Grandoreiro can bypass UAC by registering as the default handler for .MSC files.^[2]

Grandoreiro can parse Outlook .pst files to extract e-mail addresses.^[2]

Grandoreiro has the ability to use HTTP in C2 communications.^[3][2]

Grandoreiro can identify installed security tools based on window names.^[2]

Grandoreiro can use run keys and create link files in the startup folder for persistence.^[3][2]

Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions.^[3]

Grandoreiro can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.^[1][3][2]

Grandoreiro can capture clipboard data from a compromised host.^[3]

Grandoreiro can use VBScript to execute malicious code.^[1][2]

Grandoreiro can steal cookie data and credentials from Google Chrome.^[3][2]

Grandoreiro can decrypt its encrypted internal strings.^[2]

Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer.^[1][3]

Grandoreiro can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key that changes daily.^[1][2]

Grandoreiro can use SSL in C2 communication.^[3]

Grandoreiro can send data it retrieves to the C2 server.^[2]

Grandoreiro can modify the binary ACL to prevent security tools from running.^[2]

Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.^[2]

Grandoreiro can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level.^[2]

Grandoreiro can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level.^[2]

Grandoreiro can delete .LNK files created in the Startup folder.^[2]

Grandoreiro can download its second stage from a hardcoded URL within the loader's code.^[3][2]

Grandoreiro can log keystrokes on the victim's machine.^[2]

Grandoreiro has named malicious browser extensions and update files to appear legitimate.^[3][2]

Grandoreiro can modify the Registry to store its configuration atHKCU\Software\ under frequently changing names including%USERNAME% andToolTech-RM.^[2]

Grandoreiro can execute through theWinExec API.^[2]

Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file increasing each binary to at least 300MB in size.^[2]

Grandoreiro can store its configuration in the Registry atHKCU\Software\ under frequently changing names including%USERNAME% andToolTech-RM.^[2]

TheGrandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.^[1][2][2]

Grandoreiro has been spread via malicious links embedded in e-mails.^[3][2]

Grandoreiro can identify installed security tools based on process names.^[2]

Grandoreiro can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.^[2][2]

Grandoreiro can use malicious browser extensions to steal cookies and other user information.^[3]

Grandoreiro can steal the victim's cookies to use for duplicating the active session from another device.^[3]

Grandoreiro can use MSI files to execute DLLs.^[1]

Grandoreiro can collect the computer name and OS version from a compromised host.^[2]

Grandoreiro can determine the IP and physical location of the compromised host via IPinfo.^[2]

Grandoreiro can collect the username from the victim's machine.^[2]

Grandoreiro can determine the time on the victim machine via IPinfo.^[2]

Grandoreiro has used malicious links to gain execution on victim machines.^[3][2]

Grandoreiro has infected victims via malicious attachments.^[3]

Grandoreiro can detect VMWare via its I/O port and Virtual PC via thevpcext instruction.^[2]

Grandoreiro can obtain C2 information from Google Docs.^[1]

Grandoreiro can utilize web services including Google sites to send and receive C2 data.^[3][2]