Trojan.Downloader.Banload.XB

By CagedTech in Trojans

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 15
First Seen: May 9, 2011
OS(es) Affected: Windows

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor Detection
AVG OneStepSearcher.M
AntiVir TR/Boigy.2
Sophos Zwangi
Panda Malicious Packer
AVG OneStepSearcher.S
Fortinet Adware/OneStep
Ikarus BHO.Win32.Zwangi
AntiVir TR/Crypt.XPACK.Gen
BitDefender Application.Generic.359752
NOD32 a variant of Win32/Adware.OneStep.Z
McAfee Adware-OneStep.ae
Panda Trj/CI.A
AVG Downloader.Delf.FBH
Ikarus Trojan-Downloader
AhnLab-V3 Trojan/Win32.Lukicsel

File System Details

Trojan.Downloader.Banload.XB may create the following file(s):
# File Name MD5 Detections
1. questbrowse145.exe ff4da3fb36f79be06bc8f807edec358c 8
2. cryptnet32.dll 3fd4a953abcfbf163b90c1750d3e4e20 3
3. dadlif.exe d06034372988992f1b5f4910774ef3b8 2
4. winfast.exe 483f2d8e8f1ccbccce588cb46e01ae9c 2

Analysis Report

General information

Family Name: Trojan.Banload.XB
Signature status: No Signature

Known Samples

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Comments
  • http://www.weaverslave.ws/
  • This installation was built with Inno Setup.
  • 数据库配置工具
Company Name
  • Android-Sync.com
  • GASTROdat
  • glodon
  • Grimed, s.r.o.
  • Nikolay Kalmykov, CHAS Company
  • SmileW.com
  • subjective reality
  • Terra Virtual
  • www.helpware.net
  • ООО "Профессиональные правовые системы"
File Description
  • Android-Sync (PRE-ALPHA) Setup
  • ECG for small animals
  • Free Emoticons Set 2 Setup
  • SCARABAY Setup
  • SelfCare neuf telecom
  • VS 2010 Help Viewer
  • Weaverslave - free flexible webeditor
  • Сравнение текстов Бизнес-Инфо
  • 数据库配置工具 for HealthOne
  • 浏览器兼容工具辅助
File Version
  • 9.4.0.54
  • 6.3.3.2
  • 4.1.0.99
  • 3.9.15.1
  • 3.1.4.1
  • 2.1.0.4
  • 1.21.0.119
  • 1.0.1.238
  • 1.0.0.22
  • 1.0.0.0
Internal Name
  • EKG_V
  • SelfCare neuf telecom
  • Textcmp
  • Weberknecht
Legal Copyright
  • 1999-2003 Thomas Weinert
  • Copyright (c) 2009, The Helpware Group
  • Copyright (c) 2014 Glodon Software Co.Ltd.
  • Copyright © 1999-2007, Grimed, s.r.o.
  • Copyright © 2003 - 2013 Nick Kalmykov, CHAS Company, Inc.
  • GASTROdat
  • minREC
  • © Terra Virtual
  • ООО "Профессиональные правовые системы"
Legal Trademarks GASTROdat
Original Filename
  • EKG_V.exe
  • GTPClientUpdateLib.dll
  • SelfCare neuf telecom
  • Textcmp.exe
  • weaversl.exe
Product Name
  • Android-Sync (PRE-ALPHA)
  • EKG_2000
  • Free Emoticons Set 2
  • minRec
  • SCARABAY
  • SelfCare neuf telecom
  • Weaverslave
  • Сравнение текстов Бизнес-Инфо
  • 浏览器兼容工具
Product Version
  • 6.3.01.20
  • 3.9
  • 3.1.4.1
  • 2.01
  • 1.0.0.0

Digital Signatures

Signer Root Status
Spacial Audio Solutions LLC SSL.com EV Code Signing Intermediate CA ECC R2 Self Signed
Spacial Audio Solutions LLC SSL.com EV Code Signing Intermediate CA RSA R3 Self Signed

File Traits

  • .adata
  • .aspack
  • 2+ executable sections
  • ASPack v2.12
  • dll
  • HighEntropy
  • MPRESS
  • MPRESS Win32
  • Native MPRESS x86
  • No Version Info
  • packed
  • PEC2
  • PECompact v2.20
  • x86

Block Information

Similar Families

  • AutoHotkey.A
  • Bitcoinminer.R
  • CobaltStrike.XAA
  • Delf.XB
  • FareIt.LA
  • Injector.DFF
  • Injector.DGB
  • Injector.FGSA
  • Injector.FHBB
  • Injector.FHBC
  • Injector.FHBD
  • Injector.GDSA
  • Injector.GPB
  • Injector.GSD
  • Injector.KDF
  • Injector.KKF
  • Injector.KS
  • Kryptik.GSG
  • Kryptik.RA
  • MPRESS Packer
  • Malex.D
  • Strictor.A

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\programdata\microsoft\network\connections\pbk\rasphone.pbk Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.blf Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-3m0l1.tmp\6a6abaeb96968a2d7b592afa4ab8dfadbac06047_0001687575.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsfa2d3.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsu65d0.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\roaming\microsoft\network\connections\pbk\rasphone.pbk Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\$_temp_$.$$$ Generic Write,Read Attributes
c:\users\user\downloads\media.mcs Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKCU\software\terravirtual::version 1.0.1.238 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::failed_count RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state  RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes (NULL) RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes  RegNtPreCreateKey
HKCU\software\microsoft\edge\elfbeacon::version 142.0.3595.53 RegNtPreCreateKey
HKCU\software\helpware\h3viewer::installpath c:\users\user\downloads\aba508594fdfee881f1696cf331664fcf5eab6cd_0000740864 RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
User Data Access
  • GetComputerName
  • GetUserName
  • GetUserObjectInformation
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
  • ShellExecute
Network Winsock2
  • WSAStartup
Network Winsock
  • bind
  • closesocket
  • getsockname
  • setsockopt
  • socket
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Keyboard Access
  • GetKeyboardState
  • GetKeyState

Shell Command Execution

"C:\Users\Zycbshkt\AppData\Local\Temp\is-3M0L1.tmp\6a6abaeb96968a2d7b592afa4ab8dfadbac06047_0001687575.tmp" /SL5="$40062,1446612,54272,c:\users\user\downloads\6a6abaeb96968a2d7b592afa4ab8dfadbac06047_0001687575"
Open http://localhost:80/
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5fd373ada4a9543d3892d29da70168c00b086257_0001234944.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\3c374636f57811957f868d19b1bf839b9045874c_0000918528.,LiQMAxHB
