PowerShell/Spy.Banker [Threat Name]

PowerShell/Spy.Banker.E [Threat Variant Name]

Category trojan
Size 15887 B
Detection created May 10, 2017
Detection database version 15392
Short description

PowerShell/Spy.Banker.E is a trojan that tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.

Information stealing

The trojan collects the following information:

  • computer name
  • operating system version
  • installed antivirus software
  • disk serial number (without spaces)
  • Microsoft .NET framework version
  • URLs visited

The trojan collects information related to the following applications:

  • G-Buster
  • Aplicativo Bradesco
  • Aplicativo Itaú
  • Trusteer Rapport

The collected information is stored in the following file:

  • %appdata%\Microsoft\Windows\Templates\log1.txt

Other information

The trojan runs the default Internet browser.

The trojan opens the following URLs:

  • https://www.bet365.com/

The trojan interferes with the operation of some security applications to avoid detection.

The trojan may execute the following commands:

  • msiexec.exe /x %AVGfolder%  /qn /norestart

The msiexec switches /x, /qn and /norestart perform a silent, non-interactive uninstall of the product referenced by %AVGfolder% (AVG security software), without prompting the user or rebooting.

The trojan is able to bypass User Account Control (UAC).

The trojan may create the following files:

  • %appdata%\Microsoft\Windows\Templates\logg.txt

The trojan contains a URL. It tries to download a file from that address.

The file is stored in the following location:

  • %programdata%\filea.dat

The file is then executed. The HTTP protocol is used in the communication.
