TrojanSpy:Win32/Bancos.AMJ (file analysis)

TrojanSpy:Win32/Bancos.AMJ is flagged as malicious by many security vendors (see the detection list below). When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to fully scan and cure your PC during the trial period.
6-day free trial available.

What can the TrojanSpy:Win32/Bancos.AMJ virus do?

  • Executable code extraction
  • Injection with CreateRemoteThread in a remote process
  • Creates RWX memory
  • At least one IP Address, Domain, or File Name was found in a crypto call
  • Expresses interest in specific running processes
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
  • Reads data out of its own binary image
  • A process created a hidden window
  • The binary likely contains encrypted or compressed data
  • Uses Windows utilities for basic functionality
  • Detects Sandboxie through the presence of a library
  • Detects SunBelt Sandbox through the presence of a library
  • Code injection with CreateRemoteThread in a remote process
  • Tries to unhook or modify Windows functions monitored by Cuckoo
  • A system process is generating network traffic likely as a result of process injection
  • Installs itself for autorun at Windows startup
  • Exhibits behavior characteristics of Shifu malware
  • Attempts to identify installed analysis tools by a known file location
  • Detects Sunbelt Sandbox through the presence of a file
  • Detects VirtualBox through the presence of a file
  • Detects VMware through the presence of a file
  • Attempts to modify proxy settings
  • Attempts to modify browser security settings
  • Attempts to access Bitcoin/ALTCoin wallets
  • Attempts to create or modify system certificates
  • Creates a slightly modified copy of itself
  • Anomalous binary characteristics

How to identify TrojanSpy:Win32/Bancos.AMJ?

File Info:

crc32: E3693381
md5: d936dfade442b062da7148e96a2c0b80
name: D936DFADE442B062DA7148E96A2C0B80.mlw
sha1: 9a17c654743893095ffcf5fff129cfb27d125d68
sha256: 1d44247d3acf99bde5d440ddc94cde9fadf53f4f206c5ebcde24e97f8f04a8a6
sha512: 502b9ea7b8b24eeb7ba56601a80eb0550376ab7694661c04c8da177503d765be21c6609aad5189817e8365ef0cdfebdebfb743bc6ccd28ac32a8a712c78c04bd
ssdeep: 12288:oV42NhBh3i6CvtWpKM4S6rl3iSBRddbAdAThjdoI:OpBxiFhS6rllPddbA
type: PE32 executable (GUI) Intel 80386, for MS Windows

Version Info:

LegalCopyright: Copyright © 2004-2014 Procter & Gamble
InternalName: StarBought
CompanyName: Procter & Gamble
Comments: StarBought
ProductName: StarBought
ProductVersion: 2.2.3608.6943
FileDescription: StarBought
OriginalFilename: claimwarm.exe
Translation: 0x0409 0x04b0

TrojanSpy:Win32/Bancos.AMJ also known as:

  • Bkav: W32.AIDetect.malware1
  • K7AntiVirus: Spyware ( 0055e3db1 )
  • Elastic: malicious (high confidence)
  • DrWeb: BackDoor.Siggen.60034
  • Cynet: Malicious (score: 100)
  • CAT-QuickHeal: Ransom.Blocker.A4
  • ALYac: Gen:Variant.Mikey.17536
  • Cylance: Unsafe
  • Zillya: Trojan.Blocker.Win32.29437
  • Sangfor: Trojan.Win32.Save.a
  • CrowdStrike: win/malicious_confidence_80% (D)
  • Alibaba: TrojanSpy:Win32/Blocker.c9d817b8
  • K7GW: Spyware ( 0055e3db1 )
  • Cybereason: malicious.de442b
  • Symantec: ML.Attribute.HighConfidence
  • ESET-NOD32: Win32/Spy.Shiz.NCP
  • APEX: Malicious
  • Avast: Win32:Trojan-gen
  • Kaspersky: Trojan-Ransom.Win32.Blocker.hivu
  • BitDefender: Gen:Variant.Mikey.17536
  • NANO-Antivirus: Trojan.Win32.Blocker.dtoccm
  • MicroWorld-eScan: Gen:Variant.Mikey.17536
  • Tencent: Malware.Win32.Gencirc.10b6b330
  • Ad-Aware: Gen:Variant.Mikey.17536
  • Sophos: Mal/Generic-S
  • Comodo: Malware@#36d36hekz569y
  • BitDefenderTheta: Gen:NN.ZexaE.34670.Eq0@a0TT2Yji
  • VIPRE: Trojan.Win32.Generic!BT
  • TrendMicro: TROJ_FRS.0NA103C320
  • McAfee-GW-Edition: GenericRXFI-QT!D936DFADE442
  • FireEye: Generic.mg.d936dfade442b062
  • Emsisoft: Gen:Variant.Mikey.17536 (B)
  • SentinelOne: Static AI – Malicious PE
  • Jiangmin: Trojan/Blocker.oxt
  • Avira: HEUR/AGEN.1126405
  • Microsoft: TrojanSpy:Win32/Bancos.AMJ
  • Arcabit: Trojan.Mikey.D4480
  • AegisLab: Trojan.Win32.Blocker.tqNX
  • GData: Gen:Variant.Mikey.17536
  • TACHYON: Ransom/W32.Blocker.499712.B
  • AhnLab-V3: Trojan/Win32.ZBot.C930962
  • Acronis: suspicious
  • McAfee: GenericRXFI-QT!D936DFADE442
  • MAX: malware (ai score=100)
  • VBA32: TrojanRansom.Blocker
  • Malwarebytes: MachineLearning/Anomalous.100%
  • Panda: Trj/Genetic.gen
  • TrendMicro-HouseCall: TROJ_FRS.0NA103C320
  • Rising: Ransom.Blocker!8.12A (CLOUD)
  • Ikarus: Trojan-Spy.Agent
  • Fortinet: W32/Kryptik.EBTG!tr
  • AVG: Win32:Trojan-gen
  • Paloalto: generic.ml
  • Qihoo-360: Win32/TrojanPSW.Bancos.HgIASOoA

How to remove TrojanSpy:Win32/Bancos.AMJ?

TrojanSpy:Win32/Bancos.AMJ removal tool

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.