Trojan-Banker.Win32.Banbra


1. What is Trojan-Banker.Win32.Banbra?

Trojan-Banker.Win32.Banbra is a Trojan designed to steal online banking details. It enters the PC quietly and then downloads further malicious files from the Internet. It harvests financial data such as credit card numbers and online banking credentials by taking screenshots of the user's activity. Because it also downloads additional components, it poses a severe risk to the security of the infected computer.

 

a. File System Modifications

         %AppData%\36383.js

         %AppData%\hotfix.exe [file and pathname of the sample #1]

         %AppData%\srsf.bat 

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.


b. Memory Modifications

       The following new processes were created in the system:

Process Name                  Process Filename                      Main Module Size
[filename of the sample #1]   [file and pathname of the sample #1]  3,796,992 bytes
hotfix.exe                    %AppData%\hotfix.exe                  3,796,992 bytes

c. Registry Modifications

  •  The following Registry Key was created:
    o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

     
  • The newly created Registry Values are:
    o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    + WarnOnPost = 0x00000000
    + WarnOnZoneCrossing = 0x00000000
    + WarnOnPostRedirect = 0x00000000
    + WarnonBadCertRecving = 0x00000000

    Setting these four values to zero silences Internet Explorer's prompts when form data is submitted to an unencrypted site (WarnOnPost) or redirected (WarnOnPostRedirect), when the browser moves between security zones (WarnOnZoneCrossing) and when a server presents an invalid certificate (WarnonBadCertRecving), so the user sees no warning while credentials are captured.

    o [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    + Shell = "%AppData%\hotfix.exe"

    A per-user Shell value under Winlogon is used as that user's logon shell, so hotfix.exe runs every time the user logs on to Windows.

     
  •  The following Registry Value was deleted:
    o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    + WarnOnPost = 01 00 00 00   (the original REG_BINARY value, replaced by the DWORD zero listed above)
     

d. Other details

  • The following port was open in the system:

    Port   Protocol   Process
    1053   UDP        [file and pathname of the sample #1]

  • An attempt to establish a connection with a remote host was registered. The connection details are:

    Remote Host       Port Number
    85.234.191.174    80

  • The data identified by the following URL was then requested from the remote web server:

    • http://85.234.191.174/zz.php?id=t_a_d_01
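
The indicators in section 1 can be checked offline without touching a live host. The following script is an added example, not part of this writeup or of the Sax2 product: it parses a `reg export` style dump, an %AppData% directory listing and proxy log lines, and reports which of the file, registry and network indicators above are present. The sample dump, listing and log lines are constructed for illustration, and the proxy log format (time, client, method, URL) is an assumption.

```python
"""Offline triage against the Banbra indicators listed in section 1.

Added example (not from the writeup or the Sax2 product). All sample
inputs below are constructed for illustration.
"""
import re

# Indicators copied from section 1 of the writeup.
C2_HOST = "85.234.191.174"
C2_PATH_RE = re.compile(r"/zz\.php\?id=")
DROPPED_FILES = {"36383.js", "hotfix.exe", "srsf.bat"}
WARN_VALUES = ("WarnOnPost", "WarnOnZoneCrossing",
               "WarnOnPostRedirect", "WarnonBadCertRecving")
WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POLICY_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value_text}} from a .reg dump.

    Handles only [key] headers and "name"=value lines (no multi-line
    hex continuations), which is enough for the indicators here.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip()
    return keys


def _is_zero(raw):
    """True for a DWORD 0 or a 4-byte REG_BINARY of zeros in .reg syntax."""
    raw = raw.lower().replace(" ", "")
    return raw in ("dword:00000000", "hex:00,00,00,00")


def check_registry(keys):
    """Registry findings matching section 1c."""
    findings = []
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "")
    # A clean profile has no per-user Shell value; anything other than
    # explorer.exe replaces the desktop shell at logon.
    if shell and "explorer.exe" not in shell.lower():
        findings.append("HKCU Winlogon Shell overridden: " + shell)
    inet = keys.get(INET_KEY, {})
    for name in WARN_VALUES:
        if name in inet and _is_zero(inet[name]):
            findings.append("IE security prompt disabled: " + name)
    if POLICY_RUN_KEY in keys:
        findings.append("Policies\\Explorer\\Run key present")
    return findings


def check_appdata_listing(names):
    """Dropped-file names from section 1a found in an %AppData% listing."""
    return sorted(DROPPED_FILES & {n.lower() for n in names})


def check_proxy_log(lines):
    """URLs matching the C2 host or check-in path from section 1d.

    Assumed (constructed) line format: <time> <client> <method> <url>.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and (C2_HOST in parts[3] or C2_PATH_RE.search(parts[3])):
            hits.append(parts[3])
    return hits


# Constructed sample inputs reproducing the writeup's observations.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\user\\Application Data\\hotfix.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPost"=dword:00000000
"WarnOnZoneCrossing"=dword:00000000
"WarnOnPostRedirect"=dword:00000000
"WarnonBadCertRecving"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"""
SAMPLE_APPDATA = ["desktop.ini", "HOTFIX.EXE", "srsf.bat", "36383.js"]
SAMPLE_PROXY_LOG = [
    "10:15:01 10.0.0.12 GET http://www.example.com/index.html",
    "10:15:07 10.0.0.12 GET http://85.234.191.174/zz.php?id=t_a_d_01",
    "10:16:30 10.0.0.44 GET http://www.example.org/news",
]


def triage(reg_text=SAMPLE_REG, appdata=SAMPLE_APPDATA, proxy=SAMPLE_PROXY_LOG):
    """Run all three checks and return the findings per indicator class."""
    return {
        "registry": check_registry(parse_reg_export(reg_text)),
        "files": check_appdata_listing(appdata),
        "network": check_proxy_log(proxy),
    }


if __name__ == "__main__":
    for section, items in triage().items():
        print(section)
        for item in items:
            print("  -", item)
```

On a real case, feed `reg export HKCU hkcu.reg` output, a `dir %AppData%` listing and your proxy's access log into the three check functions; the Shell check deliberately flags any per-user Shell value that is not explorer.exe, since the exact dropped path varies between samples.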

 

2. How-to's

a. Keep the Sax2 policy knowledge base up to date. Once Sax2 detects the communication of these Trojans it will break the connection and protect your network and business.

b. How to Remove Trojan-Banker.Win32.Banbra Manually?

Step 1: The files and directories associated with Trojan-Banker.Win32.Banbra.ukb to be deleted are listed below. All of them lie inside the Bulk Image Downloader installation folder under %ProgramFiles%, so confirm on the affected host that they were created by the infection rather than by a legitimate installation of that application before deleting them:
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS
%ProgramFiles%\Bulk Image Downloader\locale\uk\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\uk
%ProgramFiles%\Bulk Image Downloader\locale\tr\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\tr
%ProgramFiles%\Bulk Image Downloader\locale\sv\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\sv
%ProgramFiles%\Bulk Image Downloader\locale\sr\lc_messages
%ProgramFiles%\Bulk Image Downloader\locale\sr
%ProgramFiles%\Bulk Image Downloader\locale\sk\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\sk

Step 2: The registry entries of Trojan-Banker.Win32.Banbra.ukb that need to be removed are listed below. As in Step 1, many of these keys belong to the Bulk Image Downloader application, so verify them before deleting. For the sample analysed in section 1, also delete the Shell value added under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, re-enable the four WarnOn* values under Internet Settings, and remove the three files dropped in %AppData%:
HKEY_CURRENT_USER\Software\Javasoft\Ex
HKEY_CURRENT_USER\Software\Javasoft
HKEY_CURRENT_USER\Software\Antibody Software\Bulk Image Downloader
HKEY_CURRENT_USER\Software\Antibody Software
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BID Link E&xplorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BI&D
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open &link target with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Enqueue link tar&get with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\En&queue current page with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\Old_Current
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bulk Image Downloader_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloader\shell\open\command

c. How to Remove these Trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.

 

3. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm