A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#27336 by hexlax
Sun Nov 29, 2015 6:23 pm
Hi, newbie here! I thought I would share this recent campaign regarding the Bancos banking trojan. I was first alerted to this campaign by @malware_traffic:
https://twitter.com/malware_traffic/sta ... 5954755584

The spammed links were geo-sensitive, that is, they would only download a ZIP archive containing malware if you were visiting from a Brazilian source IP address. The malware dropped was this "C0RREIO-ANEX0-0030560897000833025520000.zip":
https://www.virustotal.com/en/file/a462 ... /analysis/
This ZIP archive contains a Win32 executable which downloads the 2nd-stage malware from:

hXXp://54.233.124_202/documentos/foxbr_zip

The 2nd-stage ZIP archive also contains a Win32 executable, "cent.exe", which is the Bancos trojan malware.
https://www.virustotal.com/en/file/e795 ... /analysis/

I noticed a C2 check-in for this malware (might also be geo-restricted?):
hXXp://54.152.32_227/enoses/notify_php
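Added example, not part of hexlax's post: a small Python script that turns the two defanged indicators above (the stage-2 download URL and the C2 check-in URL) back into real URLs and runs them as a detection over proxy log lines. The refanging rules (hXXp = http, "_" in the host = ".", "_" before the file extension = ".", so foxbr_zip = foxbr.zip) are my reading of the post's defanging style, and the proxy log lines and the log format are constructed for the example, not taken from the post.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as defanged in the post above.
DEFANGED_IOCS = [
    "hXXp://54.233.124_202/documentos/foxbr_zip",  # stage-2 download
    "hXXp://54.152.32_227/enoses/notify_php",      # C2 check-in
]


def refang(url):
    """Reverse the defanging style used in the post.

    Assumptions (not spelled out in the post): 'hXXp' stands for 'http',
    '_' inside the host replaces '.', and a '_' before the file extension
    in the last path segment also replaces '.' (foxbr_zip -> foxbr.zip).
    """
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    url = url.replace("[.]", ".").replace("[:]", ":")
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    host = host.replace("_", ".")
    segments = path.split("/")
    segments[-1] = re.sub(r"_(\w+)$", r".\1", segments[-1])
    return f"{scheme}://{host}/" + "/".join(segments)


def build_iocs(defanged):
    """Map each refanged URL to its (host, path) for matching."""
    iocs = {}
    for d in defanged:
        u = refang(d)
        p = urlparse(u)
        iocs[u] = (p.hostname, p.path)
    return iocs


# Constructed sample proxy log (not from the post):
# unix_ts client_ip method url status bytes
SAMPLE_LOG = """\
1448821390.112 10.0.3.17 GET http://54.233.124.202/documentos/foxbr.zip 200 812344
1448821391.004 10.0.3.17 GET http://www.example.com/index.html 200 5120
1448821455.771 10.0.3.17 POST http://54.152.32.227/enoses/notify.php 200 312
1448821460.002 10.0.3.22 GET http://54.233.124.202/ 403 0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<size>\d+)$"
)


def scan_log(text, iocs):
    """Match each log line against the IOC set.

    An exact URL match is reported as a 'url' hit. Any other request to an
    IOC host is reported as a weaker 'host' hit; it is still worth a look,
    since the post notes the download and the check-in may only succeed
    for some clients, so a non-200 response is not proof of a clean host.
    Returns a list of (client_ip, hit_type, url, status).
    """
    hosts = {h for h, _ in iocs.values()}
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected format
        url = m["url"]
        if url in iocs:
            hits.append((m["client"], "url", url, int(m["status"])))
        elif urlparse(url).hostname in hosts:
            hits.append((m["client"], "host", url, int(m["status"])))
    return hits


if __name__ == "__main__":
    iocs = build_iocs(DEFANGED_IOCS)
    for u in iocs:
        print("watching:", u)
    for client, kind, url, status in scan_log(SAMPLE_LOG, iocs):
        print(f"{client} {kind:4} {status} {url}")
```

The host-level match is the useful part: a client that only ever got a 403 from 54.233.124.202 still tried to reach the stage-2 server, which is exactly the kind of geo-fenced miss the post describes.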