ramnit | 13fff92ffcdbde76fe7f2581e429a4e5066c8a967af951c4b1d908adf16ba584 | Triage

Submit
Reports

Overview

overview

Static

static

13fff92ffc...84.exe

windows7-x64

13fff92ffc...84.exe

windows10-2004-x64

Sharing

General

Target

13fff92ffcdbde76fe7f2581e429a4e5066c8a967af951c4b1d908adf16ba584
Size

95KB
Sample

221123-sak1wsdg7x
MD5

9cbd0e5352d554efc8980721489a5c60
SHA1

dbe7f67482acbc9e64c754d47cc838ccfc49f821
SHA256

13fff92ffcdbde76fe7f2581e429a4e5066c8a967af951c4b1d908adf16ba584
SHA512

12834d52f9b9e92947d1b5f40bcd3a3e93238a3e9a7ad0261adb5ed41aa188944f7ea200d8fd0e9c4889bcc4184f9c65f009ad3bf055012066faf170fe802475
SSDEEP

1536:bHET961cNvam8ugR3qa8zACqA4/yvxi8yTYuMCyjQR3f7buhG5E8k8jwaaHw7Ko4:4Tg2HFgpqJFT3Ji8wYAF3/uYFk8jwaak

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

13fff92ffcdbde76fe7f2581e429a4e5066c8a967af951c4b1d908adf16ba584.exe

Resource

win7-20221111-en

ramnit banker evasion persistence spyware stealer trojan worm

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

13fff92ffcdbde76fe7f2581e429a4e5066c8a967af951c4b1d908adf16ba584.exe

Resource

win10v2004-20220901-en

ramnit banker spyware stealer trojan worm

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  13fff92ffcdbde76fe7f2581e429a4e5066c8a967af951c4b1d908adf16ba584
- Size
  
  95KB
- MD5
  
  9cbd0e5352d554efc8980721489a5c60
- SHA1
  
  dbe7f67482acbc9e64c754d47cc838ccfc49f821
- SHA256
  
  13fff92ffcdbde76fe7f2581e429a4e5066c8a967af951c4b1d908adf16ba584
- SHA512
  
  12834d52f9b9e92947d1b5f40bcd3a3e93238a3e9a7ad0261adb5ed41aa188944f7ea200d8fd0e9c4889bcc4184f9c65f009ad3bf055012066faf170fe802475
- SSDEEP
  
  1536:bHET961cNvam8ugR3qa8zACqA4/yvxi8yTYuMCyjQR3f7buhG5E8k8jwaaHw7Ko4:4Tg2HFgpqJFT3Ji8wYAF3/uYFk8jwaak
Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm
- Modifies WinLogon for persistence
  persistence
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- UAC bypass
  evasion trojan
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ramnitbankerevasionpersistencespywarestealertrojanworm

behavioral2

ramnitbankerspywarestealertrojanworm

© 2018-2024

Terms | Privacy