Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Bancos


Destructivity Unknown UNKNOWN
Payload Steal information
Detection files published
Description created 10 Mar 2010 01:36:00
Description updated 10 Mar 2010 01:36:00
Malware type TROJAN
Alias Trojan-Banker.Win32.Bancos (Kaspersky)
PWS-Banker.gen (McAfee)
Infostealer.Bancos (Symantec)
Trojan Spy: Win32/Bancos (Microsoft)
Spreading mechanism EMAIL



The trojan might disguise itself as a Browser Helper Object by injecting into the browser, and might have the capability of intercepting information that is entered on a web page before it is encrypted by SSL and sent out. A Bancos trojan running a layered service provider (LSP) for monitoring all network traffic can result in disclosure of private information, which in turn can even lead to identity theft. Scripts running on browsers can redirect the user to ’bait’ or impersonated web pages feigning to be real (phishing), and trick the user into revealing valuable credentials. Other possibilities are keylogging, screen captures, spoofing and harvesting.
After execution the malware runs in memory. It also creates a run entry in the registry to start when the host system is restarted. There are variants that hook the browsers and monitor URLs accessed by the user, after which the collected information is passed on to the hacker. They also access SMTP to send/receive information and create mutex JhonsonVIP or Ha3ud9Y3.

Payload Details

Bancos is a family of trojans which captures and steals the user’s online banking credentials such as account numbers and passwords. The trojan primarily monitors accessed URLs and keystrokes.


[ DetectionInfo ] * Sandbox name: W32/Malware * Signature name: NOT_SCANNED * Compressed: YES * TLS hooks: YES * Executable type: Application * Executable file structure: OK * Filetype: PE_I386 [ General information ] * Drops files in %WINSYS% folder. * File length: 2292878 bytes. * MD5 hash: 2c54d75d7aaba4d3cd5d427d019ca5e2. [ Changes to filesystem ] * Creates file C:\WINDOWS\SYSTEM32\Exec32.exe. [ Changes to registry ] * Accesses Registry key "HKCU\Software\Borland\Locales". * Accesses Registry key "HKLM\Software\Borland\Locales". * Accesses Registry key "HKCU\Software\Borland\Delphi\Locales". * Creates value "Exec32"="C:\WINDOWS\SYSTEM32\Exec32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run". * Accesses Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion". [ Network services ] * Looks for an Internet connection. * Connects to "" on port 25 (IP). * **Connects SMTP server. [ Spreading through EMail ] * To : <REMOVED>. * From : <REMOVED> * Subject: =?I. * Mass-mailer; spreads through SMTP. [ Process/window information ] * Creates a mutex JhonsonVIP. * Will automatically restart after boot (I"ll be back...). Or * Creates a mutex Ha3ud9Y3. * Creates a COM object with CLSID {FCFB3D23-A0FA-1068-A738-08002B3371B5} : VBRuntime. * Creates a COM object with CLSID {E93AD7C1-C347-11D1-A3E2-00A0C90AEA82} : VBRuntime6.



Last Updated: 12 Nov 2015 11:06:15