ramnit | 4708bac148c1354efa086007eb4c5652851ad63f4490cb659b999957984925e9 | Triage

Sharing

General

Target

4708bac148c1354efa086007eb4c5652851ad63f4490cb659b999957984925e9
Size

292KB
Sample

221027-f8d9saahhr
MD5

0bb8cd8c15d83ecf1691797cec23e5f0
SHA1

3166b77481b08d270bd8cb1c432bd67398f8a1e2
SHA256

4708bac148c1354efa086007eb4c5652851ad63f4490cb659b999957984925e9
SHA512

d7651e3d585e3c4766682576b7ee89c81a29f9e0adaa1aa97af9b1a7e778b629812d84a8ce2793f4d8622d1f728dcf505e65c55e63f514f9e395ff695f483e0b
SSDEEP

6144:RyBK8GMRovbL43fPf6jXdmFDYoCCcUrHX4OKCwEo6v:UDTovP43nfemFWUrHX4OXwd6v

Score

10^/10

ramnit 28 ��1 banker persistence spyware stealer trojan worm

Malware Config

Extracted

Family

ramnit

Botnet

��1

C2

malesaqua.eu:442

Attributes

campaign_timestamp
1.506273416e+09
compile_timestamp
1.505999145e+09
dga_seed
4.13789472e+09
listen_port
0
num_dga_domains
100

xor.base64

rc4.plain

rsa_pubkey.base64

Extracted

Family

ramnit

Botnet

28

C2

malesaqua.eu:442

Attributes

campaign_timestamp
1.506273416e+09
compile_timestamp
1.505999145e+09
dga_seed
4.13789472e+09
listen_port
0
num_dga_domains
100

xor.base64

rc4.plain

rsa_pubkey.base64

Targets

- Target
  
  4708bac148c1354efa086007eb4c5652851ad63f4490cb659b999957984925e9
- Size
  
  292KB
- MD5
  
  0bb8cd8c15d83ecf1691797cec23e5f0
- SHA1
  
  3166b77481b08d270bd8cb1c432bd67398f8a1e2
- SHA256
  
  4708bac148c1354efa086007eb4c5652851ad63f4490cb659b999957984925e9
- SHA512
  
  d7651e3d585e3c4766682576b7ee89c81a29f9e0adaa1aa97af9b1a7e778b629812d84a8ce2793f4d8622d1f728dcf505e65c55e63f514f9e395ff695f483e0b
- SSDEEP
  
  6144:RyBK8GMRovbL43fPf6jXdmFDYoCCcUrHX4OKCwEo6v:UDTovP43nfemFWUrHX4OXwd6v
Score

10^/10

ramnit ��1 banker persistence spyware stealer trojan worm 28
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

ramnit��1bankerpersistencespywarestealertrojanworm

behavioral2

ramnit28��1bankerpersistencespywarestealertrojanworm