Banload Trojan Targets Brazilians With Malware Downloads

McAfee Labs has recently encountered new variants of the Banload Trojan. Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victim’s system to carry out further infections. We have observed this malware is using the functionality of the legitimate freeware Mep Installer to carry out the infection cycle.

Mep Installer builds installation programs for Windows based on Inno Setup. When Mep Installer executes, it creates a temporary installation file in the %TEMP% directory. This file has the following execution command:


Mep Installer has its signature at the offset used in the preceding command:


This temporary installation file checks for the Mep Installer signature. If found, the file will read data from the third argument, which is a zlib-compressed file. The following is a snippet of the compressed data:


The temporary installation file has a zlib decompression procedure. After decompression it drops the executable and runs it.


Infection chain
We have observed that Banload hooks the Mep Installer to trick users into installing the Portuguese version of this software. Once the user gets a Banload-infected Mep Installer, the malware uses same functionality as the genuine Mep Installer to avoid suspicion. The infected version carries the malware inside the zlib-compressed file.

The malware executes with the same command as with the legitimate Mep Installer:


Upon decompression the temp file drops the malware in the Windows directory, as shown below:


This malware uses the temporary file of the genuine installer to carry out the infection. Banload also displays a fake Mep Installer signature to appear to be legitimate.


Obscuring techniques
The malware uses a number of tricks to avoid execution in controlled environments such as virtual machines, sandboxes, etc. It also checks for network monitoring tools like CommView, TCPView, etc.


The malware uses the following code patch to check for virtual machines:


Banload terminates if the system’s language ID does not match to 0x0416, Portuguese.


The malware also creates a mutex to ensure that only one instance of the malware is running at a time. The malware author uses standard RC4 algorithm to hide the payload’s URL. The encrypted URL looks like this:


The following are some of the decrypted URLs from which the malware downloads payloads to carry out further infections:

  • http://[BLOCKED].br/modulorato/
  • http:// [BLOCKED]
  • http:// [BLOCKED]
  • http:// [BLOCKED]
  • http:// [BLOCKED]
  • http://maranhao. [BLOCKED]
  •[BLOCKED]/goqt4x. [BLOCKED]
  •[BLOCKED]/gk5y6n. [BLOCKED]
  •[BLOCKED]/gbo7i6. [BLOCKED]
  • http://www. [BLOCKED].org/ddlevelsfiles/
  •[BLOCKED]/gpms2b. [BLOCKED]

The downloaded files are encrypted and are decrypted by the malware at runtime. The downloaded file may look like this:


After decrypting this, we get this Zip file:


This malware targets Brazilians by using the Mep Installer’s Portuguese version, checking for the Portuguese language ID, and most of the URLs listed above are from Brazil. McAfee products detect this malware as Downloader-FBIC! McAfee advises all users to keep their antimalware products up to date.

Analyzed hashes, SHA256

  • C5D3EC816D9029A5EDC6F0C64E1E9CAC02CF73A8A4828C3088C34FEF7338CC21


Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from McAfee Labs

Back to top