Infostealer.Kronbank


First posted on 18 January 2015.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Kronbank.

Explanation :

When the Trojan is executed, it creates the following file:
%AppData%\Microsoft\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe

The Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"[RANDOM CHARACTERS]" = "[RANDOM CHARACTERS]"

The Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"[RANDOM CHARACTERS]" = "[RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%AppData%\Microsoft\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"{Random name}" = "%AppData%\Microsoft\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe"

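Because the file, folder and value names are random, a hunt for this persistence has to key on the path layout rather than on names. The following is an added example, not part of the original write-up: it scans saved `reg query` output for Run values that launch an executable exactly two levels below %AppData%\Microsoft. It assumes the usual four-space column layout of `reg query` text output; the sample data and the function name are constructed for illustration, and hits are candidates for review, not confirmed infections.

```python
import re

# The two Run keys named in the write-up (compared case-insensitively).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# An .exe exactly two levels below %AppData%\Microsoft, given either as the
# unexpanded variable or as an expanded ...\AppData\Roaming path.
TARGET = re.compile(
    r'^"?(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)'
    r'\\microsoft\\[^\\"]+\\[^\\"]+\.exe\b',
    re.IGNORECASE,
)

# Assumed `reg query` value line: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")


def find_suspect_autoruns(reg_query_text):
    """Return (key, value_name, data) for Run values matching the path layout."""
    hits, key = [], None
    for line in reg_query_text.splitlines():
        if line.upper().startswith("HKEY_"):   # key header line
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key and key.lower() in RUN_KEYS:
            name, _type, data = m.groups()
            if TARGET.match(data.strip()):
                hits.append((key, name, data.strip()))
    return hits


# Constructed sample output (not taken from a real host).
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    qzkvbt    REG_SZ    C:\Users\alice\AppData\Roaming\Microsoft\Wexuq\ohpalz.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    ytrmna    REG_EXPAND_SZ    %AppData%\Microsoft\Wexuq\ohpalz.exe
'''

if __name__ == "__main__":
    for key, name, data in find_suspect_autoruns(SAMPLE):
        print(f"{key}\\{name} -> {data}")
```
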
The Trojan injects malicious code into popular web browsers in order to steal banking-related information from web pages.

The Trojan then sends the stolen information to the following remote locations:
[http://]managejave.myftp.org/upfornow/conne[REMOVED]
[http://]update43x.myvnc.com/upfornow/conne[REMOVED]
[http://]nonstop.serveminecraft.net/upfornow/conne[REMOVED]

Last update 18 January 2015