MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41da210f64e2b009aaf03e96b2de701a30222faee25e38c6fbbaf958c84f680b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Banload

Vendor detections: 5

SHA256 hash: 41da210f64e2b009aaf03e96b2de701a30222faee25e38c6fbbaf958c84f680b
SHA3-384 hash: 225b5e2d7b9fb9907ba412c7df595b39e0ac8191ca996fb33a6cf721279f1f4ecf8e3e227bc7ce92f17770dce9672593
SHA1 hash: 32ae2122d3abeacd656b146c68d010d88de0feb6
MD5 hash: 876bfa1afe9ee6eb56b981bfcb0627b1
humanhash: mike-white-speaker-alpha
File name: banload.msi
Signature: Banload
File size: 282'624 bytes
First seen: 2021-07-30 18:29:29 UTC
Last seen: 2021-07-30 19:52:14 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 6144:4QtOIiRQYpgjpjew5LLyGx1qo8oBTfQ/:4QtMRQ+gjpjegLyo8oBc/
Threatray: 6 similar samples on MalwareBazaar
TLSH: T18D547B513BC9C13AE2AF163789BA97662A367C350B30C0CF6790796D5E307D2E939712
Reporter: warz_s
Tags: Astaroth Banload brazil guildma msi

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 1'803
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 48 / 100
Signature
Obfuscated command line found
Uses Atom Bombing / ProGate to inject into other processes
Behaviour
Behavior Graph (ID 457049, sample banload.msi, start date 30/07/2021, architecture WINDOWS, score 48), rebuilt as a process tree from the graph data:
  msiexec.exe  [signature: Obfuscated command line found]
    cmd.exe
      powershell.exe
        mshta.exe
          DNS/IP: 4ueoer.topmil.cloud 104.21.35.248, 49754, 80 (CLOUDFLARENETUS, United States)
          DNS/IP: www.cloudflare.com 104.16.124.96, 443, 49755 (CLOUDFLARENETUS, United States)
      conhost.exe
      cmd.exe
    expand.exe
      dropped: C:\Users\user\...\WSManHTTPConfig.exe (copy), PE32+
      dropped: C:\...\fd36e5b96890fd4f80615e426b3b6b0d.tmp, PE32+
      conhost.exe
    icacls.exe
      conhost.exe
    3 other processes
      conhost.exe (3 instances)
  msiexec.exe  [signature: Uses Atom Bombing / ProGate to inject into other processes]
Threat name: Document-OLE.Trojan.Alien
Status: Malicious
First seen: 2021-07-30 18:30:07 UTC
AV detection: 2 of 46 (4.35%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropping: Win.Astaroth
Delivery method: Distributed via e-mail link