dharma

General

Target

2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit
Size

201KB
Sample

250227-hy12xa1kw4
MD5

a43619354027879e0dae80878636389f
SHA1

bc7ce81b1388890a697a7480941e1659264fa462
SHA256

104b4ec8a7c39ba5f87be908d86a5e4f34fce70e5ae4992f8435837c2d8fb448
SHA512

7ea3706cb447c96c040dd397ede4c5047895a69639cd6b8524434ff71b9e0cbeb61563f0d80b464ffe0cb6088e54b618cbfbb0be50e841003aae88f0dbfb9c92
SSDEEP

6144:yw+E6shLwFZBh/kFdMyJeGbfUTpYDDmu/+3fbe:ycIZCdMy8G+pG/Ye

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Targets

- Target
  
  2025-02-27_a43619354027879e0dae80878636389f_dharma_ramnit
- Size
  
  201KB
- MD5
  
  a43619354027879e0dae80878636389f
- SHA1
  
  bc7ce81b1388890a697a7480941e1659264fa462
- SHA256
  
  104b4ec8a7c39ba5f87be908d86a5e4f34fce70e5ae4992f8435837c2d8fb448
- SHA512
  
  7ea3706cb447c96c040dd397ede4c5047895a69639cd6b8524434ff71b9e0cbeb61563f0d80b464ffe0cb6088e54b618cbfbb0be50e841003aae88f0dbfb9c92
- SSDEEP
  
  6144:yw+E6shLwFZBh/kFdMyJeGbfUTpYDDmu/+3fbe:ycIZCdMy8G+pG/Ye
Score

10^/10

dharma ramnit banker credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx worm
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Ramnit family
  ramnit
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (311) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2