banload | 64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f

General

Target

64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Size

2.4MB
MD5

f0fcd34f0b20e4ab5113e0820153589f
SHA1

ed78c8645ac97fc72988b002a33d179ec3cdf09b
SHA256

64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f
SHA512

7d743736e21a62003ff1506e72bd6f46636cffc6236f66653cb990f9d5e774e420534c9e69beb97a457b7d819a4733581542f5111a7b84a91b96d0d5f275c733
SSDEEP

49152:4cv0srYX2TOm4paX1shQPF0q5VWy7EeNDzkIiqdCpSCR9mIvFCtUKhF8:4cvRjCaX1shQdPtQAUIiqcpSCR4ItCiK

Score

10^/10

banload discovery downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\AppID = "{03837503-098b-11d8-9414-505054503030}"	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe"	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\TypeLib	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\ = "LegacyTraceSessionCollection"	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll"	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\Version	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\VersionIndependentProgID	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\VersionIndependentProgID\ = "PLA.LegacyTraceSessionCollection"	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\InprocServer32	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\InprocServer32\ThreadingModel = "both"	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\LocalServer32	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\ProgID\ = "PLA.LegacyTraceSessionCollection.1"	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}"	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\ProgID	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0F00270-BB60-31EF-A977-234757940DF4}\Version\ = "1.0"	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2548	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
Token: SeIncBasePriorityPrivilege	2548	64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe

C:\Users\Admin\AppData\Local\Temp\64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe
"C:\Users\Admin\AppData\Local\Temp\64c31a4c6ddca654976c551127bc2f81e9359df7809af6725db895d010b6e62f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-0-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/2548-8-0x00000000025A0000-0x00000000027AC000-memory.dmp

Filesize
2.0MB

Download
memory/2548-1-0x00000000025A0000-0x00000000027AC000-memory.dmp

Filesize
2.0MB

Download
memory/2548-11-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/2548-12-0x0000000000400000-0x000000000071D000-memory.dmp

Filesize
3.1MB

Download
memory/2548-13-0x00000000025A0000-0x00000000027AC000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads