Amavaldo Description

Amavaldo banking Trojan is a hacking tool that has been pretty much used to target users based in Brazil exclusively. However, since June 2019 it would appear that its operators have decided to expand their reach and begin launching campaigns in Chile and Mexico as well.


The authors of Amavaldo Trojan stick to the tried and tested propagation method of spam email campaigns. The emails would contain an attachment, and the message would urge the user to open it because it is 'important.' In some of the campaigns, the creators of the Amavaldo disguised the attachment as a seemingly legitimate Microsoft Office Document, while in others there will be a '.MSI' file attached that poses as an update for an Adobe tool. The final malicious payload of Amavaldo arrives as a ZIP archive that contains three components - a copy of a legit application, an injector, and the encrypted Trojan itself. The injector self-injects Windows Media Player or Internet Explorer processes through DLL sideloading.

A malicious MSI installer with an embedded file containing a VBS downloader was used in the campaign that targeted Brazil. The VBS downloader produced a second VBS downloader, which abused the Windows Management Instrumentation Command-line (WMIC) to push an XSL containing PowerShell, which in turn, downloaded Amavaldo as a final step. The campaigns targeting Mexican banking websites used a different MSI installer that had an embedded Windows executable file that acted as a downloader. In these cases, users also through they were downloading Acrobat Reader DC, while the malicious attachments to the spam emails were disguised as CV documents.


As a self-preservation technique, the Amavaldo banking Trojan's code is heavily obfuscated. Malware authors often do this so that their creations may bypass the checks anti-malware applications and make it more difficult for cybersecurity researchers to dissect their threat. The Amavaldo Trojan also scans the infected host for any potential presence of banking security tools, which may prevent them from executing their plan.


Once Amavaldo Trojan has ensured that nothing stands in its way, it will get to work. This threat is able to scan the opened windows and tabs of the user looking for certain online banking portals. If Amavaldo detects that the victim is browsing one of the banking portals that the Trojan is meant to target, it will take a screenshot of the active Web browser tab. The screenshot is then set as a wallpaper, and the Web browser is minimized. In the meantime, the Amavaldo malware will disable commonly used keyboard shortcuts and display a bogus pop-up window that contains a tailored login prompt that uses the styling and interface of the banking portal that the user was trying to access.

Apart from this, Amavaldo banking Trojan also can:

  • Use the webcam
  • Download and execute files
  • Launch a keylogger
  • Control the cursor
  • Modify the keyboard's input
  • Take screenshots
  • Restrict access to legitimate banking websites

Unless you are tech-savvy or have had dealings with banking Trojans before, it is likely that you may not notice the trickery of the Amavaldo Trojan. Therefore, it is crucial to have a reputable anti-virus software suite installed on your system, which will likely sniff out threats like the Amavaldo banking Trojan and remove them swiftly.

Do You Suspect Your PC May Be Infected with Amavaldo & Other Threats? Scan Your PC with SpyHunter

SpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like Amavaldo as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Note: SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. Free Remover allows you to run a one-off scan and receive, subject to a 48-hour waiting period, one remediation and removal. Free Remover subject to promotional details and Special Promotion Terms. To understand our policies, please also review our EULA, Privacy Policy and Threat Assessment Criteria. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.
If you still can't install SpyHunter? View other possible causes of installation issues.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.