Trojan-Spy.Win32.Banker.em

From Total Malware Info

This is a backdoor used to steal the victim's account information. The file is a Windows PE executable compiled with Borland Delphi and packed with UPX. The packed file is 280 576 bytes in size; unpacked, it is 712 192 bytes.

Installation

After installation, it registers the file in the system registry so that it is launched each time Windows is restarted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<Trojan_name>"="%CurrentDir%\<Trojan_name>.exe"
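A defender checking a host for this kind of persistence usually starts from the Run key. The script below is an added example (not part of the original page or of any analysis tool): it parses a `.reg` export of the HKLM Run key, unescapes the value data, extracts the executable path from each command line, and flags entries whose executable lives outside the normal program directories. The registry export, the value names and the trusted-directory list are all constructed for the example; a real deployment would extend the allowlist with site-specific per-user software.

```python
import re
from typing import List, Tuple

# Constructed sample: a .reg export of the HKLM Run key as "reg export" writes it.
# The entries are invented for this example, not taken from an infected host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"winlog32"="C:\\Users\\alice\\Downloads\\winlog32.exe"
"updater"="C:\\Temp\\updater.exe -silent"
"""

# A Run value line looks like  "Name"="data"  with backslashes and quotes escaped.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Directories from which autostart entries are normally expected.
# Assumption: a site-specific allowlist would extend this tuple.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)


def parse_run_key(export: str) -> List[Tuple[str, str]]:
    """Return (value name, unescaped command line) pairs from a .reg export."""
    entries = []
    for line in export.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        # .reg escapes "\" as "\\" and '"' as '\"'; undo both in one pass.
        command = re.sub(r"\\(.)", r"\1", m.group("data"))
        entries.append((m.group("name"), command))
    return entries


def executable_path(command: str) -> str:
    """Extract the executable path from a Run command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    idx = command.lower().find(".exe")
    if idx != -1:
        return command[: idx + 4]
    return command.split(" ", 1)[0]


def find_suspicious_entries(export: str) -> List[str]:
    """Names of Run values whose executable is outside the trusted directories."""
    flagged = []
    for name, command in parse_run_key(export):
        path = executable_path(command).lower()
        if not path.startswith(TRUSTED_PREFIXES):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in find_suspicious_entries(SAMPLE_REG_EXPORT):
        print("suspicious autostart entry:", name)
```

On the sample export the two entries pointing into `Downloads` and `Temp` are reported, while the two under `Program Files` pass. The same parser also covers `HKCU\...\Run`, which a per-user variant of this dropper would use.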

Payload

The malware targets specific sites and steals account information using keylogging and screenshot techniques. It looks for a browser window matching one of the following keywords:

bancobrasil
bradesco
itau
etronics
banparanet
safra
basa
bancoamazonia
bankboston
caixa
hsbc
sudameris
banespa
americanas
shoptime
submarino
pontofrio
real
unibanco
santander
serasa
equifax
abcbrasil
alfanet
ishop21
somlivre
mercadolivre
banerj
banestado
barclays
bancobmg
bnpparibas
citibank
sicredi
bcsul
daycoval
csfb
besc
banrisul
banese
banconordeste
bancofibra
fininvest
bancogmac
bancoindustrial
bicbanco
indusval
jsafra
lusobrasileiro
mercantildobrasil
nossacaixa
pactual
opportunity
bancopaulista
bancopine
cblc
bancoprosper
rabobank
rendimento
rural
safranet
bancosimples
portalcifra
sofisa
ubsw
tribanco
banif
banestes
us-db-directadm
deutsche-bank
dbla.net
jpmorgan
lemonbank
bancobva
bancobonsucesso
bancocedula
bancocapital
bancocnh
bancocomercial
redlink
bapro
bancomaxima
pottencial

The malware logs the captured user information and sends it by email over SMTP via:

smtp.mail.yahoo.com.br

using the mail account:

bet***ro@yahoo.com.br

and a POP3 account for updates:

drt***yx@uol.com.br
pop3.uol.com.br
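Because the stolen data leaves the host over SMTP and updates arrive over POP3, a simple network-side detection is to alert on mail-protocol connections made by anything other than a known mail client. The script below is an added example, not part of the original page: it parses a constructed per-process connection log (the record format is invented here; Sysmon network events or an EDR feed would be the real source), and reports processes outside a mail-client allowlist that connect to SMTP or POP3 ports. The process names, paths and the allowlist are assumptions; the two server names are the ones given above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of per-process outbound connections; the format and the
# process details are invented for this example.
SAMPLE_CONNECTION_LOG = """\
2007-03-12T10:00:01 pid=1234 image=C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe dst=smtp.example.test:587
2007-03-12T10:00:05 pid=4321 image=C:\\Users\\alice\\Downloads\\winlog32.exe dst=smtp.mail.yahoo.com.br:25
2007-03-12T10:00:09 pid=4321 image=C:\\Users\\alice\\Downloads\\winlog32.exe dst=pop3.uol.com.br:110
2007-03-12T10:00:12 pid=777 image=C:\\Windows\\System32\\svchost.exe dst=update.example.test:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)

# SMTP, SMTPS, submission, POP3, POP3S
MAIL_PORTS = {25, 465, 587, 110, 995}
# Assumption: processes allowed to speak mail protocols on this site.
MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}


def parse_connections(log: str) -> List[Dict[str, object]]:
    """Turn log lines into records; lines that do not match are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": m.group("ts"),
            "pid": int(m.group("pid")),
            "image": m.group("image"),
            "host": m.group("host"),
            "port": int(m.group("port")),
        })
    return records


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_mail_exfil(log: str) -> List[Tuple[int, str, str, int]]:
    """(pid, image name, host, port) for non-mail-client processes using mail ports."""
    alerts = []
    for rec in parse_connections(log):
        image = basename(rec["image"])
        if rec["port"] in MAIL_PORTS and image not in MAIL_CLIENTS:
            alerts.append((rec["pid"], image, rec["host"], rec["port"]))
    return alerts


if __name__ == "__main__":
    for pid, image, host, port in find_mail_exfil(SAMPLE_CONNECTION_LOG):
        print(f"pid {pid} ({image}) -> {host}:{port}")
```

On the sample log the mail client's submission connection and the HTTPS connection pass, and both connections from the unknown executable in `Downloads` are reported: one to the SMTP relay used for exfiltration and one to the POP3 server used for updates.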

Removal instructions

  1. Using Task Manager, terminate the Trojan process <Trojan_name>.exe
  2. Delete the following registry keys:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "<Trojan_name>"="%CurrentDir%\<Trojan_name>.exe"
  3. Delete the executable file
    %CurrentDir%\<Trojan_name>.exe
  4. Use Kaspersky Anti-Virus to delete the Trojan. Update your antivirus databases and perform a full scan of the computer.
