ramnit | 12af93d29007b28f8e5cd5db210de0b91e0e84ca318893a79d0efc11f813fb9d | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

12af93d290...9d.dll

windows7-x64

12af93d290...9d.dll

windows10-2004-x64

Sharing

General

Target

12af93d29007b28f8e5cd5db210de0b91e0e84ca318893a79d0efc11f813fb9d
Size

256KB
Sample

221205-qnx69sgh5x
MD5

5129a643720990da5ac6f1d0d7bd4181
SHA1

57cd9af7745ee0e4b68124bbb8851964d1653cd0
SHA256

12af93d29007b28f8e5cd5db210de0b91e0e84ca318893a79d0efc11f813fb9d
SHA512

9553055fa78c86fd7e51f3bc1454bd7b9aa59a0dc4a25a8e660fbd7a62861b7ca066b52f4d67980e06b487c30695f8a4a9deecbed6a17bb8d664d81bec05bfcb
SSDEEP

3072:54vRJRkTcZ7fcxdl5CTqBoEBClwrnfJMtZbzOPrLRiwte9I1yi5fEB1msmU580Xs:5OHngrYuyRmsm28KJ0I7

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm

Static task

static1

Behavioral task

behavioral1

Sample

12af93d29007b28f8e5cd5db210de0b91e0e84ca318893a79d0efc11f813fb9d.dll

Resource

win7-20221111-en

ramnit banker evasion persistence spyware stealer trojan upx worm

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

12af93d29007b28f8e5cd5db210de0b91e0e84ca318893a79d0efc11f813fb9d.dll

Resource

win10v2004-20220812-en

ramnit banker evasion spyware stealer trojan upx worm

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  12af93d29007b28f8e5cd5db210de0b91e0e84ca318893a79d0efc11f813fb9d
- Size
  
  256KB
- MD5
  
  5129a643720990da5ac6f1d0d7bd4181
- SHA1
  
  57cd9af7745ee0e4b68124bbb8851964d1653cd0
- SHA256
  
  12af93d29007b28f8e5cd5db210de0b91e0e84ca318893a79d0efc11f813fb9d
- SHA512
  
  9553055fa78c86fd7e51f3bc1454bd7b9aa59a0dc4a25a8e660fbd7a62861b7ca066b52f4d67980e06b487c30695f8a4a9deecbed6a17bb8d664d81bec05bfcb
- SSDEEP
  
  3072:54vRJRkTcZ7fcxdl5CTqBoEBClwrnfJMtZbzOPrLRiwte9I1yi5fEB1msmU580Xs:5OHngrYuyRmsm28KJ0I7
Score

10^/10

ramnit banker evasion persistence spyware stealer trojan upx worm
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ramnitbankerevasionpersistencespywarestealertrojanupxworm

behavioral2

ramnitbankerevasionspywarestealertrojanupxworm

© 2018-2025

Terms | Privacy