TrojanSpy:Win32/Tinbanker.A
First posted on 05 February 2013.
Source: Microsoft
Aliases:
TrojanSpy:Win32/Tinbanker.A is also known as PSW.Banker6.AMLT (AVG), TR/Barys.626.27 (Avira), Gen:Variant.Barys.626 (BitDefender), Win32/Spy.Banker.YWY trojan (ESET), PWS-Banker!hgs (McAfee).
Explanation:
Installation
TrojanSpy:Win32/Tinbanker.A arrives in your computer as a DLL file. It is installed as a Browser Helper Object (BHO) and may be installed by other malware, such as TrojanDownloader:Win32/Tinbanker.A.
When installed, TrojanSpy:Win32/Tinbanker.A creates the following registry keys and its associated entries to install itself as a BHO:
- HKLM\SOFTWARE\Classes\CLSID\{269CFC17-4C29-426B-850B-F05141EC531B}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{269CFC17-4C29-426B-850B-F05141EC531B}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\EXT\CLSID\{269CFC17-4C29-426B-850B-F05141EC531B}
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT\iexplorer.exe
- HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Blackberry
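The registry entries above are the trojan's persistence mechanism: a BHO DLL is loaded into every Internet Explorer process, so a defender checking a host wants to enumerate every registered BHO, resolve each CLSID to its DLL, and flag the CLSID this write-up attributes to Tinbanker.A. The script below is an added example, not part of Microsoft's write-up; it assumes the standard Wow6432Node locations for 32-bit add-ons on 64-bit Windows and uses an unsigned or missing DLL as a "look closer" signal, not as proof of infection.

```powershell
# Added example (not from the Microsoft write-up): list Browser Helper Objects
# on this host and flag the CLSID the write-up attributes to Tinbanker.A.
# Read-only; run in an elevated session so HKLM is fully readable.

$TinbankerClsid = '{269CFC17-4C29-426B-850B-F05141EC531B}'   # CLSID from the write-up

# BHO registrations; Wow6432Node covers 32-bit IE on 64-bit Windows (assumed layout).
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Resolve-BhoDll {
    param([string]$Clsid)
    # The DLL backing a COM class is the default value of CLSID\{guid}\InprocServer32.
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

$findings = foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($entry in Get-ChildItem -Path $root) {
        $clsid = $entry.PSChildName
        $dll   = Resolve-BhoDll -Clsid $clsid
        $sig   = if ($dll -and (Test-Path $dll)) {
                     (Get-AuthenticodeSignature -FilePath $dll).Status
                 } else { 'DllMissing' }
        [pscustomobject]@{
            CLSID          = $clsid
            Dll            = $dll
            Signature      = $sig
            KnownTinbanker = ($clsid -ieq $TinbankerClsid)
            # Unsigned/missing DLLs deserve a closer look; a valid signature alone is not a clean bill.
            Suspicious     = ($clsid -ieq $TinbankerClsid) -or ($sig -ne 'Valid')
        }
    }
}

$findings | Format-Table -AutoSize

# The write-up also lists a per-user key the trojan creates; report it if present.
$userKey = 'HKCU:\Software\Microsoft\Internet Explorer\LowRegistry\Blackberry'
if (Test-Path $userKey) {
    Write-Warning "Found $userKey (listed in the Tinbanker.A write-up)"
}
```

The `Policies\EXT\CLSID` entry in the list above is the add-on approval key; writing a BHO's CLSID there pre-approves it so Internet Explorer does not prompt the user, which is why a review of that key alongside the BHO list is worthwhile during triage.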
Payload
Steals banking credentials
TrojanSpy:Win32/Tinbanker.A monitors your online activities for visits to the Banco do Brasil websites. If you visit any of these websites, TrojanSpy:Win32/Tinbanker.A steals your login credentials.
The following webpages have been found monitored by this malware:
- https://www2.bancobrasil.com.br/aapf/login.jsp
- https://aapj.bb.com.br/aapj/loginpfe.bb
- https://aapj.bb.com.br/aapj/logincor.bb
- https://www2.bancobrasil.com.br/aapf/principal.jsp
- https://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim&perfil=1
- https://www2.bancobrasil.com.br/aapf/relacionamento/909-00.jsp
- https://www2.bancobrasil.com.br/aapf/relacionamento/909-00.jsp?operacao=4
- https://www2.bancobrasil.com.br/aapf/saldo/006-00.jsp?
- https://www2.bancobrasil.com.br/aapf/pagamento/867-00.jsp?codT=01
- https://www2.bancobrasil.com.br/aapf/transferencia/818-00.jsp?
- https://www2.bancobrasil.com.br/aapf/transferencia/862-00.jsp?
- https://www2.bancobrasil.com.br/aapf/pagamento/892.jsp?codT=03
- https://www2.bancobrasil.com.br/aapf/emprestimo/simulacao/839.jsp?tipoEmprestimo=13
- https://aapj.bb.com.br/aapf/templates/Ajuda.jsp?codigo=COCJ
In addition, TrojanSpy:Win32/Tinbanker.A may run commands as instructed by a remote attacker. The commands it can carry out include taking snapshots of your screen, removing itself from your computer, and others.
Analysis by Steven Zhou
Last update 05 February 2013