General

  • Target

    40ae5686af1d386286a4087e18640a47e9a1406f724207c1988c8d118b4be384

  • Size

    2.9MB

  • Sample

    220708-slxh3afdbj

  • MD5

    1f19f86a6d27e63ec78bb8c6f1b2ca3f

  • SHA1

    86743cbbaee1606e9cb55e110ac4f0a7f8b5abda

  • SHA256

    40ae5686af1d386286a4087e18640a47e9a1406f724207c1988c8d118b4be384

  • SHA512

    7adf7516d9eb69f21ea8d739e8c826e8da9e82bf37a6a5754d1a6378dd80c798a951798ebac62d34b07b7d2f70426114a7d8eb95e68b5bb367899764b526a752

Malware Config

Targets

    • Target

      12ykgyy/download/MiniThunderPlatform.exe

    • Size

      266KB

    • MD5

      5761b0b1f4ba56ef156a8848d1c214cf

    • SHA1

      bea7e9a95457ab67cda2e75757facdeaf88b3cff

    • SHA256

      f1a7a250356418e387d2827dd440b76326586621b4fdd837f8b327d16919827f

    • SHA512

      8a8da092149da09d222ad236ef0f15738d0474fd0016300dda0c8fbc7eb5200a9eb3f90e8944ee5f805717cff247475ec3e0f928e7839daaab71507d34dd4af9

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      12ykgyy/download/atl71.dll

    • Size

      144KB

    • MD5

      b62b589c2f9ac092aa395e24d2065bde

    • SHA1

      b8a0aa139c2675a3f19bf80a3332bc7b98d910ff

    • SHA256

      6be9c04059303edf631a974d0ed971deb8b9301f36f369ab52a3ab6db3fa2b35

    • SHA512

      264559a9e2ec2c24cd3e247990fb6d8978d1926f069391679f0e6d477e9b792a419bc490d1e14ec32935e3898aea23e9e74d746ae14432c16b7bfed12257b267

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      12ykgyy/download/dl_peer_id.dll

    • Size

      89KB

    • MD5

      dba9a19752b52943a0850a7e19ac600a

    • SHA1

      3485ac30cd7340eccb0457bca37cf4a6dfda583d

    • SHA256

      69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

    • SHA512

      a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      12ykgyy/download/download_engine.dll

    • Size

      3.4MB

    • MD5

      f439fadefab179b17e5c209172276ce1

    • SHA1

      f1e27afac4b1e28a8ea26c149bc929fb7ab68c7a

    • SHA256

      ce09928019dd63b7495c33f4e9cabd6d0f49b37afbc55b8072aa54d8fa92badc

    • SHA512

      a959da00d128dc638c5d1860851c534000be2d2bfd44b75a9d744709bdf9a55df9eb4ec3a322543d046ea0d37b63a28c5e8a99b1baca5691f31afadd56469177

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      12ykgyy/download/msvcp71.dll

    • Size

      492KB

    • MD5

      a94dc60a90efd7a35c36d971e3ee7470

    • SHA1

      f936f612bc779e4ba067f77514b68c329180a380

    • SHA256

      6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

    • SHA512

      ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      12ykgyy/download/msvcr71.dll

    • Size

      400KB

    • MD5

      c9a57f461b0c51a0b94c2c3838f4a8cb

    • SHA1

      c2ebe57a27bed1a94d499e44da27f1a3fa60b9ed

    • SHA256

      64fefd29fb57b2493811c24ce99c14e1b6960718eb9337e71442b48cbdb3fac5

    • SHA512

      4870b0b4cf1ec06aa7d3e6ea6a9239270ee5b06b9b63e51e498e74ccbdbccbadc8fdaff4b1b7c3b55afa8f9ff5a3bae6812679dc08295a327bc51b094cf163fd

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      12ykgyy/download/zlib1.dll

    • Size

      58KB

    • MD5

      89f6488524eaa3e5a66c5f34f3b92405

    • SHA1

      330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

    • SHA256

      bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

    • SHA512

      cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      12ykgyy/kugou.exe

    • Size

      923KB

    • MD5

      e20f4505e1ab652125cba81c140711f3

    • SHA1

      032c588022753ae7934a3bc2eeb1dc9ab8df8afa

    • SHA256

      b4bd05b009f3b77e0ccfaa8255ca8bfce8a5d7ac066c6daa119553ea9eb107e8

    • SHA512

      79a0c9fcf0fb2268418d2d20f8c26c534f835901879d496ddf14ebf966aa768e05c3c513893367b8ad9855f40e15e72f8e8acf1f8e5d3372c420eae072fb4f29

    Score
    1/10

    • Target

      12ykgyy/xldl.dll

    • Size

      286KB

    • MD5

      40e8d381da7c2badc4b6f0cdb4b5378f

    • SHA1

      3646338c6a20f17bf4383a8d053ce37681df8ead

    • SHA256

      cb0b0c42dae0a1e946f97f6bda522eb5ad943cb632ba3d19f597ecb3e1f5eb94

    • SHA512

      68dc5128d2e90885ca0e69dced80254e87ab765faefaf152b3cf452b37fb730ec146d4930342ced3f227bd7622a93592526d73567155346de14cd76e5180e7b3

    Score
    3/10

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

Bootkit (T1067): 1

Defense Evasion

Modify Registry (T1112): 7

Tasks

static1
Score: N/A

behavioral1
Tags: ramnit, banker, bootkit, persistence, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral2
Tags: ramnit, banker, bootkit, persistence, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral3
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral4
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral5
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral6
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral7
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral8
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral9
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral10
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral11
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral12
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral13
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral14
Tags: ramnit, banker, spyware, stealer, trojan, upx, worm
Score: 10/10

behavioral15
Score: 1/10

behavioral16
Score: 1/10

behavioral17
Score: 3/10

behavioral18
Score: 3/10