Overview

overview

10

Static

static

RAMN.vbs

windows7_x64

10

RAMN.vbs

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RAMN.vbs

  • Size

    169KB

  • Sample

    220312-kmkxnaaea2

  • MD5

    e5e7f440ae47fe295bb93034b1edf3c1

  • SHA1

    bff968fb18c296edabf8ad52953e7c36ae0bcdea

  • SHA256

    2a5fcd571c34b11c0c630c8cf1f50a91a136e931e0057f7f8e3ca36ecd73d993

  • SHA512

    a45c68efa11bf061c5ed5fd09e2c616acb2333b67cb1f86382eac88ac1f2fb1120ad2517381e2125eb5a98a5d69d602918cc1ac1277cee1f5a976d8e1a3eb92b

Score
10/10
ramnitbankerevasionspywarestealertrojanupxworm

Malware Config

Targets

    • Target

      RAMN.vbs

    • Size

      169KB

    • MD5

      e5e7f440ae47fe295bb93034b1edf3c1

    • SHA1

      bff968fb18c296edabf8ad52953e7c36ae0bcdea

    • SHA256

      2a5fcd571c34b11c0c630c8cf1f50a91a136e931e0057f7f8e3ca36ecd73d993

    • SHA512

      a45c68efa11bf061c5ed5fd09e2c616acb2333b67cb1f86382eac88ac1f2fb1120ad2517381e2125eb5a98a5d69d602918cc1ac1277cee1f5a976d8e1a3eb92b

    Score
    10/10
    ramnitbankerspywarestealertrojanupxwormevasion

    • Modifies firewall policy service

      evasion

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

      trojanspywarestealerwormbankerramnit

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks