Overview

overview

10

Static

static

10

2025-02-27...ch.exe

windows7-x64

10

2025-02-27...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    27/02/2025, 06:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatch.exe

  • Size

    3.8MB

  • MD5

    04ba1382d3b32b13b5be3e1dc1bf9a0c

  • SHA1

    e10fbf5f3b3c4f8a948471346e3db15fd8743490

  • SHA256

    471ed649fe4f91930ff3b2dcbd14c47904975844a22269635deda338e2bc8498

  • SHA512

    f7152d5684655decd1896d97014641522153e0e648abb279029a48b9a7f50e27be3b9eff31ac8889735302e561a25a9cde9a8dd4eed580453068260e1c7b7143

  • SSDEEP

    49152:TcV8Ytr1dhrwierOjeAzBruTqQt02+Pg1:TWrHh28gqQ+Q

Score
10/10
ramnitzebrocybackdoorbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Zebrocy

    Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.

    trojanbackdoorzebrocy
  • Zebrocy Go Variant 2 IoCs
  • Zebrocy family
    zebrocy
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatch.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Users\Admin\AppData\Local\Temp\2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatchmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatchmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2828
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    fc95262c988107d294d545e1c2d39527

    SHA1

    6c0a20103842d1ecc66d68087885408aeb7536af

    SHA256

    1351268a7590af18187968053f8734bf46071b11ccdf1d877300d173c46a11b0

    SHA512

    18a4ed2276d81fcd9e13a39f73a5d72f85c6910ed1f5e8e05318f57f665fd70b7a0943330292ab1e63dd9206a47856b8aa8d48a0299ecea72c9e39bc40ae3b20

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    b8814abc68b95d3ab12285a2e0846ec7

    SHA1

    44e93fef934c3451327596e7e48e4acee188d32a

    SHA256

    b6005752ffb4fe48b5cc452192b46ae8dd772c8c553a59db3db639ac0eb2f884

    SHA512

    f93b7574d985f718b606c6cdd77d8c7130a91684fd4c04ebf80e66ff6d2c159197338dc93d7e2e0c3d0e208bd40bc418790e15e516201db5baea454ad407548c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9321dfb1ee6a4ecf6d0fa9e212042de0

    SHA1

    966ac82aa4c43c6cbf4958413246dc5a740187e9

    SHA256

    91db542be0be03d59573921d1b7db13de85cd6542557ddd6bf77765e7128e774

    SHA512

    57df66640e6eef2e8fe87ff8336aa511f73bbd0bf1e74d80257ba21ca1e4767dcce51b838a14b9f1ce3dd041a3c92ff19d51c4585f1e0d9b7fa1bf66d2517855

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    4cd633997a3348a3acfb25121815f3d0

    SHA1

    e8c7ce40393dd666385fa54f86967b64c5562c8e

    SHA256

    f580c395aad12c03fdc56446c41556ec61a8d668b8e678c194b7c359216da64c

    SHA512

    cc23d910f26f9aa7dd0b6fc0bc3ac2166cd088271066b4b8ccf70b92914ddec75aea7d982c28c1195daa3b5a49323567e98da604903051775961c2808e9bcf51

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7ddba9a06f56e4fe7191ec8e719e696a

    SHA1

    dede41654497153fead70d4de450247e08e834db

    SHA256

    159473b5742d5c87be29a6884f7dafda490e3bd0cb357d71ea02b9ee1664c0e4

    SHA512

    344f1c9ca5696445a8745f4d9551345c09e6556b0f180f0dffad184f4da4ae4815cd0e8bdef93043cd580c20fe224a0710c022e36279fcf20503b2b41c12eb00

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    371622c493b80f02d56519d030d541f8

    SHA1

    83dd7364eb9ffaa4f1b6ee066840cadad7554b4a

    SHA256

    f21478a5c32fcaf1a555bae0841d000866884dbef7e40d1a1e3cb322a6d62e56

    SHA512

    2f38c71906799ace81e1c9913f0c9a53296c1ff2a76f22e759264cbe17c9cd2287ea60548001a38eff97b6f639e11d2400fb689b2a135e388f6ed59df33e8bf1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    dc4ddb8b054a3dde622ae6ad7b3a7c41

    SHA1

    dc5ba50425ac0c115aa04baba30ecc6ae2303477

    SHA256

    b03f76eddd15058aac0793d251eb54e0b60d9a4cdf9b1155eb37c26cb013d1f7

    SHA512

    7a9de7dcfcf64998ad1d3b58a8731e2f111577faa2ff63193e9097947d5e275e1d9a6c2f24deb189dba45d57c0861628afea8214b236958530603f33e7f24c4a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6f00d0e919e64fe860cbedb76020488b

    SHA1

    f70e157d2ca882f685ea1c9b1acc806b50544f03

    SHA256

    7bf91ce593d667936100a4bb718b50c0cf8d7330f6d28ad481b10dd3b5ddcf87

    SHA512

    a6bec0169cbebf64b8d6e94e53878b3787fb904a05143552f5909fd6a2cbf0729c98dbd15d805044bd22f9bd528b11fd7f7ca3417bf1d6e0ab8fe4519e966b1a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    a0e21baa14d9db429f6787ac56a08776

    SHA1

    b4fcedf177d2bfa2d9c86fb396a59b0f95a5b10a

    SHA256

    7b28ae37fba12b2141db62744cf0eb9d3bd0f0fb2c3c00d84204a38d73768fb2

    SHA512

    d3654ba8c6e8e97d7f4cc5162fbf26f1a4b1532618e173ee44bd44e1cd7574ab36c440d2c7c7ff83cf960b6689ebce6c2e9fc3ca00d16bf8bb9b8e75112a37c0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6cb244050ff6cea6a3e9c652d2cdaad9

    SHA1

    bc364464154eb8854f05a5d208fd6e0910a906bf

    SHA256

    74a0d6282d423178b7bdb4c0129fcd2ca6aa19a5d4427b358f74f7ddb01f9741

    SHA512

    8054db04003a9bf3ce12d04b48cc6f6271eb427be89c8dccd1c83d4c5a3baa2f1d0ce28fc47864cb0e4ca3d0e10175d84517a70cc40a905a203518f254c87fa4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5ad2a7cf487ae687243696391dd9af1f

    SHA1

    852e6af1346b355c96ebf82d5b2e370b2f6e3027

    SHA256

    b34fb3f138cc9d2e5b3528ebe1cea38b0920e335f7b40a6ee8da44244037e371

    SHA512

    9e103a8021541d51b2a78c85baee1cfcfaabce651d0edaf66eb782346e4170a631458c2a62f230289ff04ba1adab3e47618c52041ed2137650d5dac3148469eb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e7a6f526d6ac45f64b7768a2c7908228

    SHA1

    dea106387950cb43026d1e5d0f076d0590f631a8

    SHA256

    2190d841169abf83012231febb8c945fddb076aee7dc1d5a2676825463bb9b0c

    SHA512

    caf4cea618068c2eed8927f9fe1cf355b91ba272c9c51369385f1b7b09c3b68b25e2ab823641f4abeaa9276b8b884c60c1002ad19649a8674e62b3e5e98891af

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1f56783ff0e45f7cd3538c895a2267de

    SHA1

    d5b9329bb8ba4934125fd5eb2c37b8aa0569f30d

    SHA256

    0ee205560f291441265c33a1afac984f1df44585ec2ed33490404e1eee21d66a

    SHA512

    aae71242f5e70d02e14784e59e7d74ced9afe2928ade6f1a3e4dc3b6323712bb71ff4460430ac82d1f88755ae8dee2992bc5acc1da2689b05eaaf8e232049802

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    3c7b8ed8d887ac3c3446e9af621273e4

    SHA1

    0884c5596dc2c792adc40d331999242466a117e8

    SHA256

    daa927b1acf197a6fa35a482148ea6046c9ec87de2766ca6044686686a032f46

    SHA512

    34dd4be0754ff410a7d1d54d3811b00b5e6657d986e97dcb46427140f31f45585976feb8482866dffa6629a37865a95d8a52843ee29cbe82e1d8f156b7077151

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8084a39935bffe14fa78586ef46f6e95

    SHA1

    d9878f42fc62d15aeb43dff36e7ffcbdf2680634

    SHA256

    4daa9ef0a0e0d6db612a5e6c6abab2f7afcc54ef1b0a8934e34c7867b7bc8de5

    SHA512

    985c5293a54809c8c5acde0abf5f3816d83e4a2ef0f08c290abaca3c14c3d98c514cf9c42ba191da342347db900ec5cbffe86b2d8856d7e74f5694b967a8caac

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    15754f36e20b8bdb93b70eae665cde58

    SHA1

    5443337f55e989b1d3606ed948328d01a151af09

    SHA256

    53d166c1fcdf45e1d9dcdcf372209413ee6dcefba70dfc770220b0dcff729ea2

    SHA512

    3a08ab80ef3b1187b82046980e95ccbb82589071558e0f1060707557d15c052a7309dad74b20fe212e5b7323baa02ee2338d9616c76de39bcbb2fec4f217c648

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    eda85ec109e455c9ff0e3a788d5c160c

    SHA1

    557444119be662d0f7b06af82b012984df156bbf

    SHA256

    ab5d2562f14d93809b42b5342f0438898f14667fd24ee31c7ad0152ac304ba51

    SHA512

    8c48109c0c7fb70791e9716a2a3f96bcc4c2915ed32739910f54ca76d804f6035503de5c51695b584539a77cea146b1f6d2e399b03db0d664a28169e183b5651

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A9368CC1-F4D3-11EF-AA78-72B5DC1A84E6}.dat
    Filesize

    4KB

    MD5

    6106f8789a8830d76b0903fa3f0aa369

    SHA1

    6fe3d4b1dc2d5dcf51dfaead70f3472d016b468c

    SHA256

    fbe17e12c8b7725f6e20ebd22a2da1160cce705ae368ed7dfc37592cfd772a80

    SHA512

    38b3a48f45a94cc73517508a7dce118b79af5e71ebe67b656657a93d2505864990296730608ee3a9524c961245ed76793f5fbe100aefbb259ffefd422e3eb305

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_04ba1382d3b32b13b5be3e1dc1bf9a0c_ramnit_sliver_snake_snatchmgr.exe
    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabE092.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarE1A2.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • memory/2260-20-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2260-17-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2260-16-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2260-14-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2260-15-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2260-13-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2260-11-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2260-12-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-1-0x0000000000400000-0x00000000007EB000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2540-18-0x0000000000400000-0x00000000007EB000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2540-9-0x0000000000300000-0x000000000035D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2540-10-0x0000000000300000-0x000000000035D000-memory.dmp

    Filesize

    372KB

    Download