Trojan-Banker.Win32.Banz.cri

Technical Details
Payload

Technical Details

This malicious program is designed to steal user data that has to do with banking systems, e-money and plastic cards issued by Brazilian banks. It is a Windows PE EXE file. It is 942047 bytes in size. It is written in Delphi.

Installation

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

Where "%filepath%" is the full path to the malicious file.

The program also modifies the following system registry key value:

Payload

When launched, the malicious program downloads a configuration file from

http://juliana9090v.dominiotemporario.com/configex.txt

The program reads settings needed for its operation from the configuration file.

The program then monitors the active browser and, when the user visits certain pages, intercepts all the information entered into web form fields. Specifically, it monitors the following addresses:

www.bradesco.com.br
https://www2.realsecureweb.com.br

The malicious program also intercepts credit card numbers entered by the user on various websites.

All the information collected is sent to the attacker’s address as well as to email addresses specified in the configuration file.

The following SMTP server is used to send mail:

smtp.tutopia.com.br

Summary

• Trojan-Banker. Steals confidential information from banks, financial institutions and payment systems

• Implements network activity

• Performs potentially dangerous activity

Technical details

File size of 942047 bytes.

Installation

Creates the following files on an infected computer:

• Windows system directory (usually, C:\Windows\System32) %System%\configex.dll

Ensures Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of the following installed files:

by adding values to autorun keys in the system registry:

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ] "wscntfx" = "<­path to source program­><­file of source program ­>"

Malicious activity

Steals confidential user information from A malicious program designed to steal user information related to banking and electronic payment systems and bank cards. The information is sent to a cybercriminal via email, ftp, the web or other methods.
Read more details here: http://www.viruslist.com/en/analysis?pubid=204792037the following banks, financial institutions, payment systems:

• ABN AMRO banking group

Connects to to the following Internet addresses:

• ***.61.128.204:6400

Communicates with the following Internet addresses:

• http://***iana9090v.dominiotemporario.com/configex.txt

Other activities

Modifies the system registry keys:

[ System registry hive HKEY_CURRENT_USERHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ] "Embedded Web Browser from: http://bsalsa.com/" = ""

Deletes the following system registry keys:

[ HKEY_CLASSES_ROOT\CLSID\{2E3C3651-B19C-4DD9-A979-901EC3E930AF} ]

[ HKEY_CLASSES_ROOT\CLSID\{3F888695-9B41-4B29-9F44-6B560E464A16} ]

[ HKEY_CLASSES_ROOT\CLSID\{9EC30204-384D-11D3-9CA3-00A024F0AF03} ]