banload | a8d8760c87b1a9f76c193207a1c3d74479ced6a91f07139f582687d89ec00372

General

Target

2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
Size

21.1MB
MD5

be9e4cfe416c5d90f4c2f78dd2acc9e3
SHA1

170a12100ef7dcee69b5e22a07c3d65a5372c8da
SHA256

a8d8760c87b1a9f76c193207a1c3d74479ced6a91f07139f582687d89ec00372
SHA512

b19a4d891ddc28ee2423cc29a999c6f65ef7989008ac667db690d486889265aae1bb98e53984195892dc9301dd957c8ef66c79a86853173f005c2c8418aced54
SSDEEP

393216:jh0gBOBtWbjDtr+xcK0PMRWDLJ8eZJhjdTR0kkBvE4v5SurkQD56f6RQk0+pZYIC:igBOvavxJtZjFRz6s44uLDmsQk0IZYT

Score

10^/10

banload defense_evasion discovery downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe = "11000"	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Internet Explorer\IESettingSync	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InProcServer32\ = "C:\\Windows\\SysWOW64\\HdcpHandler.dll"	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InProcServer32\ThreadingModel = "Both"	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\ = "HDCP Decryptor MFT"	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InProcServer32	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
Token: SeIncBasePriorityPrivilege	2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2300	2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe	91
PID 2876 wrote to memory of 2300	2876	2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe	91

C:\Users\Admin\AppData\Local\Temp\2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-24_be9e4cfe416c5d90f4c2f78dd2acc9e3_hijackloader_magniber.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDBEA.mht

Filesize
49KB

MD5
51865db79391650fe286c176a0327aec

SHA1
daa03c99aa52abf165e555f49f90c70a0c25eb87

SHA256
f3efd8e39d62f23ad8e08002efa818067bff7f8a540e5540264edefc76dc47b3

SHA512
44d3b60f23772e1f0f7b92f33104ebdcafc9dfc2974d3d4678e6d50eef18f79f82f00c35643a6ce2744063ea5aba15ec791dc677a4c94ce238b6ef8eb1a2d508

Download Submit
memory/2876-19-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download
memory/2876-21-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download
memory/2876-11-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download
memory/2876-12-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download
memory/2876-14-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download
memory/2876-16-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download
memory/2876-9-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download
memory/2876-18-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download
memory/2876-20-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download
memory/2876-1-0x00000000072E0000-0x00000000074E0000-memory.dmp

Filesize
2.0MB

Download
memory/2876-22-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download
memory/2876-23-0x00000000072E0000-0x00000000074E0000-memory.dmp

Filesize
2.0MB

Download
memory/2876-25-0x00000000072E0000-0x00000000074E0000-memory.dmp

Filesize
2.0MB

Download
memory/2876-26-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download
memory/2876-7-0x00000000072E0000-0x00000000074E0000-memory.dmp

Filesize
2.0MB

Download
memory/2876-73-0x0000000000400000-0x000000000507A000-memory.dmp

Filesize
76.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads