Sep 4, 2011

Banker Trojan



File source: http://eugeniagreco.sites.uol.com.br/71.jpg
MD5   : e8e39e0942ecfb36f7596059a959cfff
SHA1  : 8a19042485802635bd5f0d82ad4d5dd92eb04fe9
SHA256: 08f22da1804956a01bdfc0ce9a4857004b52be6e2236f3b4a126a7ed9422cbd7


This Trojan targets customers of the Spanish financial services provider Santander. It is downloaded onto the system disguised as a .jpg image. Once triggered it loads itself into memory and waits until the user either searches for the keyword "Internet Banking" in any search engine or visits https://www.santandernet.com.br/default.asp

As soon as the user opens that link or searches for that keyword, the Trojan pops up a fake login page like the one shown below.


It asks for the agency and account numbers for the Santander Internet Banking service. I entered a string of 1s for both the agency and the account number, as shown below.


A genuine site would reject this with "Invalid account information"; because this is a fake login page, you instead see a page like the one above, as if you had logged into a valid account. It then asks for the user name and password via a virtual keyboard.
Here too I entered a string of 1s as the user name and password, as shown above. In the background the Trojan contacts the remote IP 216.246.46.234 and sends all the captured login credentials to it.



Because I used only 1s for every field, the captured data (agency, account, user name and password) consists of 1s throughout. Along with the login credentials it sends the system's MAC address and OS information to the remote server.
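The indicators in this write-up (the dropper URL, the three file hashes and the credential-collection IP) are enough to build a simple hunt for infected hosts. The script below is an added example, not code from the original post: it hashes a file against the quoted digests, flags a ".jpg" whose bytes begin with a Windows PE header (an assumption that the disguised image is an executable, which the post implies but does not state), and scans a constructed, simplified proxy log for downloads of the dropper URL or traffic to 216.246.46.234. Visits to the real www.santandernet.com.br are deliberately not flagged, since that is exactly where the victims were going anyway.

```python
"""Indicator checks for the Santander banker Trojan described above.

Added example, not from the original post.  The indicators are the ones
quoted in the write-up; the log format and the sample bytes are constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

# Indicators quoted in the write-up.
C2_IP = "216.246.46.234"
DROPPER_URL = "http://eugeniagreco.sites.uol.com.br/71.jpg"
KNOWN_HASHES = {
    "md5": "e8e39e0942ecfb36f7596059a959cfff",
    "sha1": "8a19042485802635bd5f0d82ad4d5dd92eb04fe9",
    "sha256": "08f22da1804956a01bdfc0ce9a4857004b52be6e2236f3b4a126a7ed9422cbd7",
}
# The genuine bank site is normal traffic, not an indicator of infection.
LEGIT_HOSTS = {"www.santandernet.com.br"}


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known_sample(data: bytes) -> bool:
    """True if any digest of `data` equals a hash quoted in the post."""
    digests = hash_bytes(data)
    return any(digests[algo] == known for algo, known in KNOWN_HASHES.items())


def disguised_executable(name: str, data: bytes) -> bool:
    """Flag a file with an image extension whose bytes start with the PE 'MZ'
    header instead of JPEG's FF D8 marker.  Assumption: the dropped .jpg is a
    Windows executable, which the post implies but does not state outright."""
    return name.lower().endswith((".jpg", ".jpeg")) and data[:2] == b"MZ"


# Constructed, simplified proxy log format (hypothetical, not from the post):
#   <epoch> <client_ip> <method> <url> <content_type> <bytes>
LOG_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<ctype>\S+) (?P<bytes>\d+)$"
)

# Constructed sample: one host fetches the dropper and later posts to the C2,
# another host just visits the real bank site.
SAMPLE_LOG = """\
1315123456.1 192.168.1.10 GET http://eugeniagreco.sites.uol.com.br/71.jpg image/jpeg 81920
1315123500.5 192.168.1.11 GET https://www.santandernet.com.br/default.asp text/html 9981
1315123530.2 192.168.1.10 POST http://216.246.46.234/ text/html 312
"""


def scan_proxy_log(text: str) -> list:
    """Return (client, url, reason) for every log line touching an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        url = m.group("url")
        host = urlparse(url).hostname or ""
        if host in LEGIT_HOSTS:
            continue  # legitimate banking traffic
        if url == DROPPER_URL:
            findings.append((m.group("client"), url, "download of known dropper URL"))
        elif host == C2_IP:
            findings.append((m.group("client"), url, "traffic to credential-collection server"))
    return findings


if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}: {reason} ({url})")
    fake_jpg = b"MZ\x90\x00" + b"\x00" * 60  # constructed bytes, not the real sample
    print("disguised executable:", disguised_executable("71.jpg", fake_jpg))
    print("matches known hashes:", matches_known_sample(fake_jpg))
```

In practice the hash check would be run over files found on the suspect host, and the log scan over the real proxy or firewall export; the three indicator constants are the only part that needs to match the write-up.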


