Win32/Spy.Banker [Threat Name]

Win32/Spy.Banker.ACYH [Threat Variant Name]

Category trojan
Size 1572864 B
Detection created Apr 01, 2016
Detection database version 13269
Aliases Trojan:Win32/Dynamer!ac (Microsoft)

Short description

Win32/Spy.Banker.ACYH is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself to the following locations:

  • %temp%\jpg.exe
  • C:\Documents and Settings\All Users\Menu Iniciar\Programa\Inicializar\jpg.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Mircosoft\Windows\CurrentVersion\Run]
    • "jpg" = "%temp%\jpg.exe"

The trojan creates the following files:

  • %temp%\c
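
A host-side check for the file and Registry indicators listed above, as an added example that is not part of the original description or of any vendor tooling. The function name is hypothetical, and checking the standard `Software\Microsoft` Run key in addition to the key as printed on this page is an assumption.

```powershell
# Added example: reports which of this page's indicators exist for the current user.
# Get-BankerAcyhIndicator is a hypothetical name; indicator values come from the page.
function Get-BankerAcyhIndicator {
    $pageSize = 1572864                       # bytes, the "Size" field on the page
    $dropped  = Join-Path $env:TEMP 'jpg.exe'
    $hits     = @()

    # Self-copies (size is comparable) and the extra file the trojan creates.
    $files = @(
        @{ Path = $dropped; IsCopy = $true },
        @{ Path = 'C:\Documents and Settings\All Users\Menu Iniciar\Programa\Inicializar\jpg.exe'; IsCopy = $true },
        @{ Path = (Join-Path $env:TEMP 'c'); IsCopy = $false }
    )
    foreach ($f in $files) {
        if (-not (Test-Path -LiteralPath $f.Path -PathType Leaf)) { continue }
        $len    = (Get-Item -LiteralPath $f.Path -Force).Length
        $detail = "size=$len"
        if ($f.IsCopy) { $detail += ", matches page size: $($len -eq $pageSize)" }
        $hits += [pscustomobject]@{ Type = 'File'; Location = $f.Path; Detail = $detail }
    }

    $runKeys = @(
        'HKCU:\Software\Mircosoft\Windows\CurrentVersion\Run',   # spelled as printed on the page
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # assumption: the standard Run key
    )
    # Properties that the registry provider adds to every result object.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        if ($null -eq $values) { continue }   # key exists but holds no values
        foreach ($v in $values.PSObject.Properties) {
            if ($meta -contains $v.Name) { continue }
            # REG_SZ data may hold a literal %temp%; expand it before comparing.
            $data = [Environment]::ExpandEnvironmentVariables([string]$v.Value).Trim('"')
            if ($v.Name -eq 'jpg' -or $data -eq $dropped) {
                $hits += [pscustomobject]@{ Type = 'RunValue'; Location = "$key\$($v.Name)"; Detail = $data }
            }
        }
    }
    $hits
}

Get-BankerAcyhIndicator | Format-List
```

The check covers only the profile of the user who runs it, because both `%temp%` and `HKEY_CURRENT_USER` are per-user.
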

Information stealing

The trojan collects sensitive information when the user browses certain web sites.


The following information is collected:

  • credit card information

The trojan collects various information when the user is accessing the following sites:

  • http://www.hsbc.com.br/
  • https://www.hipercard.com.br/pf/index.html
  • https://www.itau.com.br/

It also monitors windows with any of the following strings in the name:

  • Serviços Financeiros Pessoa Física | HSBC Brasil
  • Home PF - Hipercard
  • Banco Itaú - Feito Para Você

The trojan attempts to send gathered information to a remote machine.


The trojan sends the information via e-mail.


The trojan may display the following fake dialog boxes:

Other information

The following programs are terminated:

  • taskmgr.exe
  • aplicativoitau.exe
