TrojanSpy.Win32.GRANDOREIRO.MLMA

 Analysis by: Leidryn Saludez

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

246742704 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

18 Oct 2023

Payload:

Collects system information, Connects to URLs/IPs, Modifies system registry

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy creates the following mutex to ensure that only one of its copies runs at any one time:

  • IntelWassing39

It terminates itself if it finds the following processes in the affected system's memory:

  • regmon.exe
  • filemon.exe
  • Wireshark.exe
  • ProcessHacker.exe
  • PCHunter64.exe
  • PCHunter32.exe
  • JoeTrace.exe
  • ResourceHacker.exe

Information Theft

This Trojan Spy gathers the following data:

  • Username
  • Computer Name
  • System Information
  • OS Name and Version
  • Hostname
  • Geolocation
  • IP Address
  • List of Installed Applications
  • List of Installed Antivirus
  • Date and Time of Execution

Other Details

This Trojan Spy does the following:

  • Before proceeding to its original routine, it compares the country code of the affected system against the following targeted countries:
    • GT - Guatemala
    • HN - Honduras
    • MX - Mexico
    • NI - Nicaragua
    • PA - Panama
    • SV - El Salvador
    • AR - Argentina
    • BO - Bolivia
    • BR - Brazil
    • EC - Ecuador
    • PE - Peru
    • PY - Paraguay
    • UY - Uruguay
    • VE - Venezuela
    • BB - Barbados
    • BS - Bahamas
    • DO - Dominican Republic
    • HT - Haiti
    • JM - Jamaica
    • KY - Cayman Islands
    • CH - Switzerland
    • IT - Italy
    • PL - Poland
    • UK - United Kingdom
    • FR - France
    • ES - Spain
    • IE - Ireland
  • Before proceeding to its original routine, it compares the hostname of the affected system against the following:
    • WIN-VUA6POUV5UP
    • JOHN-PC
    • WORK
  • Before proceeding to its original routine, it compares the OS name of the affected system against the following:
    • Windows XP
    • Windows Vista
    • Windows 7
    • Windows 8
    • Windows 10
    • Windows 11
  • This Trojan Spy connects to the following URL(s) to get the affected system's IP address:
    • http://{BLOCKED}i.com/json
  • It uses a Domain Generation Algorithm (DGA) to generate its C2 server.
  • It has keylogging capabilities.
  • It steals information from the following applications if found in the affected system:
    • Mail Client:
      • Microsoft Outlook
      • Software\Clients\Mail
    • Banking:
      • ACB Caribbean
      • Alliance Bank
      • Allied Bank
      • Atlantic Bank
      • Banco BISA
      • Banco Unión
      • Banco de Crédito
      • Banco Nacional
      • Banco Económico
      • Banco Ganadero
      • BNamericas
      • Banco Los Andes
      • Banco Mercantil
      • Banca por Internet
      • BMSC
      • BancoSol
      • Bank of Valletta
      • BBVA
      • Belize Bank
      • Butterfield Group
      • Caja de Ahorros
      • Choice Bank
      • CIBC
      • CIBC First Caribbean
      • Citibank
      • Credit Suisse
      • Davivienda
      • Doral Bank
      • e-Bandes
      • e-Bisa
      • FIMBank
      • HRCU Online Account
      • HSBC Malta
      • IIG Bank
      • Inicio
      • FISE
      • MEXC Exchange
      • Orco Bank
      • Provincia Casa Financiera
      • Raiffeisen-Gruppe
      • Republic Bank
      • RepublicOnline Corporate
      • Santander
      • Scotia Bank
      • Synchrony Bank
      • UBS E-Banking
    • Stocks:
      • Fortex
    • Cryptocurrency Wallet:
      • Armory
      • Atomic Wallet
      • Binance
      • Bisq
      • Bitbox
      • Bither
      • Blockstream
      • BTC-CORE
      • Coinomi
      • Daedalus
      • Electrum
      • Hotbit Global
      • Ledger
      • Monero
      • OPOLODesk
      • Trezor
      • Trust Wallet
      • WasabiWallet

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

18.768.05

FIRST VSAPI PATTERN DATE:

20 Oct 2023

VSAPI OPR PATTERN File:

18.769.00

VSAPI OPR PATTERN Date:

21 Oct 2023

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as TrojanSpy.Win32.GRANDOREIRO.MLMA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

