Win32/Spy.Banker [Threat Name]

Win32/Spy.Banker.ADYV [Threat Variant Name]

Category trojan
Size 835584 B
Detection created Jul 05, 2017
Detection database version 15696
Short description

Win32/Spy.Banker.ADYV is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan does not create any copies of itself.


The trojan is usually a part of other malware.


The trojan may install the following system drivers (path, name):

  • %windir%\system32\drivers\%variable1%.sys, %variable2%

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avast! Antivirus]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\avgwd]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AVG Antivirus]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BavSvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AntiVirService]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    • "AntiVirusDisableNotify" = 1
  • [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
    • "DisableNotificationCenter" = 1

A "Start" value of 4 is SERVICE_DISABLED, so the first six entries prevent the listed antivirus and Windows Defender services from starting on the next boot. The last two entries suppress the Security Center warning about a missing antivirus and the Notification Center, which would otherwise alert the user.

The trojan may delete the following files:

  • %windir%\system32\drivers\%variable1%.sys
  • %startup%\%variable3%.lnk
  • %appdata%\%variable4%

The trojan may delete the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
    • "%variable5%" = "%existingrecord%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable3%" = "%existingrecord%"

A string with variable content is used instead of %variable1-5%.


The trojan may execute the following commands:

  • bcdedit.exe /set testsigning Yes
  • schtasks.exe /Create /SC ONLOGON /TN "jFEs7TM3" /TR "%malwarecmdline%" /F /RL HIGHEST
  • schtasks.exe /Delete /TN "jFEs7TM3" /F
  • shutdown.exe -r -f -t 0

Enabling test signing makes kernel-mode code signing accept a driver signed with a self-issued test certificate, which is how the %variable1%.sys driver above can be loaded; the forced reboot is needed for the boot setting to take effect, and a "Test Mode" watermark then appears on the desktop. The ONLOGON task relaunches the malware with the highest privileges available to the user at every logon; the matching /Delete removes that task again.
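Detection logic for the installation sequence above, as an added example that is not part of the original page or of ESET's tooling: it runs over constructed Sysmon-style records (Event ID 1 process creation and Event ID 13 registry value set) and reports a host only when several of the listed behaviours co-occur, because a forced reboot or a single disabled service on its own is ordinary administration. The event field names, the helper names, the sample events and the hypothetical task path under /TR are assumptions.

```python
"""Offline triage of Win32/Spy.Banker.ADYV installation behaviour over
Sysmon-style events. Added example; event schema and samples are constructed."""
import re
from collections import defaultdict

# Services the write-up lists as forced to "Start" = 4 (SERVICE_DISABLED).
DISABLED_SERVICES = {
    "avast! antivirus", "avgwd", "avg antivirus", "bavsvc",
    "windefend", "antivirservice",
}
# Scheduled-task name taken from the schtasks command line in the write-up.
KNOWN_TASK_NAME = "jFEs7TM3"

SERVICE_START_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\services\\([^\\]+)\\Start$", re.I)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")  # Sysmon's DWORD rendering
BCDEDIT_RE = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*/set\b.*\btestsigning\s+(?:yes|on|true|1)\b", re.I)
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b", re.I)
TASKNAME_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
SHUTDOWN_RE = re.compile(
    r"\bshutdown(?:\.exe)?\b.*[-/]r\b.*[-/]f\b.*[-/]t\s+0\b", re.I)


def check_registry_event(target, details):
    """Classify one registry value-set event (Sysmon ID 13); None if benign."""
    m = DWORD_RE.search(details or "")
    value = int(m.group(1), 16) if m else None
    svc = SERVICE_START_RE.match(target)
    if svc and value == 4 and svc.group(1).lower() in DISABLED_SERVICES:
        return ("service_disabled", svc.group(1))
    low = target.lower()
    if low.endswith(r"\microsoft\security center\antivirusdisablenotify") and value == 1:
        return ("av_notify_disabled", target)
    if low.endswith(r"\policies\microsoft\windows\explorer\disablenotificationcenter") and value == 1:
        return ("notification_center_disabled", target)
    return None


def check_command(cmdline):
    """Classify one process-creation command line (Sysmon ID 1); None if benign."""
    if BCDEDIT_RE.search(cmdline):
        return ("test_signing_enabled", cmdline)
    if SCHTASKS_RE.search(cmdline):
        m = TASKNAME_RE.search(cmdline)
        name = m.group(1) if m else ""
        if name == KNOWN_TASK_NAME:
            return ("known_task_name", name)
        low = cmdline.lower()
        if re.search(r"/sc\s+onlogon", low) and re.search(r"/rl\s+highest", low):
            return ("elevated_logon_task", name)
    if SHUTDOWN_RE.search(cmdline):
        return ("forced_reboot", cmdline)
    return None


def assess(events, threshold=3):
    """Group findings per host; a host showing at least `threshold` distinct
    behaviour categories is reported as matching the installation pattern."""
    findings = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 13:
            f = check_registry_event(ev["TargetObject"], ev.get("Details", ""))
        elif ev["EventID"] == 1:
            f = check_command(ev["CommandLine"])
        else:
            f = None
        if f:
            findings[ev["Computer"]].append(f)
    verdicts = {}
    for host, fs in findings.items():
        cats = sorted({c for c, _ in fs})
        verdicts[host] = {"categories": cats, "findings": fs,
                          "matches_pattern": len(cats) >= threshold}
    return verdicts


# Constructed sample telemetry, not real events. The /TR path is hypothetical.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "EventID": 13,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\services\WinDefend\Start",
     "Details": "DWORD (0x00000004)"},
    {"Computer": "ws01", "EventID": 13,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\services\avgwd\Start",
     "Details": "DWORD (0x00000004)"},
    {"Computer": "ws01", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify",
     "Details": "DWORD (0x00000001)"},
    {"Computer": "ws01", "EventID": 1, "CommandLine": "bcdedit.exe /set testsigning Yes"},
    {"Computer": "ws01", "EventID": 1,
     "CommandLine": 'schtasks.exe /Create /SC ONLOGON /TN "jFEs7TM3" '
                    '/TR "C:\\Users\\u\\AppData\\Roaming\\upd.exe" /F /RL HIGHEST'},
    {"Computer": "ws01", "EventID": 1, "CommandLine": "shutdown.exe -r -f -t 0"},
    # Another host with only ordinary admin activity: one weak indicator.
    {"Computer": "ws02", "EventID": 1, "CommandLine": "shutdown.exe -r -f -t 0"},
    {"Computer": "ws02", "EventID": 13,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\services\Spooler\Start",
     "Details": "DWORD (0x00000004)"},
]

if __name__ == "__main__":
    for host, v in assess(SAMPLE_EVENTS).items():
        print(host, v["matches_pattern"], v["categories"])
```

The threshold is deliberately on the whole pattern rather than on any single command: the same `shutdown` line from a patch-management script produces only one weak category and stays below it, while the disable-AV, test-signing and persistence steps together cross it.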

Information stealing

Win32/Spy.Banker.ADYV is a trojan that steals sensitive information.


The trojan tries to appear to be a legitimate application.


The goal of the malware is to persuade the user to fill in/send sensitive personal information.


The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • user name
  • computer name
  • volume serial number
  • operating system version
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID] Registry subkeys
  • installed software
  • malware version

The trojan attempts to send gathered information to a remote machine. The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The TCP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • capture screenshots
  • shut down/restart the computer
  • simulate user's input (clicks, taps)
  • simulate mouse activity
  • manipulate application windows
  • send gathered information

The trojan hooks the following Windows APIs:

  • LdrLoadDll (ntdll.dll)

LdrLoadDll is the native loader routine that LoadLibrary and its variants end up calling, so a hook there lets the trojan observe and interfere with every user-mode DLL load in the hooked process.
