{
	"id": "07370dfa-4eda-425f-ab9c-3afa2c165906",
	"created_at": "2026-04-06T01:30:43.900458Z",
	"updated_at": "2026-04-10T03:21:33.767946Z",
	"deleted_at": null,
	"sha1_hash": "03346449443a994651cace5231220fa246c85ff7",
	"title": "CARBERP - Threat Encyclopedia | Trend Micro (US)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48030,
	"plain_text": "CARBERP - Threat Encyclopedia | Trend Micro (US)\r\nArchived: 2026-04-06 00:16:22 UTC\r\nCARBERP is a Trojan family first seen in 2009. This banking Trojan is designed to steal user credentials through\r\nhooking network APIs in WININET.DLL, monitoring user browsing activities. It has the capability to connect to\r\nits C\u0026C server to download configuration files and receive arbitrary commands, thus compromising the security\r\nof the infected systems.\r\nCARBERP logs keystrokes, spoofs websites, and drops copies of itself in locations that do not require\r\nadministrator privileges. This malware family is characterized as a plugin-dependent malware since it relies on\r\ndownloaded/embedded modules to complete its routines. Two of the known plugins it uses are the miniav and\r\nstopav modules. These modules enable CARBERP to eliminate other malware and antivirus applications running\r\non the infected computer.\r\nInstallation\r\nThis Trojan drops the following files:\r\n%System Root%\\{random folder name}\\wndsksi.inf\r\n%System%\\ieunitdrf.inf\r\n{All User's Profile\\wjver.dat\r\n(Note: %System Root% is the root folder, which is usually C:\\. 
It is also where the operating system is located.\r\n%System% is the Windows system folder, which is usually C:\\Windows\\System32.)\r\nIt drops the following copies of itself into the affected system:\r\n%User Startup%\\igfxtray.exe\r\n%User Startup%\\{random filename}.exe\r\n(Note: %User Startup% is the current user's Startup folder, which is usually C:\\Windows\\Profiles\\{user\r\nname}\\Start Menu\\Programs\\Startup on Windows 98 and ME, C:\\WINNT\\Profiles\\{user name}\\Start\r\nMenu\\Programs\\Startup on Windows NT, and C:\\Documents and Settings\\{User name}\\Start\r\nMenu\\Programs\\Startup.)\r\nOther System Modifications\r\nThis Trojan adds the following registry entries:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\\r\nInternet\\Explorer\\Main\r\nTabProcGrowth = \"0\"\r\nNOTES:\r\nIt drops the following folders:\r\n%System Root%\\{random folder name}\r\n%User Profile%\\Application Data\\MicroST\r\nIt connects to any of the following C\u0026C Servers:\r\nSource: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/carberp",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/carberp"
	],
	"report_names": [
		"carberp"
	],
	"threat_actors": [],
	"ts_created_at": 1775439043,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03346449443a994651cace5231220fa246c85ff7.pdf",
		"text": "https://archive.orkl.eu/03346449443a994651cace5231220fa246c85ff7.txt",
		"img": "https://archive.orkl.eu/03346449443a994651cace5231220fa246c85ff7.jpg"
	}
}