Extracted

• • Target

    2025-02-27_8f55ce9352a6fb03e3d87f8ed1ffaa7f_dharma_ramnit

  • Size

    200KB

  • MD5

    8f55ce9352a6fb03e3d87f8ed1ffaa7f

  • SHA1

    1c5d21857b4329fee9257d8608134b2f94ea149c

  • SHA256

    590d3c67a0d4bdcfdabdc579ba3ef3e035144c7b422af7d083d30f6f53ce7cc4

  • SHA512

    3d2dfa038b24aa2e4bfdcef334fbe03679a9c56fcbc47267fb4dd4e2cdbd6906c2711c82573399ee7a91932ac5cec998b9053ffdd68ae61f8f4802d0d48c4b6e

  • SSDEEP

    6144:yw+E6shLjgYIz+X303peGbfUTpYDDmu/+3fbY:ycjgLzs0sG+pG/YY

  Score

  10^/10

  dharmaramnitbankercredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealertrojanupxworm

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Dharma family

    dharma

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit

  • Ramnit family

    ramnit

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Renames multiple (310) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2