ramnit | 4b0b477f3376a36b2f7939c30a568069c17a583224e69ffa63e21e748955acfe | Triage

Sharing

General

Target

a31bada21fe1534531c065bde9f789f8
Size

95KB
Sample

240225-g7sapadg64
MD5

a31bada21fe1534531c065bde9f789f8
SHA1

8843e2a81e47c5666f1d3f1e531c9e591dea543e
SHA256

4b0b477f3376a36b2f7939c30a568069c17a583224e69ffa63e21e748955acfe
SHA512

525dc5d5f865f3d6aa7fca2613ea8925e40a76d4c889d2b3dc39de795fe40a3b46dbc1946f8d511ddf7d3fb0d1151547a4aa064a5187dc91e567458b9838aa73
SSDEEP

1536:QY5lAPkj6ri16pxNeRaNAj0yf+/2rlYlS+oqxYxBzHS82G5E8k8jwaaHw7Koj4r3:KkjN1acMAj0dNHxYbS/GFk8jwaaHw7Kw

Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm

Malware Config

Targets

- Target
  
  a31bada21fe1534531c065bde9f789f8
- Size
  
  95KB
- MD5
  
  a31bada21fe1534531c065bde9f789f8
- SHA1
  
  8843e2a81e47c5666f1d3f1e531c9e591dea543e
- SHA256
  
  4b0b477f3376a36b2f7939c30a568069c17a583224e69ffa63e21e748955acfe
- SHA512
  
  525dc5d5f865f3d6aa7fca2613ea8925e40a76d4c889d2b3dc39de795fe40a3b46dbc1946f8d511ddf7d3fb0d1151547a4aa064a5187dc91e567458b9838aa73
- SSDEEP
  
  1536:QY5lAPkj6ri16pxNeRaNAj0yf+/2rlYlS+oqxYxBzHS82G5E8k8jwaaHw7Koj4r3:KkjN1acMAj0dNHxYbS/GFk8jwaaHw7Kw
Score

10^/10

ramnit banker evasion persistence spyware stealer trojan worm
- Modifies WinLogon for persistence
  persistence
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- UAC bypass
  evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ramnitbankerevasionpersistencespywarestealertrojanworm

behavioral2

ramnitbankerspywarestealertrojanworm