ramnit | ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406 | Triage

Submit
Reports

Overview

overview

Static

static

ffc961c731...06.dll

windows7-x64

ffc961c731...06.dll

windows10-2004-x64

Sharing

General

Target

ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406
Size

163KB
Sample

221123-vqxezahf98
MD5

2ad25d81e8d455471a4f9f803acd02ce
SHA1

0580f084f662cf2b79896eceec2cc57e44e95507
SHA256

ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406
SHA512

56a5d0e48c49918130b173291d75f41c73f85e63615d11ad64bf25ee5fcb97404e8521253a097f7cffa8432693abb8b1394c04d1601f6e69066985cdb7709a77
SSDEEP

3072:nv4tCk6tj9tnCRLMGbwQG52xKUgfyFRsxxulukd0pF:vMAtCRYGbG52gUHRU

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406.dll

Resource

win7-20220812-en

ramnit banker evasion persistence spyware stealer trojan worm

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406.dll

Resource

win10v2004-20220812-en

ramnit banker spyware stealer trojan worm

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406
- Size
  
  163KB
- MD5
  
  2ad25d81e8d455471a4f9f803acd02ce
- SHA1
  
  0580f084f662cf2b79896eceec2cc57e44e95507
- SHA256
  
  ffc961c73149fae4c1abc94f066190b77f8c20f5c5c21bbcc0ae0da0d11c9406
- SHA512
  
  56a5d0e48c49918130b173291d75f41c73f85e63615d11ad64bf25ee5fcb97404e8521253a097f7cffa8432693abb8b1394c04d1601f6e69066985cdb7709a77
- SSDEEP
  
  3072:nv4tCk6tj9tnCRLMGbwQG52xKUgfyFRsxxulukd0pF:vMAtCRYGbG52gUHRU
Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm
- Modifies WinLogon for persistence
  persistence
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- UAC bypass
  evasion trojan
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Modify Registry

Bypass User Account Control

Disabling Security Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

ramnitbankerevasionpersistencespywarestealertrojanworm

behavioral2

ramnitbankerspywarestealertrojanworm

© 2018-2024

Terms | Privacy