Threat behavior
TrojanSpy:Win32/Banker.VB is a trojan that captures user-entered sensitive information such as online banking account credentials and access codes, personal information and other sensitive data. The trojan may monitor incoming e-mail messages.
Installation
This trojan may be installed by other malware and may be present as a file named "winnt7.exe" or similar. Once run, it remains resident in memory and waits for the user to connect to an online payment website through a Brazilian software application.
Payload
Downloads data
The trojan connects to the domain "captx01.hpg.com.br" to download instructions, which can include an attacker e-mail address or other details for the trojan to use. In the wild, this trojan has also been observed connecting to the domain "re2.voegol.com.br".
Sends captured sensitive information
The trojan may send captured sensitive information to a remote attacker. Captured information can include online banking account credentials and access codes, personal information and other sensitive data, as well as files from the local computer. The trojan may monitor incoming e-mail messages.
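The indicators this entry lists (the dropped file name and the two domains) are enough to build a simple hunt. The Python below is an added example and is not part of the original entry: it runs over constructed process-creation and proxy log lines in hypothetical formats, matches host names exactly rather than by substring (so a look-alike such as "captx01.hpg.com.br.evil.example" does not fire), and raises confidence only when the file indicator and a network indicator appear on the same machine. A match on a single indicator is a lead to investigate, not a verdict, since file names can collide and a domain can carry unrelated traffic.

```python
import re
from urllib.parse import urlparse

# Indicators as listed in the encyclopedia entry above.
DROPPED_FILE_NAMES = {"winnt7.exe"}
C2_DOMAINS = {"captx01.hpg.com.br", "re2.voegol.com.br"}

# Constructed sample logs in hypothetical formats (not taken from the page).
# Process-creation lines: key=value fields, image path may contain spaces.
PROCESS_LOG = """2024-05-01T10:00:01Z host=WS01 event=ProcessCreate image=C:\\Windows\\explorer.exe pid=1200
2024-05-01T10:00:07Z host=WS01 event=ProcessCreate image=C:\\Users\\ana\\AppData\\Local\\Temp\\winnt7.exe pid=3410 parent_pid=1200
2024-05-01T10:02:30Z host=WS02 event=ProcessCreate image=C:\\Program Files\\Notepad++\\notepad++.exe pid=777
"""

# Proxy lines: epoch, reporting host, client IP, method, URL, status.
PROXY_LOG = """1714557615.120 WS01 10.0.0.11 GET http://captx01.hpg.com.br/cfg.txt 200
1714557640.455 WS01 10.0.0.11 GET http://re2.voegol.com.br/ 200
1714557700.001 WS02 10.0.0.12 GET http://www.example.com/ 200
1714557712.872 WS03 10.0.0.13 GET http://captx01.hpg.com.br.evil.example/ 404
"""

# Lazy match on the image path stops at the first " pid=" field.
_PROCESS_RE = re.compile(r"host=(?P<host>\S+) .*?image=(?P<image>.*?) pid=")


def find_process_hits(log):
    """Return process-creation lines whose image file name is a known dropped name."""
    hits = []
    for line in log.splitlines():
        m = _PROCESS_RE.search(line)
        if not m:
            continue
        image = m.group("image")
        # Compare only the base name, case-insensitively (Windows paths).
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILE_NAMES:
            hits.append({"host": m.group("host"), "indicator": name, "image": image})
    return hits


def find_network_hits(log):
    """Return proxy lines whose URL host name exactly equals a listed domain."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        reporting_host, url = fields[1], fields[4]
        # urlparse gives the host component only, so a suffix-padded look-alike
        # or a path containing the domain string does not match.
        fqdn = (urlparse(url).hostname or "").lower().rstrip(".")
        if fqdn in C2_DOMAINS:
            hits.append({"host": reporting_host, "indicator": fqdn, "url": url})
    return hits


def correlate(process_hits, network_hits):
    """Map each machine to a confidence level: 'high' when both indicator
    kinds are present on it, 'medium' when only one kind is."""
    kinds_by_host = {}
    for h in process_hits:
        kinds_by_host.setdefault(h["host"], set()).add("file")
    for h in network_hits:
        kinds_by_host.setdefault(h["host"], set()).add("network")
    return {host: ("high" if len(kinds) == 2 else "medium")
            for host, kinds in kinds_by_host.items()}


if __name__ == "__main__":
    proc = find_process_hits(PROCESS_LOG)
    net = find_network_hits(PROXY_LOG)
    for host, confidence in correlate(proc, net).items():
        print(f"{host}: {confidence}")
```

Only the machine that both ran the dropped file and reached a listed domain is rated high; the proxy line for the look-alike host produces no hit at all because the comparison is on the parsed host name, not on the raw URL text.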
Analysis by Patrik Vicol
Prevention