BANKER

BANKER variants may arrive on a system via spammed email messages, or as a file dropped by other malware or unknowingly downloaded by the user when visiting malicious sites.

BANKER malware attempt to steal sensitive information, such as banking credentials and email account details. They employ info-stealing techniques, often times, phishing pages that mimic the official banking sites, to get a user’s bank information, such as user names, passwords, or card codes. The stolen information could then be sent to a predetermined email address, to drop zones in hosted servers or to a URL via HTTP post. The stolen information could also be used to automatically transfer money to a predetermined bank account.

The BANKER malware family is known for stealing account information from users of certain financial institutions. In 2011, BANKER malware became so prevalent that law enforcement agencies have issued a bulletin warning users about its existence.

Installation

This Trojan drops the following files:

• %Windows%\wnetsock08.dll
• %Windows%\Media\AuxImgDll.dll
• %Current%\AuxImgDll.dll
• %Current%\Emails.dat
• %Current%\upset1.dat

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following copies of itself into the affected system:

• %Windows%\Media\HPMedia.exe
• %Current%\{malware filename}_OLD.jmp

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{malware filename}.exe = "{malware path and filename}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
DrvStart = "%Windows%\Media\HPMedia.exe"

Other Details

This Trojan connects to the following possibly malicious URL:

• www.{BLOCKED}opliquidation.co.za
• www. {BLOCKED}ventos.com.br
• {BLOCKED}ncaprivativa.com.br
• http:// {BLOCKED}-10. {BLOCKED}d.com/CurrVer.txt
• http:// {BLOCKED}-10. {BLOCKED}i.com/config.txt
• http:// {BLOCKED}9-10{BLOCKED}d.com/CurrVer.txt
• http:// {BLOCKED}6. {BLOCKED}1.238.89/upd/AuxImgDll.dll
• http://www. {BLOCKED}nsurf.com.ar/n/upd/AuxImgDll.dll
• http:// {BLOCKED}-10. {BLOCKED}d.com/CurrVer.txt
• htt :// {BLOCKED}6. {BLOCKED}1.238.89/upd/crss7_V855.exe
• http://www. {BLOCKED}nsurf.com.ar/n/upd/crss7_V855.exe
• http:// {BLOCKED}-10. {BLOCKED}d.com/CurrVer.txt
• http:// {BLOCKED}6. {BLOCKED}1.238.89/upd/AuxImgDll.dll
• http://www. {BLOCKED}nsurf.com.ar/n/upd/AuxImgDll.dll
• http:// {BLOCKED}10. {BLOCKED}e.com/config.txt
• http:// {BLOCKED}teinformatica1. {BLOCKED}ecity.com/configs.jpg
• {BLOCKED}toneagles.net
• {BLOCKED}br.teliumhosting.com.br
• {BLOCKED}iadopovo.inf.br
• {BLOCKED}s-order.ru
• {BLOCKED}orldgames.com.br
• {BLOCKED}77. {BLOCKED}-oficial.ws
• {BLOCKED}s.net
• {BLOCKED}tphp.com
• {BLOCKED}fyuz.net
• {BLOCKED}logische-praxis-schuler.de
• {BLOCKED}emas.com
• {BLOCKED}ncaprivativa.com.br
• {BLOCKED}wopen.sitepessoal.com
• {BLOCKED}i.lycos.it
• {BLOCKED}unicaobr.com
• www. {BLOCKED}b. {BLOCKED}s.it
• www. {BLOCKED}ergy.com
• www. {BLOCKED}-book.ru
• www. {BLOCKED}fredericosp.com
• www. {BLOCKED}uca.net
• www. {BLOCKED}juridicovivo.adv.br
• www. {BLOCKED}a.com
• www. {BLOCKED}u.hu
• www. {BLOCKED}ventos.com.br
• www. {BLOCKED}l.com.br
• www. {BLOCKED}goforex.com
• www. {BLOCKED}video.nl
• www. {BLOCKED}taanet.com.br
• www. {BLOCKED}set.com
• www. {BLOCKED}t.fr
• www. {BLOCKED}-pictures.ch
• www. {BLOCKED}arwebmotorsltda.com
• www. {BLOCKED}ly.com
• www. {BLOCKED}decidadania.org
• www. {BLOCKED}i.com.br
• www. {BLOCKED}ndo.info
• www. {BLOCKED}obirindelli.com.br
• www. {BLOCKED}ferre.pessoal.ws
• www. {BLOCKED}design.co.kr
• www. {BLOCKED}ejomusicas.com
• www. {BLOCKED}x.com.br
• www. {BLOCKED}zz.com
• www. {BLOCKED}k.com
• www. {BLOCKED}wushu.at
• www. {BLOCKED}floralameda.com
• www. {BLOCKED}cartao766.web.br.com
• www. {BLOCKED}fdance.msk.ru
• www. {BLOCKED}e.com