{"id":2632,"date":"2024-09-25T19:07:53","date_gmt":"2024-09-25T19:07:53","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2632"},"modified":"2025-07-29T05:56:12","modified_gmt":"2025-07-29T05:56:12","slug":"spybanker-downloader-congratulations-you-just-pwned-yourself","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/spybanker-downloader-congratulations-you-just-pwned-yourself\/","title":{"rendered":"SpyBanker Downloader \u2013 congratulations, you just pwned yourself"},"content":{"rendered":"
\n
\"SpyBanker<\/figure>\n<\/div>\n\n\n

Overview<\/strong>

While most of the malware campaigns we\u2019ve covered rely on \u2018spray-and-pray\u2019 phishing campaigns to exploit known vulnerabilities, some attackers prefer the human touch \u2013 social engineering. At a high level, this involves manipulating a victim\u2019s behaivour so they take a certain course of action or divulge a particular piece of information. 

One such campaign involves the SpyBanker downloader. This is a banking trojan which steals personal data like computer name, OS installed, antivirus, and banking details then aims to download further malware on the victim\u2019s device. 

Delivery<\/strong>

In past SpyBanker campaigns, such as a particularly successful 2015 foray into Brazil<\/a>, the downloader spread through social media platforms, offering people coupons or other free products if they clicked on a bit[.]ly URL. It should come as no surprise that instead of free stuff, the other side of these URLs offered only the SpyBanker payload. This reliance on exploiting human behaivour means the attackers didn’t need to rely on specific system vulnerabilities \u2013 once SpyBanker Downloader is on a victim\u2019s computer, the hackers can just about do as they please.

File Details<\/strong><\/p>\n\n\n\n

File Name<\/td>doc_boleto_9876245138.exe<\/td><\/tr>
File Type  <\/td>PE (Portable Executable) file<\/td><\/tr>
MD5 hash<\/td>ac33bb9b18a9980e8e7a5e275a98ba42<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static Analysis <\/strong>

SpyBanker has the ability to get command line access using \u201cGetCommandLineW\u201d, check all file attributes 

(permissions surrounding read, write, and execute) using \u201cGetFilesAttributesW\u201d, check file size using \u201cGetFileSize\u201d, and obtain startup information using \u201cGetStartupInfoW\u201d.

Static analysis also uncovered the malware’s ability to access the internet using \u201cInternetOpenUrlW\u201d, \u201cInternetOpenW\u201d, and \u201cInternetReadFile\u201d, its file dropping properties using \u201cWriteFile\u201d, and its ability to scan the target system for virtual machines using \u201cvirtualAlloc\u201d. 

ts full attributes are shown below:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

    

Dynamic Analysis <\/strong>        
<\/p>\n\n\n\n

Upon execution, SpyBanker Downloader establishes a connection with the IP address \u201c138.197.179.85:80\u201d \u2013 as shown below:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u00a0This IP is known to host malware content:
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

When the above IP is contacted, another file (\u201c01.zip\u201d) is dropped onto the system. In this instance, the malware is a variant of the Zusy banking trojan. \u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The zip file is installed in the following location: C:\\Documents and Settings\\Administrator\\Application Data\\rAmyK16tYN\\01.zip

This sample made the following registry entries:

HKU\\S-1-5-21-1614895754-1767777339-1801674531-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\f: “%appdata%\\1”

HKU\\S-1-5-21-1614895754-1767777339-1801674531-500\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache\\C:\\Documents and Settings\\Administrator\\Desktop\\doc_boleto_9876245138.exe: “doc_boleto_9876245138”

HKU\\S-1-5-21-1614895754-1767777339-1801674531-500\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache\\@shell32.dll,-21765: “Application Data”

Indicators of Compromise (IOCs)<\/strong>

In this SpyBanker sample, the IP address \u201c138.197.179.85:80\u201d was responsible for downloading the actual spyware, indicating the location of its Command and Control server.

Other indicators include:<\/p>\n\n\n\n

File Name<\/td>01.zip<\/td><\/tr>
MD5 hash<\/td>7f59a29694ab2e718fe2b65cf6ce9ada<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Conclusion<\/strong>

Inboxes aren\u2019t the only avenue through which attackers will try to infect you. SpyBanker downloader most frequently spreads via social media<\/a> posts offering either free stuff or vouchers. Once the downloader is installed on the device, the attacker is free to do as they please. Because this relies on the victim installing it on their computer, even if you\u2019re completely patched you\u2019ve just handed over total access to your computer. 

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Overview While most of the malware campaigns we’ve covered rely on ‘spray-and-pray’ phishing campaigns to exploit known vulnerabilities, some attackers prefer the human touch – social engineering. At a high level, this involves manipulating a victim’s behaivour so they take a certain course of action or divulge a particular piece of information.  One such campaign […]<\/p>\n","protected":false},"author":1,"featured_media":2640,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2632"}],"version-history":[{"count":6,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2632\/revisions"}],"predecessor-version":[{"id":4299,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2632\/revisions\/4299"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2640"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}