win.tclbanker

TCLBANKER

According to Elastic Security Labs, TCLBANKER is a Brazilian banking trojan made up of a native code loader and .NET-based payloads, targeting financial institutions in Brazil. Its core capabilities include monitoring the addresses open in the browser via UI Automation to trigger WPF full-screen overlays for credential harvesting and operator-driven social engineering, as well as self-propagating worm modules that hijack WhatsApp Web sessions and abuse Outlook through COM automation to send phishing messages. The malware employs robust anti-analysis techniques: environment-gated payload decryption that fails silently in sandboxes or in the wrong environment, and a comprehensive watchdog subsystem that actively monitors for debuggers, analysis tools, and instrumentation frameworks throughout execution.

References
2026-05-06, Elastic: Daniel Stepanic, Jia Yu Chan, Seth Goodwin, Terrance DeJesus
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
Families covered: TCLBANKER

There is no YARA signature yet.