Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Grandoreiro

100
Global rank
75 infographic chevron month
Month rank
56 infographic chevron week
Week rank
0
IOCs

Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.

Trojan
Type
Unknown
Origin
1 August, 2017
First seen
22 October, 2025
Last seen

How to analyze Grandoreiro with ANY.RUN

Type
Unknown
Origin
1 August, 2017
First seen
22 October, 2025
Last seen

IOCs

IP addresses
15.229.47.198
18.231.154.55
167.114.88.99
94.154.35.25
191.96.5.221
20.70.3.186
192.95.55.50
192.95.6.196
130.185.238.32
142.11.213.42
167.114.43.27
18.231.179.202
191.96.4.160
185.191.228.227
167.114.217.220
20.187.91.219
173.0.54.19
15.188.63.127
20.10.3.196
24.152.38.130
Hashes
8bc723119b3059c4c9f7f671dc74d779af074c0fc4e7feae08ffb1438df044c1
Domains
chjjhjmomaoheoojjbynnyjiidfcncc.cable-modem.org
mymodulop2pcar.servehttp.com
cortafogoempresarial.shop
dextelmacwordsx.top
empresarialkutsni.com
pcbbcrjcgbcghjpbcgkccbjorkhhjcjj.fantasyleague.cc
beacocosmasterx.top
fastcomerciouniverso.com
jmllmedvhgmhldjgmhvmmlljhvgdzvzz.dynns.com
ifnnfnmcmacfdccnnjynnyjiidfcncc.collegefan.org
odbbdbmgmagdfggbbnynnyjiidfcncc.blogsyte.com
centroempresarialkutsni.com
mantersaols.com
pizzacircusbarcelona.com
atlasassessorcontabilidade.com
facturaxml.hopp.to
factura-mail.hopp.to
thylachatmarcamarketin.com
java-update.online
empresarialkutsnicorp.com
Last Seen at

Recent blog posts

post image
No Threats Left Behind: SOC Analyst’s Guide t...
watchers 235
comments 0
post image
Tykit Analysis: New Phishing Kit Stealing Hun...
watchers 4500
comments 0
post image
5 Ways Threat Intelligence Saves Businesses M...
watchers 894
comments 0

What is Grandoreiro malware?

Grandoreiro is a sophisticated banking trojan first observed in 2016, primarily targeting users in Latin America, including countries like Brazil, Mexico, and Argentina.

Grandoreiro is known for its advanced evasion techniques, including various string encryption methods, and the use of a domain generation algorithm (DGA) that enables it to communicate with multiple command-and-control (C2) servers.

In March 2024, the Grandoreiro banking trojan launched a massive attack targeting over 1,500 banks' applications worldwide, expanding beyond its usual Latin American focus to regions in Central and South America, Europe, Africa, and the Indo-Pacific.

Attacks usually begin with phishing campaigns impersonating government entities, tricking recipients into downloading the malware. Once deployed, Grandoreiro targets specific banking applications, allowing attackers to steal credentials and execute fraudulent transactions.

Key technical features of Grandoreiro include its ability to evade detection, verify victims to avoid sandbox environments, and more. The malware’s sophisticated structure and its ability to adapt to different regions and targets make it a significant threat in financial cybercrime.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Grandoreiro malware technical details

The main functionality of Grandoreiro malware is to steal sensitive financial information of users by targeting banking applications.

Some of the key capabilities of the Grandoreiro malware include:

  • Initiating attacks through sophisticated phishing campaigns impersonating government and financial institutions.
  • Utilizing a loader that verifies targets, collects data, and downloads the main banking trojan payload.
  • Employing techniques such as file bloating, CAPTCHA pop-ups, and environmental checks to avoid detection by security tools.
  • Targeting banking applications to steal credentials and perform fraudulent transactions.
  • Using a reworked Domain Generation Algorithm (DGA) to connect with multiple command-and-control servers, enabling efficient management of large-scale attacks.
  • Harvesting email addresses from infected hosts and uses Microsoft Outlook to send additional phishing emails, spreading the malware further.
  • Establishing persistence through registry modifications and the creation of configuration files on the victim's machine.

Grandoreiro is a complex malware with over 10,000 strings, which would be easily detectable if left unencrypted. To avoid detection, it uses a sophisticated multi-step decryption process. This involves custom encoding and decryption using the same key as the loader, followed by AES decryption, and then further decoding to finally reveal the plaintext strings, making the malware harder to detect and analyze.

Grandoreiro execution process

To see how Grandoreiro operates, let’s upload its sample to the ANY.RUN sandbox for analysis.

Grandoreiro is typically delivered through phishing emails containing malicious links or attachments. These emails often impersonate legitimate organizations, such as government agencies, to deceive victims. Clicking on the link or opening the attachment downloads a malicious ZIP file containing the Grandoreiro loader, disguised as a PDF or another benign file.

Grandoreiro report in ANY.RUN Grandoreiro process graph displayed in ANY.RUN sandbox

Once executed, the loader performs anti-analysis checks to detect sandboxes and virtual environments. It collects victim information, including IP address, operating system details, installed software, and more. The loader then decrypts a URL using XOR-based decryption and sends a GET request to retrieve the final payload download URL.

The loader downloads the final Grandoreiro payload from the retrieved URL as a large ZIP file. This ZIP file contains a massive executable disguised as an image or PDF file. Then, the loader extracts and renames the executable to a random name with an .exe extension. This renamed executable is the full Grandoreiro banking trojan payload, often signed with a legitimate digital certificate to appear trustworthy and evade detection.

Grandoreiro process in ANY.RUN Malicious process related to Grandoreiro analyzed in ANY.RUN sandbox

Grandoreiro establishes persistence via the Windows registry, ensuring it launches upon user login. It collects more detailed information and sends a POST "check-in" request to the command and control (C2) server with the gathered data. The trojan then proceeds to carry out a range of malicious activities, including browser session hijacking, credential theft, and banking fraud.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Grandoreiro malware distribution methods

Grandoreiro malware is primarily distributed through phishing campaigns.

Attackers often send emails that impersonate legitimate government entities or financial institutions, tricking recipients into clicking on malicious links or downloading infected attachments. These emails may claim to contain important documents, such as tax notices or account statements, which, when opened, initiate the download of the malware.

In addition to phishing emails, Grandoreiro may also be spread through malicious websites that prompt users to download fake software updates or security tools, which actually install the malware.

Conclusion

The impact of the Grandoreiro campaign has been devastating, leading to widespread financial fraud and significant monetary losses. This malware has infiltrated multiple sectors, including banking, finance, manufacturing, public administration, telecommunications, and energy. Its ability to steal sensitive financial information and perform fraudulent transactions has caused severe disruption and harm to countless organizations and individuals, making it one of the most dangerous banking trojans in recent years.

ANY.RUN is a cloud-based service that allows anyone to safely analyze suspicious files and URLs. It enables you to observe malware behavior and collect indicators of compromise in a secure environment. By using ANY.RUN, you can gain valuable insights into Grandoreiro's tactics and improve your defenses against it.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

DarkVision screenshot
DarkVision
darkvision
DarkVision RAT is a low-cost, modular Remote Access Trojan that gives attackers remote control of infected Windows hosts. Initially observed around 2020 and sold in underground marketplaces, DarkVision has become notable for its full feature set (keylogging, screen capture, file theft, remote command execution and plugin support) and for being distributed via multi-stage loaders in recent campaigns.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
Akira Ransomware screenshot
Akira Ransomware emerged in March 2023 and compromised over 250 organizations by January 2024 with approximately $42 million in ransom payments. It employs double extortion tactics exfiltrating data before encryption and threatening to publish it on a dedicated website.
Read More
Salty 2FA screenshot
Salty 2FA
salty2fa
Salty 2FA is a sophisticated Phishing-as-a-Service (PhaaS) framework tailored to hijack user sessions, steal credentials, and gain unauthorized access to corporate systems. Delivered primarily via targeted emails, this kit employs multi-stage evasion tactics, making it a stealthy tool for cybercriminals aiming at high-value enterprise accounts.
Read More
Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
Bert Ransomware screenshot
Bert Ransomware is a newly emerged ransomware group that has been active since April 2025. It deploys variants targeting both Windows and Linux systems, focusing on critical sectors like healthcare, technology, and event services across the US, Asia, and Europe.
Read More