| Malware name | Trojan.Spy.Banker.AATZ |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 9CF6DCDBE0F2D16822640CCDE85E6C60 |
| Static file | yes |
| Filesize | 976,384 Bytes |
| Alias names (also known as) | |
| Side effects | Drops files; drops malicious files |
| Propagation | No own spreading routine |

Description:
Files
The following files are created:
– Non-malicious files:
• %SYSDIR%\c__2303.nls
• %SYSDIR%\c__34895.nls
• %SYSDIR%\c__374.nls
• %SYSDIR%\c__0593.nls
• %SYSDIR%\c__23732.nls
• %SYSDIR%\c__10983.nls
• %SYSDIR%\c__3478.nls
• %SYSDIR%\c__3479.nls
• %SYSDIR%\c__3480.nls
• %SYSDIR%\c__3481.nls
– %SYSDIR%\amp.ini This is a non-malicious text file with the following content:
• A01
– %SYSDIR%\msupdate.dll Further investigation showed that this file is also malware. Detected as:
– %SYSDIR%\msiesetup.exe It is executed after it has been fully created. Further investigation showed that this file is also malware. Detected as:
– %WINDIR%\setup.cmd Further investigation showed that this file is also malware. Detected as: Script.Banker.AATZ
File details
Programming language:
The malware program was written in Delphi.