Home / malware Infostealer.Kronbank
First posted on 18 January 2015.
Source: SymantecAliases :
There are no other names known for Infostealer.Kronbank.
Explanation :
When the Trojan is executed, it creates the following file:
%AppData%/Microsoft/[RANDOM CHARACTERS]/[RANDOM CHARACTERS].exe
The Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"[RANDOM CHARACTERS]" = "[RANDOM CHARACTERS]"
The Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"[RANDOM CHARACTERS]" = "[RANDOM CHARACTERS]"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%AppData%\Microsoft\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"{Random name}" = "%AppData%\Microsoft\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe"
The Trojan injects malicious code into popular web browsers in order to steal banking-related information from web pages.
The Trojan then sends the stolen information to the following remote locations:
[http://]managejave.myftp.org/upfornow/conne[REMOVED][http://]update43x.myvnc.com/upfornow/conne[REMOVED][http://]nonstop.serveminecraft.net/upfornow/conne[REMOVED]Last update 18 January 2015
