
TrojanDownloader:Win32/Banload


First posted on 15 February 2019.
Source: Microsoft

Aliases :

TrojanDownloader:Win32/Banload is also known as Troj/Dwnldr-HEF, Trojan.Spy.Delf.NOS, Trojan.Downloader-40206, Trojan-Downloader.Win32.Banload.ogx, Generic Downloader.ab, Downloader.Bancos.

Explanation :

TrojanDownloader:Win32/Banload is the Microsoft detection for a family of trojans that download other malware. The downloaded malware is usually a member of the Win32/Banker family: trojans that steal banking credentials and other sensitive data and send them to a remote attacker.

Installation

TrojanDownloader:Win32/Banload drops two files on the system, both of which are also detected as TrojanDownloader:Win32/Banload. The file names vary by variant, for example:

%TEMP%\drvrnet.exe
542745.dll

Note: the system folder is a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.

It then launches the dropped EXE. It also modifies the registry so that the dropped EXE appears to be a legitimate Windows program, for example:

Adds value: "drvrnet"
With data: "%TEMP%\drvrnet.exe"
To subkey: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

MUICache is populated by the Windows shell whenever a program is run, so this entry records that the dropped EXE executed; it is a useful forensic artifact but is not by itself a persistence mechanism.

Payload

Downloads and Installs Additional Malware

Files detected as TrojanDownloader:Win32/Banload download other malware by connecting to remote servers, usually over HTTP or FTP. The downloaded malware is usually a member of the Win32/Banker family described above.

Modifies Internet Settings

TrojanDownloader:Win32/Banload changes the system's Internet settings by modifying the registry to bypass the network proxy setting:

Adds value: "ProxyBypass"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Analysis by Jireh Sanico
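The two registry artifacts described above (the MUICache entry pointing at an EXE in %TEMP%, and ZoneMap\ProxyBypass set to 1) are the kind of thing an incident responder checks in an exported user hive. The script below is an added example written for this page, not Microsoft's or malwarePDF's code. It parses `reg export` output offline and flags both indicators. The .reg text in SAMPLE_REG is constructed for the example and its paths are not indicators of compromise. Because writeups differ on whether MUICache holds the path in the value name or in the data, the check looks at both sides; it also covers the Vista-and-later MuiCache location under Software\Classes\Local Settings, which the page does not mention.

```python
"""Offline triage of a Windows .reg export for the Banload artifacts above.

Added example (not Microsoft's or malwarePDF's code). Flags:
  * MUICache entries naming an .exe under a per-user Temp folder
    (the page's %TEMP%\\drvrnet.exe); value name and data are both checked.
  * Internet Settings\\ZoneMap\\ProxyBypass = 1.
SAMPLE_REG is constructed for this example.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample in `reg export` format (backslashes doubled in names and
# string data, DWORDs written as dword:XXXXXXXX).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Users\\alice\\AppData\\Local\\Temp\\drvrnet.exe"="drvrnet"
"@C:\\Windows\\System32\\shell32.dll,-22019"="Windows Explorer"
"C:\\Program Files\\Notepad++\\notepad++.exe"="Notepad++"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
Finding = Tuple[str, str, str, str]  # (indicator, key, value name, data)


def _unescape(s: str) -> str:
    """Undo .reg escaping of backslashes and double quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}}.

    String data is unquoted and unescaped; dword and other typed data is
    kept raw (e.g. 'dword:00000001'). Default values (@=...) and hex(...)
    continuation lines are ignored; neither matters for these indicators.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def parse_dword(raw: str) -> Optional[int]:
    m = re.fullmatch(r'dword:([0-9a-fA-F]{1,8})', raw.strip())
    return int(m.group(1), 16) if m else None


def is_temp_exe(path: str) -> bool:
    """True for an .exe in %TEMP%: literal %TEMP%, XP layout or Vista+ layout."""
    p = path.lower()
    return p.endswith('.exe') and (
        p.startswith('%temp%\\')
        or '\\local settings\\temp\\' in p     # Windows 2000/XP profile layout
        or '\\appdata\\local\\temp\\' in p)    # Vista and later


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        # XP-era key named on the page, plus the Vista+ MuiCache location.
        if k.endswith('\\shellnoroam\\muicache') or k.endswith('\\shell\\muicache'):
            for name, data in values.items():
                if is_temp_exe(name) or is_temp_exe(data):
                    findings.append(('muicache_temp_exe', key, name, data))
        if k.endswith('\\internet settings\\zonemap'):
            for name, data in values.items():
                if name.lower() == 'proxybypass' and parse_dword(data) == 1:
                    findings.append(('proxy_bypass_enabled', key, name, data))
    return findings


def triage(text: str) -> List[Finding]:
    return find_indicators(parse_reg(text))


def load_reg(path: str) -> str:
    """`reg export` writes UTF-16 LE with a BOM; also accept UTF-8."""
    raw = open(path, 'rb').read()
    return raw.decode('utf-16') if raw.startswith(b'\xff\xfe') else raw.decode('utf-8-sig')


if __name__ == '__main__':
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for indicator, key, name, data in triage(text):
        print(f'{indicator}: [{key}] {name!r} = {data!r}')
```

Run it with no arguments to see the two hits against the constructed sample, or pass the path of a `reg export HKCU out.reg` file from a suspect profile. A MUICache hit shows the program ran at least once; combine it with the file's presence on disk and the ProxyBypass change before calling it an infection, since a legitimate installer executed from %TEMP% produces the same cache entry.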

Last update 15 February 2019
