Attention: We will be transitioning to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access.
TrojanDownloader:Win32/Banload.AXI is a member of Win32/Banload - a family of trojans that downloads other malware. Banload is usually used to download and install members of the Win32/Banker and Win32/Bancos families onto affected computers. Win32/Banker and Win32/Bancos are trojans that steal banking credentials and other sensitive data, and send it back to a remote attacker.
Installation
TrojanDownloader:Win32/Banload.AXI creates the following files on your PC:
c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\{463b3efe-c0f0-11e3-8379-00db7fa21019}.dat
c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\recoverystore.{1f81cd32-c0f0-11e3-8379-00db7fa21019}.dat
c:\documents and settings\administrator\local settings\temp\~dfadfe.tmp
c:\documents and settings\administrator\local settings\temp\~dfe302.tmp
c:\documents and settings\administrator\local settings\temp\dff_fp3wt-d3dx9_41.exe
Payload
Contacts remote hosts
TrojanDownloader:Win32/Banload.AXI may contact the following remote hosts using port 80:
download.dll-files.com
www.obreirosdobonsucesso.com.br
Commonly, malware does this to:
Confirm Internet connectivity
Report a new infection to its author
Receive configuration or other data
Download and run files, including updates or other malware
Receive instructions from a remote hacker
Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 6747a6a6c493a1ba2d0134a4df82b789750e6dce.
The following could indicate that you have this threat on your PC:
You have these files:
c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\{463b3efe-c0f0-11e3-8379-00db7fa21019}.dat c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\recoverystore.{1f81cd32-c0f0-11e3-8379-00db7fa21019}.dat c:\documents and settings\administrator\local settings\temp\~dfadfe.tmp c:\documents and settings\administrator\local settings\temp\~dfe302.tmp c:\documents and settings\administrator\local settings\temp\dff_fp3wt-d3dx9_41.exe