ramnit | 46f6f3d642c24915a198afc854c75b61fdd502af2a8719224efbb6eb18fdb335

General

Target

6889adc5ad025fd7d87df2471b0af649.dll
Size

184KB
MD5

6889adc5ad025fd7d87df2471b0af649
SHA1

cdd5b28d6e11a467648a723dc493384ee28d2186
SHA256

46f6f3d642c24915a198afc854c75b61fdd502af2a8719224efbb6eb18fdb335
SHA512

6e9938cf27bc21be4b30e2339545ef715cb4091d4d60ea2f033e01b552294cd8f6e8289391f81f0c70bad533d0fa6dcf5bae3631ff6fca9f8650cdb951b5fc40
SSDEEP

3072:EwHlOS2xtVutM0DGHZpvs7VBUrmVv+uhulMCs2haEp:EwFItpzHTY6rmVv9UGHy

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 1 IoCs

pid	Process
2384	rundll32mgr.exe

Loads dropped DLL 4 IoCs

pid	Process
2952	rundll32.exe
2952	rundll32.exe
2384	rundll32mgr.exe
2384	rundll32mgr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-21-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2384-10-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2408	2384	WerFault.exe	16
2824	2952	WerFault.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2952	2884	rundll32.exe	19
PID 2884 wrote to memory of 2952	2884	rundll32.exe	19
PID 2884 wrote to memory of 2952	2884	rundll32.exe	19
PID 2884 wrote to memory of 2952	2884	rundll32.exe	19
PID 2884 wrote to memory of 2952	2884	rundll32.exe	19
PID 2884 wrote to memory of 2952	2884	rundll32.exe	19
PID 2884 wrote to memory of 2952	2884	rundll32.exe	19
PID 2952 wrote to memory of 2384	2952	rundll32.exe	16
PID 2952 wrote to memory of 2384	2952	rundll32.exe	16
PID 2952 wrote to memory of 2384	2952	rundll32.exe	16
PID 2952 wrote to memory of 2384	2952	rundll32.exe	16
PID 2952 wrote to memory of 2824	2952	rundll32.exe	18
PID 2952 wrote to memory of 2824	2952	rundll32.exe	18
PID 2952 wrote to memory of 2824	2952	rundll32.exe	18
PID 2952 wrote to memory of 2824	2952	rundll32.exe	18

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6889adc5ad025fd7d87df2471b0af649.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6889adc5ad025fd7d87df2471b0af649.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2952

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 180
  2⤵
  - Program crash
  PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 248
1⤵
- Program crash
PID:2824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
9KB

MD5
6908cbf48912eb2fa758063d2e137826

SHA1
cf667f043d3c6230a94efe0505993897e70e9853

SHA256
4875bba3fac9c6c7da089e006a92d337a88de409d5d77be27c96d3f4f48aaf03

SHA512
1bbe65397c20427799c77ad1be11acc4424f187f75cf2bb17753169f991235e478db3183802673ec6dd8428a91e04c852fa2321ad786ccd1722899fcf68f67b8

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
42KB

MD5
51bea73984f9683c3818f04cabc3385b

SHA1
367de6f736b89cc9044f5cbd14f9d5c7fb11f0f2

SHA256
abee7a72fc45151b1aadd1ac9deb4edc81fc274e8a39ac3f7fa5cdda17b358a8

SHA512
b13190779609253492d076b5f238cc461d9b92b534fe02f461c9feb2d44c3a50c3b652dcd69978c984b27d31b82fbcb3214078562f615f87a0e4b6ade496142a

Download Submit
\Users\Admin\AppData\Local\Temp\~TMA6C.tmp

Filesize
39KB

MD5
b5dd49ee311cf82befc626da62bcac60

SHA1
7e82907622da81699ecf2dc5b5d4ffea8a0e8d83

SHA256
67a168497985506ab0a90601cf02493eb5e3f85c35c6b5db671844d336aa064a

SHA512
467a5b6af8eb59974fdd055575f71311eaca7dda62742371811cc60277cd5752d3c81058e1cb60f5279484fcbfa68d1e8664845e3de492defcbe92020251fa59

Download Submit
\Users\Admin\AppData\Local\Temp\~TMA8D.tmp

Filesize
2KB

MD5
2729a72acaa3c682884a9e089a85f6e7

SHA1
7f53c8d9a79788cd10075e87544934abadf69ad3

SHA256
edaa4678d4c6faae57fe9b2e89e49b1ce45d59e2be62828d5a540d5ae3e43770

SHA512
461a43c378ffa63bff864daf3d63be8febe98c1d361a099b36cdfac10f9077a969d37cb54bcc500249975bc710e1879c37ba29af219d99b77d16c5cf1ef3fd71

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
36KB

MD5
31f709686fd8b42c4ccf5fbb82233b34

SHA1
06772f474296f19118a500fc74a982140094dbf4

SHA256
d22704094a3edc0497212c1014f19f640169ea3b859e733dc9d5ea03558652f1

SHA512
b2ae2e2e253550edf853ab49d1e7d8d8542e67add3aca65d8df8fa61253612cd41ee45b8153085a5feedc99d756c0de4f2b4da59091151587589ddd0c1cf1ea2

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
5KB

MD5
279c3df522ccbe2f50c5a54b2925dc29

SHA1
df69ac88d83e404490369504daa4b76e256525f8

SHA256
8daa74b3b3ee78f27cef5693d1aee97b26efa85be2818887e4da05a9e68db33b

SHA512
ff57bbe59e9d244c94fc05d7578763195c8ab80732d2d40cbe0309e43fa2048167d967c7ceb3e90d92e1da2eff8666d7f46ca0d55b2dd59f91996643957b4095

Download Submit
memory/2384-20-0x0000000077260000-0x0000000077370000-memory.dmp

Filesize
1.1MB

Download
memory/2384-15-0x0000000077B20000-0x0000000077B21000-memory.dmp

Filesize
4KB

Download
memory/2384-14-0x0000000077B1F000-0x0000000077B21000-memory.dmp

Filesize
8KB

Download
memory/2384-11-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2384-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2384-17-0x0000000077B20000-0x0000000077B22000-memory.dmp

Filesize
8KB

Download
memory/2384-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2384-22-0x0000000077260000-0x0000000077370000-memory.dmp

Filesize
1.1MB

Download
memory/2384-23-0x0000000077260000-0x0000000077370000-memory.dmp

Filesize
1.1MB

Download
memory/2952-1-0x0000000010000000-0x000000001002F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing