{
	"id": "9e6b6aa7-1739-4f94-9f1b-7b624c1d8e1f",
	"created_at": "2026-04-06T00:16:20.270198Z",
	"updated_at": "2026-04-10T03:21:32.6249Z",
	"deleted_at": null,
	"sha1_hash": "a0a7c2a22c211b1caf88f5d127bd2bc8bac221da",
	"title": "Bebloh – a well-known banking Trojan with noteworthy innovations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37583,
	"plain_text": "Bebloh – a well-known banking Trojan with noteworthy\r\ninnovations\r\nBy RM, TS\r\nPublished: 2019-05-02 · Archived: 2026-04-05 18:50:57 UTC\r\nThe banking Trojan Bebloh has been known about and studied for a number of years. But even new developments\r\nin the malware have not produced any notable innovations – until recently. The observed infection rates with\r\nBebloh in the first half of 2013 were comparatively small – with a share of just 6.3% among all banking Trojans\r\nobserved by G Data, Bebloh was lagging far behind competitors such as ZeuS. However, an update appeared\r\nrecently that contains noteworthy changes.\r\nLarge increase in infection count following update\r\nIn recent months we started seeing alarming new figures: Bebloh started steadily climbing up the statistics ladder\r\nand secured a place for itself among the top three banking Trojans in November.\r\nRecently, the malware was distributed as an email attachment, as spam containing fake flight information. Taking\r\neverything into consideration, this was more than reason enough to look into what was going on.\r\nAn initial comparison between a newer example and the familiar version shows that Bebloh has clearly undergone\r\nan update. Only about 75% of the functions in the two versions are the same. Almost 4.5% of the functions in the\r\nold version have been deleted or replaced. 20.9% of the functions are exclusively found in the new version. The\r\nfunctional scope has therefore been significantly enhanced.\r\nMalware undergoing change: AV evasion\r\nThe interesting innovation in this variant concerns the persistence, or the issue of: how does the malware survive a\r\nrestart?\r\nAs soon as the system is infected by Bebloh, the malware is injected into explorer.exe and the original executable\r\nfile that contains Bebloh is deleted. In principle, this is a perfectly normal procedure for concealing the malware's\r\nentry point into the system. However, what is interesting is the fact that the malware is not then moved to another\r\nfolder and no autostart entry is generated. The malware is no longer found on the hard disk. Therefore, a\r\nconventional signature-based virus scanner would fail to find any infection by scanning the hard disk. As the\r\nmalware is running hidden in the explorer.exe memory, not even a malicious process is detected. However, to\r\nsurvive a system restart, Bebloh uses an interesting trick.\r\nAn invisible window is generated from the explorer.exe process to receive the “Window Messages”, a specific\r\nmessage type generated by Windows.\r\nhttps://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations\r\nPage 1 of 2\n\nThis means that messages concerning an impending computer shutdown are also issued by Windows.\r\nAs soon as Bebloh receives such a message, the malware writes its executable file out of the explorer.exe memory\r\nto the hard disk, and an autostart pointing to the executable is generated. Hence, throughout the time the system is\r\nrunning, there is virtually no visible clue in the registry or on the hard disk that suggests an infection.\r\nTo exacerbate the cat-and-mouse game between AV providers and Bebloh even more, the autostart entry doesn't\r\ndirectly reference the executable file – it relies on a link (.lnk). In addition, the file name used by Bebloh is\r\ngenerated randomly each time, so Bebloh has a different name each time the system is started.\r\nOutlook\r\nThe above-mentioned comparison of the program code for the two versions studied proves the hypothesis that\r\nBebloh has not changed much in its basic function as a banking Trojan and still tries to spy on user data. However,\r\nthe AV evasion updates are something new in the banking Trojan arena, demonstrating that malware authors are\r\ncontinuing to find new ways to prey on their victims even more silently and effectively.\r\nG Data detects the new variant as Trojan.GenericKD.1367361 using the DoubleScan technology. G Data\r\nBankGuard also detects and removes the new variant of this malware.\r\nOlder Bebloh version, SHA256: 01af2a82eddbfc4dc4720c8e8a483ff91d3b12df792928a435d1fc618055db46\r\nNewer Bebloh version, SHA256: d4f6a12ffe35a8b39e047d35bedb2860e622580df8d66c68abaad4c8d8162c6a\r\nSource: https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations"
	],
	"report_names": [
		"23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations"
	],
	"threat_actors": [],
	"ts_created_at": 1775434580,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0a7c2a22c211b1caf88f5d127bd2bc8bac221da.pdf",
		"text": "https://archive.orkl.eu/a0a7c2a22c211b1caf88f5d127bd2bc8bac221da.txt",
		"img": "https://archive.orkl.eu/a0a7c2a22c211b1caf88f5d127bd2bc8bac221da.jpg"
	}
}