ramnit | 6559e803c67cc26809e54fa6fb9787ac5e1183387afa4f436cc3349297d9e18a | Triage

Submit
Reports

Overview

overview

Static

static

6559e803c6...8a.dll

windows7-x64

6559e803c6...8a.dll

windows10-2004-x64

Sharing

General

Target

6559e803c67cc26809e54fa6fb9787ac5e1183387afa4f436cc3349297d9e18a
Size

164KB
Sample

221124-fsdnbaba84
MD5

caf07c4c640fa87062a9769ce836cace
SHA1

1fe87194d8c4c04c857acddd4ad44d14e51c70e4
SHA256

6559e803c67cc26809e54fa6fb9787ac5e1183387afa4f436cc3349297d9e18a
SHA512

0f44fff3fd976ada1c291f5adf9e9ae1be20489f9804dde59f63f01028bb046f4e6ea9d7b7aceb4a5635d31dc079222b847d876341aec4c4429cf0ea54178c66
SSDEEP

3072:xm2PxxtqUEJPPzxvtON5FRUDHGnOBxvWotbXAS:wvX3TO5bMH4OBxvWebXD

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm

Static task

static1

Behavioral task

behavioral1

Sample

6559e803c67cc26809e54fa6fb9787ac5e1183387afa4f436cc3349297d9e18a.dll

Resource

win7-20221111-en

ramnit banker evasion persistence spyware stealer trojan upx worm

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

6559e803c67cc26809e54fa6fb9787ac5e1183387afa4f436cc3349297d9e18a.dll

Resource

win10v2004-20221111-en

ramnit banker evasion spyware stealer trojan upx worm

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  6559e803c67cc26809e54fa6fb9787ac5e1183387afa4f436cc3349297d9e18a
- Size
  
  164KB
- MD5
  
  caf07c4c640fa87062a9769ce836cace
- SHA1
  
  1fe87194d8c4c04c857acddd4ad44d14e51c70e4
- SHA256
  
  6559e803c67cc26809e54fa6fb9787ac5e1183387afa4f436cc3349297d9e18a
- SHA512
  
  0f44fff3fd976ada1c291f5adf9e9ae1be20489f9804dde59f63f01028bb046f4e6ea9d7b7aceb4a5635d31dc079222b847d876341aec4c4429cf0ea54178c66
- SSDEEP
  
  3072:xm2PxxtqUEJPPzxvtON5FRUDHGnOBxvWotbXAS:wvX3TO5bMH4OBxvWebXD
Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Modify Registry

Bypass User Account Control

Disabling Security Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

ramnitbankerevasionpersistencespywarestealertrojanupxworm

behavioral2

ramnitbankerevasionspywarestealertrojanupxworm

© 2018-2024

Terms | Privacy