ramnit | 3e43490b5ab19b2c2759481bb5110757e379d97495fc39f85ac3394286f49f5f | Triage

Submit
Reports

Overview

overview

Static

static

3e43490b5a...5f.exe

windows7-x64

3e43490b5a...5f.exe

windows10-2004-x64

Sharing

General

Target

3e43490b5ab19b2c2759481bb5110757e379d97495fc39f85ac3394286f49f5f
Size

420KB
Sample

221121-slmc4aad9z
MD5

0a414330f9b89c38e0733ee2636f9a70
SHA1

aaf101c5b8bcc8b681e5772444a46489db59ce3d
SHA256

3e43490b5ab19b2c2759481bb5110757e379d97495fc39f85ac3394286f49f5f
SHA512

aaf276e55677ff167a88016682f5e9e3c9e68e28094a7a6024d7bca09c853ddeca681b8acff5083688cc7ae8ccfe7919e134d45838a56c523745cdcf099f46ed
SSDEEP

3072:8KMw54w9V4xu4kZ1Zuz7mzVGnM6vKBjALwBVYvOD76vmRigqYSxREepOYenPZcna:xJ5/4g4kZhS5sjLyodSxRExT5UY

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm

Static task

static1

Behavioral task

behavioral1

Sample

3e43490b5ab19b2c2759481bb5110757e379d97495fc39f85ac3394286f49f5f.exe

Resource

win7-20220901-en

ramnit banker evasion persistence spyware stealer trojan upx worm

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

3e43490b5ab19b2c2759481bb5110757e379d97495fc39f85ac3394286f49f5f.exe

Resource

win10v2004-20220812-en

ramnit banker evasion persistence spyware stealer trojan upx worm

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  3e43490b5ab19b2c2759481bb5110757e379d97495fc39f85ac3394286f49f5f
- Size
  
  420KB
- MD5
  
  0a414330f9b89c38e0733ee2636f9a70
- SHA1
  
  aaf101c5b8bcc8b681e5772444a46489db59ce3d
- SHA256
  
  3e43490b5ab19b2c2759481bb5110757e379d97495fc39f85ac3394286f49f5f
- SHA512
  
  aaf276e55677ff167a88016682f5e9e3c9e68e28094a7a6024d7bca09c853ddeca681b8acff5083688cc7ae8ccfe7919e134d45838a56c523745cdcf099f46ed
- SSDEEP
  
  3072:8KMw54w9V4xu4kZ1Zuz7mzVGnM6vKBjALwBVYvOD76vmRigqYSxREepOYenPZcna:xJ5/4g4kZhS5sjLyodSxRExT5UY
Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Blocklisted process makes network request
- Executes dropped EXE
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

ramnitbankerevasionpersistencespywarestealertrojanupxworm

behavioral2

ramnitbankerevasionpersistencespywarestealertrojanupxworm

© 2018-2024

Terms | Privacy