banload | b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06

General

Target

b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
Size

15.7MB
MD5

21d88dc3265c802a0c214a5946bdd88a
SHA1

3a304f2e5c5d86092d92a438d2ad2179a6dee349
SHA256

b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06
SHA512

56a0dedf2620c1c9f093f33de3db828c08f1caf5ec373ce4cf48af0a6e5dde5f76e1093c767a983e2c5ea0322979953b465fba1f6aeb6be1559f1c0e1d2761a3
SSDEEP

98304:RF8QUitE4iLqaPWGnEvK7RkOEEo+A7mOk3oaCVA7m2St29Ejzh9oEuF8QUitE4i1:RFQWEPnPBnEXPEtFQWEPnPBnEXPE8Q

Score

10^/10

banload discovery downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment"	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PersistentZoneIdentifier"	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Elevation	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Elevation\Enabled = "1"	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\urlmon.dll"	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppId = "{0968e258-16c7-4dba-aa86-462dd61e31a3}"	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalizedString = "@%SystemRoot%\\System32\\urlmon.dll,-4200"	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2380	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
Token: SeIncBasePriorityPrivilege	2380	b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe

C:\Users\Admin\AppData\Local\Temp\b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe
"C:\Users\Admin\AppData\Local\Temp\b66429cf4aef8350c484fdab30a29a0a800ec9e32812725e0fcb26790edcbf06.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

Filesize
15.8MB

MD5
39d167c9237e627f504f55791ae463e4

SHA1
be3036b46f9cd7b067d18dd83f9960b7e03d24fb

SHA256
80d642e6dea48714cf1898ec2b6923fe558724faeea4e0d161a70468ff9360dd

SHA512
672d4e13a47443f3237697319850f5de908120ce6f81d90c03653555b370c6b23b01ab16239bb5b0f6a9db6da48cfcc651aed9c28ad4aa145a008855818f8c12

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
15.8MB

MD5
b0ddfacdcdbc87869e29b7a8270f27d2

SHA1
562c0055b27a12df69b9e805653d102b3d82ac9d

SHA256
6b0c41d137460aa4b6ad307dd2ae8ee3a88f4b6165cadd85a81b6c867823cf79

SHA512
237f135060c23566c1e57ef2b9e59cbb8cb89705a3ebbafcabcb731e0383c3d2cba68c03675c11c2d5eef2eace2aebd801b96d31ee89001335bd892b9e81623e

Download Submit
memory/2380-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2380-8-0x0000000003020000-0x000000000322C000-memory.dmp

Filesize
2.0MB

Download
memory/2380-1-0x0000000003020000-0x000000000322C000-memory.dmp

Filesize
2.0MB

Download
memory/2380-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2380-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2380-13-0x0000000003020000-0x000000000322C000-memory.dmp

Filesize
2.0MB

Download
memory/2380-17-0x0000000003020000-0x000000000322C000-memory.dmp

Filesize
2.0MB

Download
memory/2380-18-0x0000000003020000-0x000000000322C000-memory.dmp

Filesize
2.0MB

Download
memory/2380-23-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2380-25-0x0000000003020000-0x000000000322C000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads