ramnit | 08dc04ab87a5e1c66236aaf4470dd32a60cb025602d3934acaaee98f1a3417bf | Triage

Sharing

General

Target

08dc04ab87a5e1c66236aaf4470dd32a60cb025602d3934acaaee98f1a3417bf.exe
Size

222KB
Sample

250102-h82festjbq
MD5

e009e24d056f2a640f4857fffa857350
SHA1

e2da634e67c7efc75173322e7a15597304bf1ead
SHA256

08dc04ab87a5e1c66236aaf4470dd32a60cb025602d3934acaaee98f1a3417bf
SHA512

d2996e9af06e7f722005d1b36fbe91a155ed61a277bad282efc0a9b1a2e5efe7bb34ef781ca7fa198425fa5379945d1f0e075e83dff97dc1cd81b4128084cf96
SSDEEP

3072:BezgwwPGuEZbPfIGl3H/jQLBvBt0M1qCWzJP0ruTTBaClHpspom7ffrAmpI:BezgyuEZ4wH0LBf0dJ5TTBZbspom7bXW

Score

10^/10

ramnit banker discovery evasion persistence spyware stealer trojan upx worm

Malware Config

Targets

- Target
  
  08dc04ab87a5e1c66236aaf4470dd32a60cb025602d3934acaaee98f1a3417bf.exe
- Size
  
  222KB
- MD5
  
  e009e24d056f2a640f4857fffa857350
- SHA1
  
  e2da634e67c7efc75173322e7a15597304bf1ead
- SHA256
  
  08dc04ab87a5e1c66236aaf4470dd32a60cb025602d3934acaaee98f1a3417bf
- SHA512
  
  d2996e9af06e7f722005d1b36fbe91a155ed61a277bad282efc0a9b1a2e5efe7bb34ef781ca7fa198425fa5379945d1f0e075e83dff97dc1cd81b4128084cf96
- SSDEEP
  
  3072:BezgwwPGuEZbPfIGl3H/jQLBvBt0M1qCWzJP0ruTTBaClHpspom7ffrAmpI:BezgyuEZ4wH0LBf0dJ5TTBZbspom7bXW
Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm evasion
- Modifies firewall policy service
  evasion
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Ramnit family
  ramnit
- Server Software Component: Terminal Services DLL
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Server Software Component

Terminal Services DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ramnitbankerdiscoverypersistencespywarestealertrojanupxworm

behavioral2

discoveryevasionpersistenceupx