
TrojanSpy:Win32/Tinbanker.A


First posted on 05 February 2013.
Source: Microsoft

Aliases :

TrojanSpy:Win32/Tinbanker.A is also known as PSW.Banker6.AMLT (AVG), TR/Barys.626.27 (Avira), Gen:Variant.Barys.626 (BitDefender), Win32/Spy.Banker.YWY trojan (ESET), PWS-Banker!hgs (McAfee).

Explanation :



Installation

TrojanSpy:Win32/Tinbanker.A arrives on your computer as a DLL file. It registers itself as a Browser Helper Object (BHO), which Internet Explorer loads into its own process and which can therefore read and modify the pages the browser displays. It may be installed by other malware, such as TrojanDownloader:Win32/Tinbanker.A.

When installed, TrojanSpy:Win32/Tinbanker.A creates the following registry keys and their associated values to register itself as a BHO:

  • HKLM\SOFTWARE\Classes\CLSID\{269CFC17-4C29-426B-850B-F05141EC531B}
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{269CFC17-4C29-426B-850B-F05141EC531B}
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\EXT\CLSID\{269CFC17-4C29-426B-850B-F05141EC531B}
  • HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT\iexplorer.exe
  • HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Blackberry
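
As an added example that is not part of the Microsoft write-up, the PowerShell script below inventories the BHOs registered on a host through the same keys the malware writes, resolves each CLSID to the DLL it loads, checks that DLL's Authenticode signature, reads the add-on policy value, and flags the CLSID listed above. The Wow6432Node paths and the policy-value semantics (data "1" forces the add-on enabled without prompting the user) are assumptions about standard Windows and Internet Explorer behaviour, not facts stated in the write-up.

```powershell
# Added example (not from the Microsoft write-up): inventory the Browser Helper Objects
# registered on this host and flag the CLSID the write-up attributes to Tinbanker.A.
# Read-only; run from an elevated PowerShell prompt.

$KnownBadClsids = @('{269CFC17-4C29-426B-850B-F05141EC531B}')   # CLSID from the write-up

# Internet Explorer loads BHOs listed under these keys. The Wow6432Node path is an
# assumption covering 32-bit IE on 64-bit Windows.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Add-on management policy key (also written by the malware). A value named after a CLSID
# with data "1" forces that add-on enabled, "0" forces it disabled; absent = user-managed.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'

function Get-BhoInventory {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid = $key.PSChildName

            # Resolve the CLSID to its COM server DLL via CLSID\{guid}\InprocServer32.
            $dll = $null
            foreach ($classRoot in @("HKLM:\SOFTWARE\Classes\CLSID\$clsid",
                                     "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid")) {
                $inproc = Join-Path -Path $classRoot -ChildPath 'InprocServer32'
                if (Test-Path -Path $inproc) {
                    $raw = (Get-ItemProperty -Path $inproc).'(default)'
                    if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
                    break
                }
            }

            # Authenticode status: an unsigned BHO loaded from a user-writable path deserves a look.
            $sigStatus = 'FileMissing'
            if ($dll -and (Test-Path -Path $dll)) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
            }

            # Whether policy forces this add-on on or off.
            $policy = $null
            if (Test-Path -Path $PolicyKey) {
                $policy = (Get-ItemProperty -Path $PolicyKey -Name $clsid -ErrorAction SilentlyContinue).$clsid
            }

            [PSCustomObject]@{
                CLSID        = $clsid
                Dll          = $dll
                Signature    = $sigStatus
                PolicyForced = $policy
                KnownBad     = ($KnownBadClsids -contains $clsid)
            }
        }
    }
}

Get-BhoInventory | Sort-Object -Property KnownBad -Descending | Format-Table -AutoSize
```

Matching on the CLSID alone only catches this exact registration; the more durable signal in the output is a BHO whose DLL is unsigned, lives outside Program Files or System32, and is forced enabled by the policy key, since a new variant can change its GUID but still needs that combination to load silently.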


Payload

Steals banking credentials

TrojanSpy:Win32/Tinbanker.A monitors your web browsing for visits to Banco do Brasil online banking pages. If you visit any of these pages, TrojanSpy:Win32/Tinbanker.A steals the login credentials you enter.

The following web pages have been observed to be monitored by this malware:

  • https://www2.bancobrasil.com.br/aapf/login.jsp
  • https://aapj.bb.com.br/aapj/loginpfe.bb
  • https://aapj.bb.com.br/aapj/logincor.bb
  • https://www2.bancobrasil.com.br/aapf/principal.jsp
  • https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim&perfil=1
  • https://www2.bancobrasil.com.br/aapf/relacionamento/909-00.jsp
  • https://www2.bancobrasil.com.br/aapf/relacionamento/909-00.jsp?operacao=4
  • https://www2.bancobrasil.com.br/aapf/saldo/006-00.jsp?
  • https://www2.bancobrasil.com.br/aapf/pagamento/867-00.jsp?codT=01
  • https://www2.bancobrasil.com.br/aapf/transferencia/818-00.jsp?
  • https://www2.bancobrasil.com.br/aapf/transferencia/862-00.jsp?
  • https://www2.bancobrasil.com.br/aapf/pagamento/892.jsp?codT=03
  • https://www2.bancobrasil.com.br/aapf/emprestimo/simulacao/839.jsp?tipoEmprestimo=13
  • https://aapj.bb.com.br/aapf/templates/Ajuda.jsp?codigo=COCJ


In addition, TrojanSpy:Win32/Tinbanker.A may run commands received from a remote attacker. The supported commands include taking screenshots and removing itself from your computer, among others.



Analysis by Steven Zhou

Last update 05 February 2013
