Overview

overview

10

Static

static

3

2025-02-27...ch.exe

windows7-x64

10

2025-02-27...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/02/2025, 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-27_a2ab6183df2e5993bd1caabd8738e14a_frostygoop_poet-rat_ramnit_sliver_snatch.exe

  • Size

    6.0MB

  • MD5

    a2ab6183df2e5993bd1caabd8738e14a

  • SHA1

    c953195e5291954bd6aef6cb89f165387c4895d1

  • SHA256

    0c1b2a64482258bc821a9700c2203768b0f7b3eb590e13919d890becf51a8b7a

  • SHA512

    7934df07e408eadc49312ae9b2aaee5a64b58649fd47af9718b4cf90e306f49b8c5ac459350444c9afdbda28ff9c6a8ea3170e399defabcbd1686032fc91be0d

  • SSDEEP

    49152:YLlt90ZzSvd+rMdmBcHF4mL8jIr1zrAwZK7eFiDrHb2rjPNtBO6NuxpGh5pFN7nO:2lt9b+mV8ju1zJU6NuUpFN7nKGh39LK

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_a2ab6183df2e5993bd1caabd8738e14a_frostygoop_poet-rat_ramnit_sliver_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-27_a2ab6183df2e5993bd1caabd8738e14a_frostygoop_poet-rat_ramnit_sliver_snatch.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Local\Temp\2025-02-27_a2ab6183df2e5993bd1caabd8738e14a_frostygoop_poet-rat_ramnit_sliver_snatchmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2025-02-27_a2ab6183df2e5993bd1caabd8738e14a_frostygoop_poet-rat_ramnit_sliver_snatchmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1504
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2904
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275458 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1cc55ab330354ec35d277b13d6055aa7

    SHA1

    5eef5d97fd3940a9ed14c355f0791d790475d8ee

    SHA256

    59baccbc5206253c3f5bb70ff4a428dd689eced0f958539948f9644f324dc193

    SHA512

    b24abb22bb7bbea876b2a814a6005f304d88ae389cb38c67e3d189141697331cfe429d47d2ee07296119fe0538779e3e6c48dcb183d6c04af7cb0766b221de42

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7e50fcef14417cb462662e1d6a23db85

    SHA1

    15570318013c94205ea22114979d9bb13e4dd6a9

    SHA256

    33ee817bc0471e69e7e84fcf503809f16e1079e2b81e422e95255c1ab3896167

    SHA512

    4252d5b6a3834b1064093a35ae99194a54fcd40bf3a6194ddb9afac52d80273c1228917fdf4e8e56922168f15dc95950f21aa14a46f7cd84f0a8267ae30625e7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    4328ea4e7909457469a34893abc35890

    SHA1

    fb1e6851ef58191e8df80f2fa98f217e8a64e103

    SHA256

    eff511e77e469f63100a6ca182b98ae66d1bb177e645d4ca76f311b80b0e5c35

    SHA512

    ad014c778cd41052068506d7234c3c1278d2349a1193a990ec49b01e04ce4542cd8b565c4bd681944a8f5ebf13c58ebdb8adc7a88edfa3cfa1ac9f4b5e9ca3dd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9c1395edc3bb581842e286a20a006bd9

    SHA1

    3300b34ef215e7ad99cc3cf9719482094905a631

    SHA256

    bfa7a56c06aec15ff088327a5d150e3b6d2f55df55b2d6a8dc7e61458adeefd9

    SHA512

    cad604854cc1804480261180c2cfeebc379922bc86a13ac1bca85acd96ff2352e29dfb0e226040ffdcc8cb11399fdbe7b46b9883b95a68ea7bb12073bc4e5e0d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    123bd7704480cd2c93e81fc51967081c

    SHA1

    b9581b57f1fb0a063f403425c111bba109923196

    SHA256

    91b99a385a92ea9f2a28668461ce83b7a37b25894a9b121b0adcf8b48215832c

    SHA512

    34068ed152f4fc56758ac72c590d24444ba95c4b8b46299bf8050207028a930967b01fe65564b9d32616f214567b81755dee9e6caf27cb569f52156fe925db42

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    17851ff0277de175f58e8592f5b51add

    SHA1

    eda63847f8c80b12c29452775d04466b7c9f3da3

    SHA256

    ce4ca799c775d336ceceef61652c853418588619b05db5117d6fa6f8767e1c89

    SHA512

    f0fbd090f5fb8d05cea123d7fdca3c6bbf301491e677e00e3d11bbde63892f05df01bc929f3c1fafec41e617820fedab5acf91b5a03a1cdf11557f2e38578f61

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1313024ad82611ddb8c9db8ea908d57e

    SHA1

    904e46addc295f2a6889e6226f1f8759c32d86fc

    SHA256

    b0a51493cd0843790158a15b2d28f5f33f0f41d7c65dea629038ebf245f847e0

    SHA512

    2fc0fd72c03aeed1bf9d4655583f621b1e5ba1f84bc2ae563438dae72312dfe09b7957238f2acb4bccf4b43e5b66487e579e27348cb9a3e505230120b21c7dee

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    859c1399517ba53a79744a3949688d0d

    SHA1

    2457b4aae46848f56180dedfe73230e69e017346

    SHA256

    368ff0fca13e83c3b0c4d7e80cfe24ac992ec0aafac4d5eb79730f631e3433cf

    SHA512

    870d5c3b95d82b33bcb21569dbb65717642b000408c73bb9cf8405c48eaf87ea8ef7f23a52a7266cbbfc25d3b520c4ec4fd231bfc5ffff19cfcca9d03dc86747

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ead3410475f205f5bee2529b1497f160

    SHA1

    dc608cb704ea14ca3cafce7cef0255cae7aa964e

    SHA256

    62dc2a8bc5520216394691f4b4b3289f955a3cf7dfa592c09b05e44bb4defd6f

    SHA512

    efed30558741d833e13724744e7e88a212c1a1d9040c38907f787ba6c1e0ce3bb59c79602339e65ae0eadde830480905cd37d552cd6b59af58d2441b5b00b2dc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    eae4b8f6d676d714213263e24ebc120f

    SHA1

    11219c14c4acbd394e72b39a3815b09a86dc4c36

    SHA256

    691d14fa0ab1418c26bee633a58f7e6b1b1f28cc76e470f5e0736709005ba165

    SHA512

    d0ef9e5a0447248d6e34051ef95463cb5717a2f4c964b5983a9a9245e41c9a0a37a045deac6c0f18388aea94afb79fdbf6bc5aba7ee5fa8e9da20b68d8143fad

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    560ab7f78e8c44666f05663cc92bec8c

    SHA1

    0b525fac97303342ffa5020f5ba20ae84fedf80f

    SHA256

    4543e2928678cfac66b865c516f491f59472e6190092b98f2755c26a812c2748

    SHA512

    f54245baa804abe7b009df71c8a7a29051eeb63873ff6f85c1299c2d9c2c4f8a75afca27a25c974dfadadd75133e214b40c5b2359312da2bd549d0f5a1309493

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    aa1ceb54aef88a8cf81a59782dde8634

    SHA1

    3f9a7b7b381583f1935587e5dcc8e1eec2c4814a

    SHA256

    a4d794fa8de0ec3536202e01088a980c9fa755fa7a5b2a5d11a8aa9fc7cdcc0d

    SHA512

    ee1db9a1c61bae4f6a7026187725713406ff86c94b6189fc15d1fc0682e03ff3c1fcac023e658c20661cf7487e403fd058b8c8bcf3f06a0a5ced67f12ca6578b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0dfc34db89d72f8f0cfe0e2af6160a72

    SHA1

    cee2243257c75d6fcc4be8426157f0ee18899b2d

    SHA256

    3e4b68e4e6d10075622d2db5df2319899870c0ab142f6a91488443b50c11da5b

    SHA512

    923960a169bfeccb2bac37467aa3d47b7e8b828fd5e7b0301836d149c00ac7ebb3bdc4167350ab39d4bc926860bceedef46414658b5a047d14368c6f4665729a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    676d0f7f36511fe52468e86b4f79b082

    SHA1

    c5071aab313efc2dc95931d6cec14c751c5372cd

    SHA256

    8f7882064f743a7c6f5ec087921a2f7f4a77126483b8ce45c4bf8e1cc04c8987

    SHA512

    21190925b3d138126e2e3d71e31ebff865ba5029881a9e91f415e54923201170fc9c80cd3e470bc9933b218ec0093d2b45953418be2006a08e6173ed4335f79e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    4e195b529b4eb88301282d967d9f8667

    SHA1

    2f303cfdfc229bb6c4a4d6b76df3706f4730e4f2

    SHA256

    47d9af5edd08291eb96401d6ba0735eb9ae7284cdce88ac24aac349d967fd612

    SHA512

    afa9b54e005909cfe621ee44c0ef588126f18b8aaba6f3d8f6792257881b41cc82444d8c22d5ed98ccb3b2f75128a6a0f48575c882f22bb7969ff4fac5ea66a3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7ebdc6aa60bc0a3c8ac9cee73c990980

    SHA1

    8639c399cbc8e89832c87ebce12634038d3e47bf

    SHA256

    e27383f033bb4871fdfc602d267c8a34ab05f7b065cc15a1e9629a84269e5461

    SHA512

    ff5876e75099fe4e1ab30584d188933a0d94e3816bf420179e8ceb719d322897000e17903368fcda6d0618a0c9841f40991b9038f416c75e1e955c428f7befbc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ce619de9bffbf4cfc3a9e9d841c2ee05

    SHA1

    032ca68fe2b5b2a6b5bb96d3125a6977e04b6bc3

    SHA256

    64818b6ae3dcd4958ed7fc2e6f23ab4cb0955e4417836dd2f79403a791a36ade

    SHA512

    21bc466bc18414ee32b0bcd08b8b23df08672a06cdc232a95fdbd0df8df281e84586925af249843c7d7ce838378114faaa2a7f0fc07ef0c583d620c4b8e8c808

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    a6a6a59aaceb611acfd20c9837c567cb

    SHA1

    fdb8cbf244ba1ad1eaa9749eb3e9f8909d9c5050

    SHA256

    24ea4c8c174083e36c8d46b285437e8179d1d0575d1fffc5d6d8be9f1e6ac794

    SHA512

    00896cdc366155200f91a48ad03da622fdc4d661954bb2dd6a744461852489a79165c44c6f786744d48dad27bc74faa39692706e87a8d023f1acf21b0fe0655c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B63073E1-F4D9-11EF-AE85-F245C6AC432F}.dat
    Filesize

    5KB

    MD5

    2cf617d8e3d6a55e89bf7b61058883c2

    SHA1

    046226a2215c95e7673369da1e7390acaeeb6c36

    SHA256

    0beaac31c2c9360c2b84b2826f3a18bd27ff31ec2a9692b76b0c6ca49c8b9e23

    SHA512

    575a351ece7f60bffaf2df90f7ed95784b7690aee94b7c1b5872a1d72abdc66a52989651eb7a33ff00b53aa13572dea367000759832a21bc5694fbbdf9e265ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab7800.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar78F1.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2025-02-27_a2ab6183df2e5993bd1caabd8738e14a_frostygoop_poet-rat_ramnit_sliver_snatchmgr.exe
    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

    Download Submit

  • memory/2888-10-0x0000000000AC0000-0x00000000010E5000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3008-9-0x0000000000330000-0x0000000000331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3008-12-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3008-11-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/3008-8-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3008-15-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download