Description
[Grandoreiro](https://attack.mitre.org/software/S0531) is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. [Grandoreiro](https://attack.mitre.org/software/S0531) has confirmed victims in Brazil, Mexico, Portugal, and Spain.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)
External References
Techniques Used by This Malware
- T1010 — Application Window Discovery
- T1016 — System Network Configuration Discovery
- T1027.001 — Binary Padding
- T1027.011 — Fileless Storage
- T1027.013 — Encrypted/Encoded File
- T1033 — System Owner/User Discovery
- T1036.005 — Match Legitimate Resource Name or Location
- T1041 — Exfiltration Over C2 Channel
- T1056.001 — Keylogging
- T1057 — Process Discovery
- T1059.005 — Visual Basic
- T1070.004 — File Deletion
- T1071.001 — Web Protocols
- T1082 — System Information Discovery
- T1087.003 — Email Account
- T1102.001 — Dead Drop Resolver
- T1102.002 — Bidirectional Communication
- T1105 — Ingress Tool Transfer
- T1106 — Native API
- T1112 — Modify Registry
- T1115 — Clipboard Data
- T1124 — System Time Discovery
- T1140 — Deobfuscate/Decode Files or Information
- T1176.001 — Browser Extensions
- T1185 — Browser Session Hijacking
- T1189 — Drive-by Compromise
- T1204.001 — Malicious Link
- T1204.002 — Malicious File
- T1218.007 — Msiexec
- T1222.001 — Windows File and Directory Permissions Modification
- T1497.001 — System Checks
- T1518.001 — Security Software Discovery
- T1539 — Steal Web Session Cookie
- T1547.001 — Registry Run Keys / Startup Folder
- T1547.009 — Shortcut Modification
- T1548.002 — Bypass User Account Control
- T1555.003 — Credentials from Web Browsers
- T1562.001 — Disable or Modify Tools
- T1562.004 — Disable or Modify System Firewall
- T1566.002 — Spearphishing Link
- T1568.002 — Domain Generation Algorithms
- T1573.002 — Asymmetric Cryptography