Trojan-Banker.Win32.Brasil_b9c21ff7ad

by malwarelabrobot on April 15th, 2017 in Malware Descriptions.

Trojan.Win32.Delf.abt (fs) (VIPRE), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: b9c21ff7ad4180f71e07e293b7fc1e0a
SHA1: 0eb4114ae4d16d23e84fa607a1e6c033e9bddfa7
SHA256: d80310025c4ae04b22b3c60f3d1d5170a7f1f79848b8907209c1d227528f5e4d
SSDeep: 12288:BEDi/pjXb8KWvvPtSeMvleMEWzihphThg4vVNcAwSuOSKtPY3:BmGG7v3wvjEpPAOsFn73
Size: 814858 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: InstallShield Software Corporation
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan-Banker creates the following process(es):
No processes have been created.
The Trojan-Banker injects its code into the following process(es):

%original file name%.exe:3628

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3628 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3628-0.jpg (80 bytes)

The Trojan-Banker deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3628-0.jpg (0 bytes)

Registry activity

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.2
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name: Cheat Engine Trainer
File Version: 1.8.0.0
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 607768 608256 4.53753 fcba1dfc4874dc9f659de6d703ec659c
DATA 614400 24464 24576 3.13319 15d9f678a700b204ab596362ed5d7773
BSS 638976 78637 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 720896 10014 10240 3.45124 dc9ee194ab8e0b4f0111836580d89e3e
.tls 733184 16 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 737280 24 512 0.143426 d69ea39a402aa00d8d09fd6a18a6b47a
.reloc 741376 38468 38912 4.6146 9b496131e325c12f81f74a6196189c59
.rsrc 782336 43072 43520 3.13817 281e14474e6e8c4ce9f3b4ef9fa5a5d2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
teredo.ipv6.microsoft.com 157.56.106.189
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan-Banker connects to the servers at the folowing location(s):

%original file name%.exe_3628:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
PasswordChar
OnKeyDown
OnKeyPresslHC
OnKeyUp
ssHorizontal
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
AutoHotkeysTvD
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState8xD
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
There was an error while trying to read the trainer. Or the file got changed(like a exe-compresser), or you're using an old unpatched version of win 95 or earlier
.undo
undefined hotkey
Kernel32.dll
PSAPI.dll
TProcessHandlerU
No kernel32.dll loaded
Failed to execute the dll loader
The injection thread took longer than 10 seconds to execute. Injection routine not freed
Failed executing the function of the dll
Addresses.TMP
Memory.TMP
variableType=%d
variablesize=%d
fastscanalignsize=%d
TScanController.firstScan
threadcount=%d
startaddress=%x
memRegionPos=%d
i: %d B=%x S=%x SA=%p
totalProcessMemorySize=%x (%d)
Allocating %xKB for previousMemoryBuffer
Splitting up the workload between %d threads
Blocksize = %x
Creating scanner %d
startregion = %d
stopregion = %d
startaddress = %x
stopaddress = %x
j = %d
leftfromprevious = %x
offsetincurrentregion = %x
maxregionsize = %x
TScanController.execute
Addresses.UNDO
Memory.UNDO
ScanController: Have set AddressFile.size to %d
ScanController: Writing results from scanner %d
ScanController: Freeing scanner %d
Wrong syntax. Include(filename.cea)
00000000
HotkeyHandler
ThotkeythreadS
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteA
comdlg32.dll
IMAGEHLP.DLL
winmm.dll
;&>/>6???
=!=*=6===
4!4%4)4-4145494K4c4y6}6
3 3$3(3,3034383<3@3
01T1a1
? ?$?(?,?0?4?
1-1P1X1u1}1
? ?,?8?<?[?
9-9O9l9}9
6}7K7
%1S1a1
= =$=(=,=0=
11S1~1
;);?;`;|;
=#='= =/=3=7=;=?=
6(6>6]6|6
8 8$8(8,8084888
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
,ProcessHandlerUnit
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Hotkey:
Lines.Strings
Mr_Gamer@HotMail.com
54875678
version="1.0.0.0"
<requestedExecutionLevel level="requireAdministrator"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
No help keyword specified.&Cannot change the size of a JPEG image
JPEG error #%d
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Value must be between %d and %d Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
!Cannot change the size of an icon$Unknown picture file extension (.%s)
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
ECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Ancestor for '%s' not found
Cannot assign a %s to a %s
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Integer overflow Invalid floating point operation
1.8.0.0
hXXp://VVV.cheatengine.org/


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan-Banker file.
  3. Delete or disinfect the following files created/modified by the Trojan-Banker:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3628-0.jpg (80 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet

x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now