
Infostealer.Bancos.BE


First posted on 04 July 2015.
Source: Symantec

Aliases:

There are no other names known for Infostealer.Bancos.BE.

Explanation:

When the Trojan is executed, it creates the following files:
%Temp%\Google Chome.exe
%Temp%\google chrome
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Temp% = "%Temp%:*:Enabled:google_chrome"
HKEY_CURRENT_USER\"Google Chome" = "%Temp%\Google Chome.exe"
The Trojan will check the name of any open window on the computer for the following strings:
[bb.com.br]
Serviços Financeiros Pessoa Física | HSBC Brasil
Caixa - A vida pede mais que um banco
Entrar
Bem-vindo ao Facebook - acesse, cadastre-se ou saiba mais.
PagSeguro: Venda pela internet e receba pagamentos online facilmente
Acesse Brasil - PayPal
The Trojan will log keys pressed inside any window with a name that matches the strings in an attempt to steal login credentials.

The Trojan will display fake login windows for the following banking websites:
Caixa
Banco do Brasil
HSBC Brasil
The Trojan will terminate the following process:
GbpSV.exe
The Trojan will attempt to load the following DLL component:
HookTeclado.DLL
Note: This DLL component is in the same location as the Trojan.

The Trojan sends the stolen information to the following locations:
www.pinpe.com.br
www.europetrip.besaba.com
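As an added example (not part of the Symantec write-up), the following Python check parses Windows Firewall AuthorizedApplications values in the `<path>:<scope>:<state>:<display name>` format seen in the registry entry above and flags exceptions that point into a temp directory, are not an executable, or borrow a browser's name while living outside Program Files; the registry export lines are constructed for this example.

```python
import re

# Constructed sample of a .reg-style export of the AuthorizedApplications\List key.
# Value format: "<path>:<scope>:<Enabled|Disabled>:<display name>"
SAMPLE_EXPORT = r"""
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%Temp%"="%Temp%:*:Enabled:google_chrome"
"C:\Users\alice\AppData\Local\Temp\Google Chome.exe"="C:\Users\alice\AppData\Local\Temp\Google Chome.exe:*:Enabled:Google Chrome"
"""

ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')
TEMP_HINTS = ("%temp%", "\\temp\\", "\\tmp\\")
BROWSER_NAMES = ("chrome", "firefox", "iexplore", "edge")


def parse_authorized_apps(text):
    """Parse exported AuthorizedApplications\\List values into dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        # Split from the right: the path itself contains ':' after the drive letter.
        parts = m.group("value").rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        entries.append({"key": m.group("key"), "path": path, "scope": scope,
                        "state": state, "name": name})
    return entries


def suspicious_entries(entries):
    """Return (entry, reasons) for enabled exceptions that look like malware persistence."""
    flagged = []
    for e in entries:
        reasons = []
        p = e["path"].lower()
        if any(h in p for h in TEMP_HINTS):
            reasons.append("executable located in a temp directory")
        if not p.endswith(".exe"):
            reasons.append("path is not an .exe (directory or placeholder)")
        if any(b in e["name"].lower() for b in BROWSER_NAMES) and "program files" not in p:
            reasons.append("display name impersonates a browser outside Program Files")
        if e["state"].lower() == "enabled" and reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in suspicious_entries(parse_authorized_apps(SAMPLE_EXPORT)):
        print(entry["key"], "->", "; ".join(reasons))
```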

Last update 04 July 2015
