Home / malware TrojanSpy:Win32/Banker
First posted on 13 June 2019.
Source: MicrosoftAliases :
There are no other names known for TrojanSpy:Win32/Banker.
Explanation :
Installation
This threat can be downloaded by other Win32/Banload malware variants.
This threat can arrive with the following file extensions:
cpl gif jpeg mp3 pif scr vxd
These files are usually built in Delphi programming language.
Variants of this threat drop copies of itself along with other configuration files. It drops the copies to various folders in the infected PC, for example:
%SystemRoot%
It changes the following registry entries so that it runs each time you start your PC or by installing itself as a Browser Helper Object with its own unique GUID:
In subkey: HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Sets value: "MyKB",
With data: "svchost.exe"
In subkey: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
Sets value: "KB(Administrator_3245)"
With data: "application datawinupwinup.exe"
In subkey: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{Unique GUID}
Sets value: "NoExplorer"
With data: "1"
Some variants can also try to disable security-related software such as antivirus and firewall software.
Payload
Collects your sensitive information
This threat can capture your banking credentials such as your username, account number, e-mail address, and password.
It then sends the information to malicious hackers by:
Sending an email to the malicious hacker Sending user credentials using HTTP POST Uploading credentials to a malicious hacker's FTP site
The threat can use the following methods of collecting sensitive information:
Act as a legitimate banking user interface such as an application or in a browser Inject in-process memory of internet browser to monitor banking related transactions Install a Browser Helper Object (BHO) Install key loggers to record screen shots, key strokes, and mouse clicks Install drivers Install control panel application Act as a proxy server
Last update 13 June 2019
