
Infostealer.Bebloh


First posted on 25 September 2015.
Source: Symantec

Aliases:

There are no other names known for Infostealer.Bebloh.

Explanation:

When the Trojan is executed, it creates the following file: %UserProfile%\Application Data\Mp2web\wiabrowse.exe
Next, the Trojan creates the following registry entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Shst" = "%UserProfile%\Application Data\Mp2web\wiabrowse.exe"
The Trojan then gathers a list of installed applications and sends it to any of the following remote locations:
    pannogen.com/link.php
    fanera-distribution.com/link.php
    opilki-limited.com/link.php
    superzhopper.com/link.php
    becadogale.com/link.php
    duteraneh.com/link.php
    xezikalanre.com/link.php
    nuratrben.com/link.php
    liopnret.com/link.php
The Trojan may also connect to the following remote locations to obtain additional scripts:
    [https://]ditdll1.com/ooh0wahnae3o/scri[REMOVED]
    [https://]ditdll1.com/ahza8rei8mei/scri[REMOVED]
    [https://]ditdll1.com/ahsh7gah7ree/scri[REMOVED]
These scripts may redirect the user to the following remote locations:
    bancsabadell.com/tx
    bbva.es/BBVANet/particulares
The Trojan may then perform the following actions:
    Update itself
    Download an additional component and inject it into a process
    Inject a script into a web browser to interact with targeted banking websites (such as transferring money from one bank account to another)
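The artifacts listed above (a Run-key value, a dropped executable and a set of command-and-control domains) are the things a responder would check a host for. The PowerShell below is an added example and not part of the Symantec write-up: it takes the value name "Shst", the file path and the domain names from this page, and everything else (the junction fallback, the DNS-cache lookup, the output format) is this example's own logic. It assumes Get-DnsClientCache is available (Windows 8 / Server 2012 and later) and reads only the current user's hive and profile.

```powershell
# Added example: hunt a local Windows host for the Infostealer.Bebloh persistence
# artifacts described on this page. Read-only; it reports, it does not remediate.

$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName    = 'Shst'                                   # value name from the write-up
$expectedPath = Join-Path $env:USERPROFILE 'Application Data\Mp2web\wiabrowse.exe'

# Domains from the write-up's C2 / script-hosting lists (path components dropped).
$c2Domains = @(
    'pannogen.com', 'fanera-distribution.com', 'opilki-limited.com', 'superzhopper.com',
    'becadogale.com', 'duteraneh.com', 'xezikalanre.com', 'nuratrben.com', 'liopnret.com',
    'ditdll1.com'
)

$findings = @()

# 1. Run-key persistence: any value named "Shst" is suspicious regardless of its data,
#    but record the data so an analyst can see where it points.
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).$valueName
if ($runValue) {
    $findings += [pscustomobject]@{ Indicator = 'Run value'; Detail = "$valueName = $runValue" }
}

# 2. Dropped file. "%UserProfile%\Application Data" is the XP-era layout; on Vista and
#    later it is a junction to %AppData%, so check the modern spelling as well
#    (assumption: the junction is traversable for the current user, which is the default).
$candidatePaths = @(
    $expectedPath,
    (Join-Path $env:APPDATA 'Mp2web\wiabrowse.exe')
) | Select-Object -Unique
foreach ($p in $candidatePaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Indicator = 'Dropped file'; Detail = "$p (SHA256 $hash)" }
    }
}

# 3. Recent name resolution of the listed domains, from the DNS client cache.
#    A hit means the host resolved the name recently; it is a lead, not proof of infection.
$dnsHits = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $c2Domains -contains $_.Entry.ToLower() }
foreach ($hit in $dnsHits) {
    $findings += [pscustomobject]@{ Indicator = 'DNS cache'; Detail = "$($hit.Entry) -> $($hit.Data)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Infostealer.Bebloh persistence artifacts found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in a normal (non-elevated) session for the user whose profile you are examining, since the Run key and the drop path are both per-user. A Run value named "Shst" or a file at the listed path is a strong indicator; a DNS-cache hit on its own only shows that the name was resolved and should be confirmed against proxy or firewall logs.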

Last update 25 September 2015
