ramnit | 1f6a5564252c6c0bc43ed68e3d07a41eabfea21d4868aadd44891937f8f3604d

General

Target

1f6a5564252c6c0bc43ed68e3d07a41eabfea21d4868aadd44891937f8f3604d.dll
Size

699KB
MD5

6709cc3bb411041f94ef37893a42c75d
SHA1

c80cf20de826434d709f524032c5f8287a3a111a
SHA256

1f6a5564252c6c0bc43ed68e3d07a41eabfea21d4868aadd44891937f8f3604d
SHA512

dee11a33e5661334f263a4acdabcf52a8333e27dbe55b8fb567cbaf4532a8afe22749b04003610f7db4e6f6d97a7af93a0e3d14616bd1bb1db5c81ae1933b38a
SSDEEP

12288:3zb9rMfc+CKUQyUmjtc4euuzPrs9pGp8hunWoopooK9kwP20:3zb1MlCKUQyUmjtczu6Prs9pgWoopoo7

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
1920	rundll32Srv.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-56.dat	upx
behavioral1/files/0x00140000000054ab-59.dat	upx
behavioral1/files/0x00140000000054ab-57.dat	upx
behavioral1/files/0x00140000000054ab-61.dat	upx
behavioral1/files/0x00140000000054ab-62.dat	upx
behavioral1/files/0x00140000000054ab-63.dat	upx
behavioral1/memory/1920-67-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1932	rundll32.exe
1932	rundll32.exe
1004	WerFault.exe
1004	WerFault.exe
1004	WerFault.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1004	1920	WerFault.exe	29

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1932	1896	rundll32.exe	28
PID 1896 wrote to memory of 1932	1896	rundll32.exe	28
PID 1896 wrote to memory of 1932	1896	rundll32.exe	28
PID 1896 wrote to memory of 1932	1896	rundll32.exe	28
PID 1896 wrote to memory of 1932	1896	rundll32.exe	28
PID 1896 wrote to memory of 1932	1896	rundll32.exe	28
PID 1896 wrote to memory of 1932	1896	rundll32.exe	28
PID 1932 wrote to memory of 1920	1932	rundll32.exe	29
PID 1932 wrote to memory of 1920	1932	rundll32.exe	29
PID 1932 wrote to memory of 1920	1932	rundll32.exe	29
PID 1932 wrote to memory of 1920	1932	rundll32.exe	29
PID 1920 wrote to memory of 1004	1920	rundll32Srv.exe	30
PID 1920 wrote to memory of 1004	1920	rundll32Srv.exe	30
PID 1920 wrote to memory of 1004	1920	rundll32Srv.exe	30
PID 1920 wrote to memory of 1004	1920	rundll32Srv.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f6a5564252c6c0bc43ed68e3d07a41eabfea21d4868aadd44891937f8f3604d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f6a5564252c6c0bc43ed68e3d07a41eabfea21d4868aadd44891937f8f3604d.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\rundll32Srv.exe
    C:\Windows\SysWOW64\rundll32Srv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 88
      4⤵
      Loads dropped DLL
      Program crash
      PID:1004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32Srv.exe

Filesize
42KB

MD5
49073a31e6bf259b1a33d15808d4cba9

SHA1
fb149303da7ee1da5b36b6e27f7c9d2244a6b983

SHA256
16a36360e050860a4c6e37d69fbab941e3c93a1cd9ab8d17837029b3e7110ffa

SHA512
9a369bc1cfcaeaf39919a90c2ef5ad01fa31a555dc05ed91065ee373212e1fe50d6ca43d8ec37f147206cdf366e6c5f473d7fb5545b5e6c46c907d7e1d4af38d

Download Submit
\Windows\SysWOW64\rundll32Srv.exe

Filesize
42KB

MD5
49073a31e6bf259b1a33d15808d4cba9

SHA1
fb149303da7ee1da5b36b6e27f7c9d2244a6b983

SHA256
16a36360e050860a4c6e37d69fbab941e3c93a1cd9ab8d17837029b3e7110ffa

SHA512
9a369bc1cfcaeaf39919a90c2ef5ad01fa31a555dc05ed91065ee373212e1fe50d6ca43d8ec37f147206cdf366e6c5f473d7fb5545b5e6c46c907d7e1d4af38d

Download Submit
\Windows\SysWOW64\rundll32Srv.exe

Filesize
42KB

MD5
49073a31e6bf259b1a33d15808d4cba9

SHA1
fb149303da7ee1da5b36b6e27f7c9d2244a6b983

SHA256
16a36360e050860a4c6e37d69fbab941e3c93a1cd9ab8d17837029b3e7110ffa

SHA512
9a369bc1cfcaeaf39919a90c2ef5ad01fa31a555dc05ed91065ee373212e1fe50d6ca43d8ec37f147206cdf366e6c5f473d7fb5545b5e6c46c907d7e1d4af38d

Download Submit
\Windows\SysWOW64\rundll32Srv.exe

Filesize
42KB

MD5
49073a31e6bf259b1a33d15808d4cba9

SHA1
fb149303da7ee1da5b36b6e27f7c9d2244a6b983

SHA256
16a36360e050860a4c6e37d69fbab941e3c93a1cd9ab8d17837029b3e7110ffa

SHA512
9a369bc1cfcaeaf39919a90c2ef5ad01fa31a555dc05ed91065ee373212e1fe50d6ca43d8ec37f147206cdf366e6c5f473d7fb5545b5e6c46c907d7e1d4af38d

Download Submit
\Windows\SysWOW64\rundll32Srv.exe

Filesize
42KB

MD5
49073a31e6bf259b1a33d15808d4cba9

SHA1
fb149303da7ee1da5b36b6e27f7c9d2244a6b983

SHA256
16a36360e050860a4c6e37d69fbab941e3c93a1cd9ab8d17837029b3e7110ffa

SHA512
9a369bc1cfcaeaf39919a90c2ef5ad01fa31a555dc05ed91065ee373212e1fe50d6ca43d8ec37f147206cdf366e6c5f473d7fb5545b5e6c46c907d7e1d4af38d

Download Submit
\Windows\SysWOW64\rundll32Srv.exe

Filesize
42KB

MD5
49073a31e6bf259b1a33d15808d4cba9

SHA1
fb149303da7ee1da5b36b6e27f7c9d2244a6b983

SHA256
16a36360e050860a4c6e37d69fbab941e3c93a1cd9ab8d17837029b3e7110ffa

SHA512
9a369bc1cfcaeaf39919a90c2ef5ad01fa31a555dc05ed91065ee373212e1fe50d6ca43d8ec37f147206cdf366e6c5f473d7fb5545b5e6c46c907d7e1d4af38d

Download Submit
memory/1920-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-55-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1932-64-0x0000000005000000-0x00000000050B4000-memory.dmp

Filesize
720KB

Download
memory/1932-66-0x00000000001E0000-0x0000000000214000-memory.dmp

Filesize
208KB

Download
memory/1932-65-0x00000000001E0000-0x0000000000214000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing