. The encrypted strings are\r\nstored in a special array of structures; to access them, the decryption function is called with the number of the\r\nstring structure in the array. 
The strings are encrypted using the RC4 algorithm, and the decryption key is stored in\r\nthe structure.\r\nExample of an array of structures with a description of the strings\r\nAccess to the string:\r\nDecryption function:\r\nObfuscation of the DLL that performs the web injects\r\nThe malware suspends threads of a well-known vendor’s security solution (like the Carberp Trojan), and in the\r\ncontext of its process finds threads whose code was run from DLLs located at the path mask\r\n*\\Trusteer\\Rapport\\*.dll\r\nNext, the malware scans the contents of the DLL for signatures of interest to it. If any are present, it suspends\r\nexecution of the thread, patches the context so that it performs the Sleep function, and resumes the thread:\r\nKBOT then scans the code of the imported functions for patches. If the code is patched (for example, a 0xcc\r\nbreakpoint has been added), it reloads the imported libraries into memory and resolves imports.\r\nConclusion\r\nThe KBOT virus poses a serious threat, because it is able to spread quickly in the system and on the local network\r\nby infecting executable files with no possibility of recovery. 
It significantly slows down the system through injects\r\ninto system processes, enables its handlers to control the compromised system through remote desktop sessions,\r\nsteals personal data, and performs web injects for the purpose of stealing users’ bank data.\r\nIOC\r\nSource: https://securelist.com/kbot-sometimes-they-come-back/96157/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/kbot-sometimes-they-come-back/96157/"
	],
	"report_names": [
		"96157"
	],
	"threat_actors": [],
	"ts_created_at": 1775434539,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8d087cdfa122ffd74f7c4616749e835fcdd25f6.pdf",
		"text": "https://archive.orkl.eu/a8d087cdfa122ffd74f7c4616749e835fcdd25f6.txt",
		"img": "https://archive.orkl.eu/a8d087cdfa122ffd74f7c4616749e835fcdd25f6.jpg"
	}
}