Labs - Malware Analysis

VADOKRIST: Banking malware targeting Brazilian entities

Written by David García | Feb 17, 2021 11:55:48 AM

Vadokrist is a banking trojan designed to steal banking credentials, mainly from Brazilian entities. As such, it shares some of its functionality with other families such as Grandoreiro or Mekotio, which likewise focus on Latin America.


Focusing on this region, and especially on Mexico and Chile, we find that these banking trojans have several characteristics in common: the language in which they are written, their backdoor functionality, and the fact that they target countries where Spanish or Portuguese is spoken.

Source: VirusTotal. SHA256: 5876b241f601badc8e4cabda303b5b0be3116ceeeb92bbfb0ccb0424bf416990


Written in Delphi, a language popular among Brazilian malware authors, it contains a large amount of binary code that is never executed or invoked. Its purpose is quite possibly to discourage analysis, or to slow down or evade detection by antivirus engines and by analysts themselves.

As for collecting data from the victim's computer, Vadokrist, unlike other Latin American banking trojans, takes only the victim's username, and does so after starting the attack on the targeted bank rather than at installation time, which is the usual behaviour in these families.

As for its backdoor capabilities, they are the ones we would typically expect: this banking trojan can manipulate the mouse, simulate and log keystrokes, take screenshots, block access to certain websites, and even restart the affected computer.

Source: VirusTotal. SHA256: 5876b241f601badc8e4cabda303b5b0be3116ceeeb92bbfb0ccb0424bf416990

As for string storage, some recent versions contain multiple string lists serving different purposes, among them the general configuration, the list of entities to attack, and the command names for the backdoor functionality.

Finally, its persistence method is also worth highlighting. It uses either a Run key or an LNK file (a Windows shortcut) placed in the Startup folder.
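The two persistence mechanisms just described are easy to check for offline. The following is an added example written for this article, not code from the original post or from the malware itself: it flags Run key values that launch an unusual host such as msiexec or a script engine, and it parses a Startup-folder LNK far enough to recover its target and arguments. The list of suspicious hosts, the file paths and the value names are assumptions made for the example; the LNK layout follows the MS-SHLLINK header and StringData fields, and the shortcut parsed here is constructed by the same script.

```python
"""Triage of the two persistence mechanisms the article attributes to Vadokrist:
a Run key value and an LNK shortcut dropped in the Startup folder.
Added example; all inputs below are constructed, not taken from a real sample."""
import struct

# Hosts that a legitimate Startup entry rarely launches but droppers often do.
# This list is an assumption made for the example, not derived from Vadokrist.
SUSPICIOUS_HOSTS = ("msiexec", "wscript", "cscript", "mshta",
                    "regsvr32", "rundll32", "powershell")


def is_suspicious_command(command: str) -> bool:
    """Coarse heuristic: does the command line invoke one of the hosts above?"""
    lowered = command.lower()
    return any(host in lowered for host in SUSPICIOUS_HOSTS)


def flag_run_key_entries(entries):
    """entries: (value_name, command) pairs as exported from a
    ...\\CurrentVersion\\Run key. Returns the entries worth a closer look."""
    return [(name, cmd) for name, cmd in entries if is_suspicious_command(cmd)]


# Minimal Shell Link (MS-SHLLINK) support: header constants and LinkFlags bits.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal LNK carrying only StringData (no IDList, no LinkInfo);
    used here to construct a test shortcut."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = 1
    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + (string_data(arguments) if arguments else b"")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link, skipping the optional
    LinkTargetIDList and LinkInfo structures if present."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[key] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def flag_startup_lnk(data: bytes):
    """(suspicious?, reconstructed command line) for a Startup-folder LNK."""
    fields = parse_lnk(data)
    command = " ".join(v for v in (fields.get("relative_path", ""),
                                   fields.get("arguments", "")) if v)
    return is_suspicious_command(command), command


# Constructed inputs (hypothetical paths and value names).
RUN_KEY_SAMPLE = [
    ("OneDrive", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Updater", r'msiexec /i "C:\Users\Public\loader.msi" /qn'),
]
STARTUP_LNK_SAMPLE = build_lnk(r"..\..\..\..\..\Windows\System32\msiexec.exe",
                               r'/i "C:\Users\Public\loader.msi" /qn')

if __name__ == "__main__":
    print(flag_run_key_entries(RUN_KEY_SAMPLE))
    print(flag_startup_lnk(STARTUP_LNK_SAMPLE))
```

On a live host the Run key pairs would come from the HKCU and HKLM `...\CurrentVersion\Run` keys and the LNK bytes from each file in the user's and the all-users Startup folders; the heuristic is deliberately coarse, so treat a hit as a lead to inspect the referenced MSI or script, not as a verdict.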



It is commonly distributed through spam emails that carry an attachment. In fact, the most recent campaigns used two nested compressed files with a .zip extension, containing an MSI installer and a .CAB file.
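A first triage step for an attachment like this is to open the nested archives and identify what they carry by content rather than by extension. The following is an added example written for this article, not code from the original post or from any of the trojans it discusses: it walks a ZIP recursively with a depth bound, classifies members by magic bytes (OLE compound file for the MSI, `MSCF` for the CAB) or by script extension, and reports whether the MSI-plus-CAB combination or a script dropper layer is present. The attachment it inspects is constructed inside the script, and the file names are hypothetical.

```python
"""Static triage of a nested-ZIP spam attachment of the kind described above:
open the outer archive, descend into any ZIP it contains, and classify each
member by magic bytes rather than by file extension. Added example; the
attachment is constructed in this file and is not a real Vadokrist sample."""
import io
import zipfile

OLE_CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # MSI files are OLE compound files
CAB_MAGIC = b"MSCF"                                   # Microsoft Cabinet
ZIP_MAGIC = b"PK\x03\x04"
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".ps1", ".hta")


def classify(name: str, data: bytes) -> str:
    """Label a member by content first, falling back to extension for scripts."""
    if data.startswith(OLE_CFB_MAGIC):
        return "ole-cfb"
    if data.startswith(CAB_MAGIC):
        return "cab"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if name.lower().endswith(SCRIPT_EXTENSIONS):
        return "script"
    return "other"


def walk_archive(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 5):
    """Yield (path, kind, depth) for every file, recursing into nested ZIPs.
    max_depth bounds the recursion so a self-nesting archive cannot run it forever."""
    if depth > max_depth:
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            path = prefix + info.filename
            kind = classify(info.filename, member)
            yield path, kind, depth
            if kind == "zip":
                yield from walk_archive(member, path + "/", depth + 1, max_depth)


def triage(data: bytes) -> dict:
    """Summarise the delivery chain: nesting depth, whether an MSI and a CAB
    travel together (the combination described above), and whether any
    script-language dropper layer is present."""
    members = list(walk_archive(data))
    kinds = {kind for _, kind, _ in members}
    return {
        "members": members,
        "max_depth": max((depth for _, _, depth in members), default=0),
        "msi_plus_cab": "ole-cfb" in kinds and "cab" in kinds,
        "has_script": "script" in kinds,
    }


def make_zip(entries) -> bytes:
    """Build an in-memory ZIP from (name, bytes) pairs (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed attachments. Only the magic bytes are genuine; the rest is padding
# and the file names are hypothetical.
INNER_ZIP = make_zip([("installer.msi", OLE_CFB_MAGIC + b"\x00" * 64),
                      ("payload.cab", CAB_MAGIC + b"\x00" * 64)])
SAMPLE_ATTACHMENT = make_zip([("document.zip", INNER_ZIP)])
SCRIPT_ATTACHMENT = make_zip([("invoice.js", b"// first-stage downloader placeholder\n")])

if __name__ == "__main__":
    for path, kind, depth in walk_archive(SAMPLE_ATTACHMENT):
        print("  " * depth + f"{path}: {kind}")
    print(triage(SAMPLE_ATTACHMENT))
```

Classifying by content matters because a loader MSI can arrive under any extension; the depth bound is there because a recursive walker is exactly what a self-nesting archive is built to exhaust.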

Its basic operation is as follows: when the victim executes the MSI (Windows Installer) file, it locates the CAB file and extracts an MSI loader to disk. After that, an embedded JavaScript file is executed that ensures persistence by adding a Run key entry, so that the MSI loader runs when the system restarts. Once persistence has been configured, the computer is restarted.

Source: ESET.

When the computer is turned on again, the MSI loader executes a DLL that it embeds, which is the Vadokrist banking trojan itself.

This trojan and the other banking trojans that target Latin American entities implement their distribution chains in similar ways, with only slight differences.

One method they use that is quite common is to implement the distribution chain as several layers of downloaders, which may be written in different scripting languages: JavaScript, as in the Vadokrist version discussed above, PowerShell, or even Visual Basic Script.

In this scenario it is common to find at least three layers, with the final payload often arriving inside a .zip archive carried by the chain. For the trojan at hand, however, there is no downloader, since, as mentioned earlier, the most recently observed versions are distributed directly as spam attachments.



Vadokrist is a banking trojan that mainly affects Brazilian entities and shares several characteristics with other Latin American banking trojans, such as Grandoreiro (also known as Delephant), which mostly targets Brazil, Spain, Mexico and Peru, and Mekotio or Pazera, trojans that affect financial institutions in Latin America and are likewise written in Delphi.

As for the characteristics of this trojan, what really stands out is that it does not collect information from its victims when it is installed on the computer, as the vast majority of Latin American banking trojans do, but instead does so just after starting its attack on the financial institution.