“PWS-Banker!h2e” is a family of data-stealing Trojans that captures banking credentials such as account numbers and passwords from computer users. It then relays the captured information to the attacker. Most PWS-Banker!h2e variants target customers of Brazilian banks; some variants target customers of other banks.
Many PWS-Banker!h2e variants monitor open Web-browser windows for bank names in the title bar or bank URLs in the address bar. Many variants log keystrokes to record credentials that a user enters at banking Web sites. To assist in capturing banking credentials, Banker may also replace or supplement legitimate bank Web pages with illegitimate Web pages.
PWS-Banker!h2e variants use various means of sending captured banking credentials to the attacker, including sending an e-mail to the attacker, uploading credentials to an attacker's FTP site, and posting credentials to an attacker's HTTP site.
Many variants of PWS-Banker!h2e copy themselves to various folders on the infected computer, such as <Windows folder> and <system folder>, and also drop other files there.
Banker may also configure itself to run automatically each time Windows starts, for example by creating entries in registry keys such as HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
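The two persistence traits above (copies dropped into the Windows or system folder, and a Run-key entry pointing at them) can be triaged together. The script below is an added example for defenders, not part of this advisory; it assumes a Windows host with PowerShell and rights to read HKLM, lists every Run/RunOnce autostart entry, and flags the ones whose executable lives under the Windows folder.

```powershell
# Added example: enumerate Run/RunOnce autostart entries and flag those whose
# executable sits under the Windows folder, where this family drops its copies.
# Assumption: Windows host, PowerShell 5+, read access to HKLM and HKCU.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a command line, quoted or unquoted.
function Get-ExecutablePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')    { return $Matches[1] }
    return $null
}

$windir = [System.IO.Path]::GetFullPath($env:windir).TrimEnd('\')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds to registry items.
        if ($p.Name -like 'PS*') { continue }
        $exe = Get-ExecutablePath ([string]$p.Value)
        if (-not $exe) { continue }
        $exe = [System.Environment]::ExpandEnvironmentVariables($exe)
        $exists = Test-Path -LiteralPath $exe
        # Authenticode status helps separate Microsoft binaries from dropped files.
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
        [PSCustomObject]@{
            Key        = $key
            Name       = $p.Name
            Executable = $exe
            InWindows  = $exe.StartsWith($windir, [System.StringComparison]::OrdinalIgnoreCase)
            Signature  = $sigStatus
        }
    }
}
```

Pipe the output through `Where-Object { $_.InWindows -and $_.Signature -ne 'Valid' }` to narrow it to entries worth a closer look; legitimate Microsoft autostarts also live under the Windows folder, so the list is a triage aid, not a verdict.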
The commands below are used to obtain the host name, locale information, server name, server port number and host IP address from the infected machine.
The commands below are used to obtain the keyboard layout and to capture key events.
The memory strings below confirm that the Trojan may send information to the remote attacker.