Home / malware Infostealer.Banprox.B
First posted on 16 February 2016.
Source: SymantecAliases :
There are no other names known for Infostealer.Banprox.B.
Explanation :
When the Trojan is executed, it creates the following files:
%Temp%\emsjapan.png%Temp%\sreda_02102016.exe
The Trojan may modify the following files:
%SystemDrive%\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bcfh5tat.default\preferences\greprefs.js%SystemDrive%\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bcfh5tat.default\preferences\nixpref.js%SystemDrive%\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bcfh5tat.default\preferences\prefcalls.js%SystemDrive%\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bcfh5tat.default\preferences\winpref.js
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A9753DC515D30D1D048F33765B95C105EB58A403HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A9753DC515D30D1D048F33765B95C105EB58A403\Blob: Hex BlobHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL: "http://mssinfosys.com/9jyIc8/7lqm.rui"HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Internet Explorer\Privacy\ClearBrowsingHistoryOnExit: 0x00000001HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Internet Explorer\Privacy\CleanTIF: 0x00000001HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Internet Explorer\Privacy\UseAllowList: 0x00000000HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL: "http://mssinfosys.com/9jyIc8/7lqm.rui"HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving: 0x00000000
The Trojan installs a root certificate and changes proxy settings for the following browsers:
Internet ExplorerMozilla Firefox
The Trojan downloads a configuration script from the following location:
[http://]mssinfosys.com/[SIX RANDOM CHARACTERS]/[FIVE RANDOM C[REMOVED]
The Trojan monitors browser activity for connections to the following banking websites and may inject code into them:
https://online.sberbank.ruhttps://online.vtb24.ruhttps://online.rsb.ru
The Trojan steals banking information from the previously mentioned websites and sends it to the following location:
[http://]infomcheck.comLast update 16 February 2016