Threat behavior
TrojanDownloader:Win32/Banload.HP is a trojan that downloads and runs other malware. The Win32/Banload family downloads malware that usually belongs to the Win32/Banker or Win32/Bancos families. These downloaded trojans steal banking credentials and other sensitive data and send it back to a remote attacker.
Installation
TrojanDownloader:Win32/Banload.HP may be installed by other malware. When run, it activates its trojan download payload.
Payload
Downloads Malware
TrojanDownloader:Win32/Banload.HP tries to download additional files from a remote server. In the wild, this trojan contacted the domain 'new-mrcash.net'; however, the files the malware attempted to retrieve were not available. Downloaded malware may be saved as the following:
%windir%\system\sys.exe
The registry may be modified to execute the downloaded malware at each Windows start.
Adds value: "Sys"
With data: "%windir%\system\sys.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
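As an added defender-side example (not part of this write-up or any Microsoft tooling), the following Python checks an exported copy of the Run key for the persistence entry described above; the .reg sample is constructed, the parser handles only REG_SZ string values, and the Windows directory defaults to an assumed C:\Windows.

```python
import re

# Indicators quoted in the write-up above (value name, data, and subkey).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "Sys"
IOC_DATA = r"%windir%\system\sys.exe"

# Constructed sample .reg export (not a real capture): one benign entry
# and one entry matching the Banload.HP indicator.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\upd.exe"
"Sys"="%windir%\\system\\sys.exe"
'''

def normalize_path(path, windir=r"C:\Windows"):
    """Expand %windir%/%SystemRoot%, strip quotes and case so variants compare equal."""
    path = path.strip().strip('"')
    path = re.sub(r"%(windir|systemroot)%", lambda m: windir, path, flags=re.IGNORECASE)
    return path.lower()

def parse_reg_export(text):
    """Minimal parser for REG_SZ values in a .reg export: {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"="' in line:
            name, data = line[1:].split('"="', 1)
            # .reg files escape backslashes and quotes inside string data
            keys[current][name] = data.rstrip('"').replace('\\\\', '\\').replace('\\"', '"')
    return keys

def find_banload_persistence(reg_text, windir=r"C:\Windows"):
    """Return (value_name, data) pairs in the Run key that match the indicator."""
    target = normalize_path(IOC_DATA, windir)
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        # .reg exports spell the hive as HKEY_LOCAL_MACHINE; the write-up uses HKLM
        if key.lower().replace("hkey_local_machine", "hklm", 1) != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == IOC_VALUE_NAME.lower() or normalize_path(data, windir) == target:
                hits.append((name, data))
    return hits
```

Matching on either the value name or the normalized path means a renamed value that still points at sys.exe, or a Sys value pointing elsewhere, is still surfaced for review.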
Terminates Windows Service
TrojanDownloader:Win32/Banload.HP attempts to terminate the "Local Security Authority" process (LSASS.EXE).
Analysis by Shawn Wang
Prevention