banload | d8679f0fcc66ff39635d0dc94a4246fb96bb898c4f9a0dc40e4f4d490f4b2e3d

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#@!~OPEN_Fiile_9091_ṔḁṨṨCṏḌḙ$$/Setup.exe
Size

8.5MB
MD5

98169506fec94c2b12ba9930ad704515
SHA1

bce662a9fb94551f648ba2d7e29659957fd6a428
SHA256

9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
SHA512

7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
SSDEEP

196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK

Score

10^/10

banload vidar 103d649c56bb88ab1c068fc5f04f3422 downloader dropper evasion persistence stealer trojan

Malware Config

Extracted

Family

vidar

Botnet

103d649c56bb88ab1c068fc5f04f3422

https://hypaton.xyz

https://steamcommunity.com/profiles/76561199677575543

https://t.me/snsb82

Attributes

profile_id_v2
103d649c56bb88ab1c068fc5f04f3422
user_agent
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/4500-45-0x0000000000430000-0x0000000000B83000-memory.dmp	family_vidar_v7
behavioral1/memory/4500-54-0x0000000000430000-0x0000000000B83000-memory.dmp	family_vidar_v7
behavioral1/memory/4500-55-0x0000000000430000-0x0000000000B83000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4340 set thread context of 2376	4340	Setup.exe	88

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LocalServer32	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE"	Setup.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3260	4500	WerFault.exe	95

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\3	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\3\ = "HTML Format,1,1,3"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType\2\ = "Picture"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType\3	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType\3\ = "Microsoft Word"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Conversion\Readable\Main	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\1	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Conversion\Readable	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocHandler32\ = "ole32.dll"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb\0	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID\ = "Word.Picture"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\DefaultFile\ = "MSWordDoc"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\2\ = "3,1,32,3"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\4\ = "Rich Text Format,1,1,3"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType\2	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\0	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\1\ = "1,1,1,3"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\MiscStatus\ = "0"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\NotInsertable\	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Version\ = "9"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\DefaultFile	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\0\ = "Embed_Source,1,8,1"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LocalServer32	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\MiscStatus	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Version	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DefaultIcon	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb\1	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\2	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\wordicon.exe,1"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocHandler32	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\NotInsertable	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID\ = "Word.Picture.8"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb\0\ = "&Edit,0,2"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "Microsoft Word Picture"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Conversion	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Conversion\Readable\Main\ = "MSDraw,Word.Picture.6,1"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\4	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb\1\ = "&Open,0,2"	Setup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4340	Setup.exe
4340	Setup.exe
2376	netsh.exe
2376	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4340	Setup.exe
2376	netsh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 2376	4340	Setup.exe	88
PID 4340 wrote to memory of 2376	4340	Setup.exe	88
PID 4340 wrote to memory of 2376	4340	Setup.exe	88
PID 4340 wrote to memory of 2376	4340	Setup.exe	88
PID 2376 wrote to memory of 4500	2376	netsh.exe	95
PID 2376 wrote to memory of 4500	2376	netsh.exe	95
PID 2376 wrote to memory of 4500	2376	netsh.exe	95
PID 2376 wrote to memory of 4500	2376	netsh.exe	95
PID 2376 wrote to memory of 4500	2376	netsh.exe	95

C:\Users\Admin\AppData\Local\Temp\#@!~OPEN_Fiile_9091_ṔḁṨṨCṏḌḙ$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#@!~OPEN_Fiile_9091_ṔḁṨṨCṏḌḙ$$\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:4500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1620
      4⤵
      Program crash
      PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4500 -ip 4500
1⤵
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bc0ab3f6

Filesize
5.9MB

MD5
e8279b01376ba21658f0d22e4257ba2d

SHA1
e896a9228c51e804cd19443941cec7378fef5da7

SHA256
4bbb8cf038094e5db0054c5b34ec9cbac1d581ec7d01c0c223f0883020f6b27d

SHA512
89e6d34bc0deb094375b5f4174f032a6749c5ef765ff44b9ebecef4dff218be69e289d045d4c0a3b9deaa652e95635b198c18356f81b08522c2e9fbbb04b2ec8

Download Submit
memory/2376-44-0x0000000074631000-0x000000007463F000-memory.dmp

Filesize
56KB

Download
memory/2376-41-0x0000000074631000-0x000000007463F000-memory.dmp

Filesize
56KB

Download
memory/2376-40-0x000000007463E000-0x0000000074640000-memory.dmp

Filesize
8KB

Download
memory/2376-39-0x00007FF8F4450000-0x00007FF8F4645000-memory.dmp

Filesize
2.0MB

Download
memory/4340-17-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-1-0x0000000003FB0000-0x0000000004198000-memory.dmp

Filesize
1.9MB

Download
memory/4340-16-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-20-0x00007FF8D5E00000-0x00007FF8D5F72000-memory.dmp

Filesize
1.4MB

Download
memory/4340-35-0x00007FF8D5E00000-0x00007FF8D5F72000-memory.dmp

Filesize
1.4MB

Download
memory/4340-34-0x00007FF8D5E18000-0x00007FF8D5E19000-memory.dmp

Filesize
4KB

Download
memory/4340-36-0x00007FF8D5E00000-0x00007FF8D5F72000-memory.dmp

Filesize
1.4MB

Download
memory/4340-19-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-12-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-15-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-14-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-10-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4500-45-0x0000000000430000-0x0000000000B83000-memory.dmp

Filesize
7.3MB

Download
memory/4500-47-0x00007FF8F4450000-0x00007FF8F4645000-memory.dmp

Filesize
2.0MB

Download
memory/4500-54-0x0000000000430000-0x0000000000B83000-memory.dmp

Filesize
7.3MB

Download
memory/4500-55-0x0000000000430000-0x0000000000B83000-memory.dmp

Filesize
7.3MB

Download