Dreambot Banking Trojan Malware – Detect and Remove It - How to, Technology and PC Security Forum | SensorsTechForum.com


This post has been created to show you what the Dreambot banking malware is and how to detect it and remove it completely from your computer.

If you remember the Gozi banking trojan, chances are you may be familiar with the Dreambot malware as well, even though it has only just appeared in the wild. This is because Dreambot is basically a modified version of the Gozi banking malware. The malware, essentially Gozi under a new name, is spread via the RIG exploit kit. This virus is actively evolving and its latest infection vector is the HookAds campaign, which is basically malicious advertising. Since this malware shows no symptoms on your computer and may steal your financial information, we advise you to read this article if you want to detect whether it has been installed on your computer and remove it completely.

Threat Summary

Type: Banking Trojan
Short Description: Aims to collect financial or personal information and stay undetected for as long as possible.
Symptoms: Modified registry entries and malicious files dropped in Windows system folders. Hidden processes.
Distribution Method: Spam e-mails, e-mail attachments, executable files

Dreambot – How Does It Infect

Researchers at Malware-Traffic-Analysis.net have found that the malicious advertising campaign is spread only on well-known, frequently visited adult websites. What happens is that users who visit those adult websites without proper ad-blocking software get a pop-up or a redirect to another website from the HookAds malvertising chain. This web link may not only collect information from your computer but may also push the malware onto it by executing a malicious script tied to the RIG exploit kit. The result is a successful infection of your computer, without you even noticing.

The worst part is that the number of IP addresses and hosting websites connected to this advertising campaign keeps increasing.

But this is not the only method of distributing the Dreambot malware. The virus has also been seen in e-mail, as in the previously detected spam campaign of an older version of the malware, which claimed the victim had been subpoenaed in court. The e-mails contain a malicious web link accompanied by the following message:

Dreambot Banking Malware – Analysis

The payload files of the Dreambot banking Trojan consist of a malicious executable file, combined with a Flash exploit and a few support files:

  • {random}.exe – main payload file.
  • {random}.tmp – RIG EK temporary file.
  • {random}.swf – the flash exploit.
  • {random}.php.txt – support php file of the exploit kit.

The Dreambot Trojan carries several different kinds of functionality in its malicious payload. For starters, the malware uses the onion network (Tor) to connect and perform numerous actions. The communication with the cyber-criminals behind Dreambot, however, has been identified by Proofpoint as being conducted via HTTP requests that the bot makes once it has infected a computer. The bot also downloads the Tor client onto the infected computer and communicates via the onion network as well.

Among Dreambot's other activities is creating a random string value in the Windows registry sub-key Microsoft:

→ HKCU\Software\AppDataLow\Software\Microsoft\
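A defender-side check for the registry artefact above, added here as an example that is not from the article or from any vendor tool: it flags randomly named string values under the HKCU sub-key the article quotes, using an entropy heuristic. The allow-list, the thresholds and the sample export are assumptions for illustration, not known Dreambot indicators.

```python
import math
import re
from collections import Counter

# Registry path named in the article (HKCU hive), as winreg expects it.
DREAMBOT_SUBKEY = r"Software\AppDataLow\Software\Microsoft"

# Assumption: value names a clean profile may carry here; extend as needed.
KNOWN_GOOD = {"(Default)"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random strings score high, English words lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s.lower()).values())

def looks_random(name: str, min_len: int = 6, min_entropy: float = 3.0) -> bool:
    """Heuristic only: unknown, alphanumeric, mixes letters and digits, high
    entropy. Requiring a digit avoids flagging CamelCase names such as
    'ProxyOverride' (entropy about 3.0) at the cost of missing letter-only names."""
    if name in KNOWN_GOOD or len(name) < min_len:
        return False
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        return False
    has_alpha = re.search(r"[A-Za-z]", name) is not None
    has_digit = re.search(r"[0-9]", name) is not None
    return has_alpha and has_digit and shannon_entropy(name) >= min_entropy

def triage(values):
    """values: iterable of (name, data) pairs; returns the suspicious names."""
    return [name for name, _data in values if looks_random(name)]

def read_live_values():
    """Enumerate the real key on Windows; [] on other platforms or if absent."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, DREAMBOT_SUBKEY) as key:
            count = winreg.QueryInfoKey(key)[1]  # (subkeys, values, mtime)
            return [winreg.EnumValue(key, i)[:2] for i in range(count)]
    except (ImportError, OSError):  # not Windows, or key not present
        return []

# Constructed sample export (not real Dreambot artefacts) for an offline run.
SAMPLE_VALUES = [("(Default)", ""), ("ProxyOverride", "<local>"), ("a7F3kQ9zLm2", "0x1a2b")]

if __name__ == "__main__":
    print(triage(read_live_values() or SAMPLE_VALUES))
```

Run it as-is on a Windows host to triage the live key; on any other system it falls back to the constructed sample so the heuristic can be exercised and tuned.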

The primary activity of this banking Trojan, just like that of any other banking malware out there, is to gather financial information from your computer and send it to the cyber-criminals. For this purpose, it may even display phishing pages, for example:

Detect and Remove Dreambot Completely from Your Computer

If you want to detect and remove this malware, the advice is to use malware-specific software, since Dreambot produces no symptoms on your computer. You could attempt manual removal by booting into Safe Mode and looking for the files yourself, but there is no guarantee that this will remove the malware completely. Instead, according to experts, an advanced anti-malware tool should be used to scan for all objects and protect your computer by fully removing Dreambot.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
