TrojanDownloader:Win32/Banload.AGN
First posted on 13 January 2012.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Banload.AGN.
Explanation:
TrojanDownloader:Win32/Banload.AGN is a member of Win32/Banload, a family of trojans that download other malware. Banload is usually used to download and install members of the Win32/Banker and Win32/Bancos families onto affected computers. Win32/Banker and Win32/Bancos are trojans that steal banking credentials and other sensitive data and send them back to a remote attacker.
Installation
TrojanDownloader:Win32/Banload.AGN drops the following files to the affected computer:
- %windir%\miniman.bat
- %windir%\sexojaebomeassim.exe
- %windir%\sexojaebomeassim.pps
Payload
Downloads arbitrary files
TrojanDownloader:Win32/Banload.AGN connects to the following URL:
sn.im/218cift
which then redirects to download the following file:
config.txt
The downloaded file is a malware downloader configuration file that instructs TrojanDownloader:Win32/Banload.AGN to download additional malware, usually variants of the Win32/Banker family. In the wild, we have observed the malware connecting to 'scheringhp.com' to download the following files:
- mecum.exe
- Helper.dll
- snipttrid.exe
- schotxy.exe
- scholook.exe
- Live.exe
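The dropped-file paths under Installation and the hosts and file names under Payload can be turned into a simple host and proxy log check. The script below is an added example for this entry, not Microsoft's detection logic; it assumes %windir% expands to C:\Windows, that the dropped files sit directly in that folder as listed, and a constructed log format of one event per line ('<timestamp> FILE <path>' or '<timestamp> HTTP <url>'). The sample log lines are made up for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Indicators as listed on the page: files dropped into %windir%, the redirect host,
# the download host observed in the wild, and the file names fetched from it.
DROPPED_FILES = ("miniman.bat", "sexojaebomeassim.exe", "sexojaebomeassim.pps")
DOWNLOADED_FILES = ("config.txt", "mecum.exe", "Helper.dll", "snipttrid.exe",
                    "schotxy.exe", "scholook.exe", "Live.exe")
NETWORK_HOSTS = ("sn.im", "scheringhp.com")


def _alt(names) -> str:
    """Build a regex alternation of literal names."""
    return "|".join(re.escape(n) for n in names)


# Assumption: %windir% is C:\Windows (any drive letter accepted); the dropped files
# are expected directly inside it, so a copy in a subfolder is deliberately not matched.
DROP_RE = re.compile(r"^[a-z]:\\windows\\(" + _alt(DROPPED_FILES) + r")$", re.IGNORECASE)
# An HTTP(S) request whose host is one of the listed hosts (optional userinfo/port tolerated).
HOST_RE = re.compile(r"^https?://(?:[^/]*@)?(" + _alt(NETWORK_HOSTS) + r")(?::\d+)?(?:/|$)",
                     re.IGNORECASE)
# A requested path ending in one of the downloaded file names (a query string is allowed).
DL_RE = re.compile(r"/(" + _alt(DOWNLOADED_FILES) + r")(?:\?.*)?$", re.IGNORECASE)


def match_file_event(path: str) -> Optional[str]:
    """Return the matched dropped-file name if the written path is one of the indicators."""
    m = DROP_RE.match(path.strip())
    return m.group(1) if m else None


def match_http_event(url: str) -> List[str]:
    """Return the indicator labels (host and/or file) matched by a requested URL."""
    hits: List[str] = []
    url = url.strip()
    m = HOST_RE.match(url)
    if m:
        hits.append("host:" + m.group(1).lower())
    m = DL_RE.search(url)
    if m:
        hits.append("file:" + m.group(1))
    return hits


def scan_log(lines) -> List[Dict[str, str]]:
    """Scan lines of the constructed '<ts> FILE <path>' / '<ts> HTTP <url>' format.

    Lines matching no indicator are ignored; each matched indicator yields one finding.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        ts, kind, value = parts
        if kind == "FILE":
            hit = match_file_event(value)
            if hit:
                findings.append({"ts": ts, "kind": "dropped_file", "indicator": hit, "raw": line})
        elif kind == "HTTP":
            for hit in match_http_event(value):
                findings.append({"ts": ts, "kind": "network", "indicator": hit, "raw": line})
    return findings


# Constructed sample log (not real telemetry): two benign lines, then the activity described above.
SAMPLE_LOG = [
    "2012-01-13T10:00:01 FILE C:\\Windows\\System32\\drivers\\etc\\hosts",
    "2012-01-13T10:00:02 HTTP http://www.example.com/index.html",
    "2012-01-13T10:00:03 FILE C:\\Windows\\miniman.bat",
    "2012-01-13T10:00:03 FILE C:\\Windows\\sexojaebomeassim.pps",
    "2012-01-13T10:00:04 HTTP http://sn.im/218cift",
    "2012-01-13T10:00:05 HTTP http://scheringhp.com/config.txt",
    "2012-01-13T10:00:06 HTTP http://scheringhp.com/downloads/Helper.dll?v=2",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["kind"], f["indicator"])
```

Matching on the short URL host and on the download host separately matters here: the page says sn.im only redirects, so a proxy log may show the redirect target rather than a second sn.im request, and the config.txt fetch is the strongest early signal before any of the Banker-family executables arrive.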
Displays a PowerPoint presentation
TrojanDownloader:Win32/Banload.AGN displays a PowerPoint presentation as part of its payload, as seen in the example below:
Analysis by Edgardo Diaz
Last update 13 January 2012