ramnit | ca97bd5dbbcb449c0b49f54d9dceff863678578e2fb9293baa10e5790693cf09 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

ca97bd5dbb...09.dll

windows7-x64

ca97bd5dbb...09.dll

windows10-2004-x64

Sharing

General

Target

ca97bd5dbbcb449c0b49f54d9dceff863678578e2fb9293baa10e5790693cf09
Size

638KB
Sample

250228-c5ppkaxyet
MD5

51c8980f12f9f2c24350e5e06ffe8b2e
SHA1

3aa5663d81eb8bae16e3217f206e38a3333e04c6
SHA256

ca97bd5dbbcb449c0b49f54d9dceff863678578e2fb9293baa10e5790693cf09
SHA512

e1638f95566c31c723cfc098690a2beff1eba0f292563ae082d603a5ce0d2b88ccec50abe17e4c42fa56677a588db19b5d9000843fd9a64851179bf29603f422
SSDEEP

12288:TMFaRxiRVw4GEBkvkNbBUT29aCBYC8Hc/sdL9nHGqxHZC5gDG+pG/Y6:TMkxh49kvkNbHCW0d5HG0CeJgY6

Score

10^/10

ramnit zloader plspam plspam banker botnet discovery persistence spyware stealer trojan upx worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ca97bd5dbbcb449c0b49f54d9dceff863678578e2fb9293baa10e5790693cf09.dll

Resource

win7-20240903-en

ramnit zloader plspam plspam banker botnet discovery persistence spyware stealer trojan upx worm

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

ca97bd5dbbcb449c0b49f54d9dceff863678578e2fb9293baa10e5790693cf09.dll

Resource

win10v2004-20250217-en

zloader plspam plspam botnet discovery persistence trojan upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

zloader

Botnet

PLSPAM

Campaign

PLSPAM

C2

http://marchadvertisingnetwork4.com/post.php

http://marchadvertisingnetwork5.com/post.php

http://marchadvertisingnetwork6.com/post.php

http://marchadvertisingnetwork7.com/post.php

http://marchadvertisingnetwork8.com/post.php

http://marchadvertisingnetwork9.com/post.php

http://marchadvertisingnetwork10.com/post.php

Attributes

build_id
27

rc4.plain

Targets

- Target
  
  ca97bd5dbbcb449c0b49f54d9dceff863678578e2fb9293baa10e5790693cf09
- Size
  
  638KB
- MD5
  
  51c8980f12f9f2c24350e5e06ffe8b2e
- SHA1
  
  3aa5663d81eb8bae16e3217f206e38a3333e04c6
- SHA256
  
  ca97bd5dbbcb449c0b49f54d9dceff863678578e2fb9293baa10e5790693cf09
- SHA512
  
  e1638f95566c31c723cfc098690a2beff1eba0f292563ae082d603a5ce0d2b88ccec50abe17e4c42fa56677a588db19b5d9000843fd9a64851179bf29603f422
- SSDEEP
  
  12288:TMFaRxiRVw4GEBkvkNbBUT29aCBYC8Hc/sdL9nHGqxHZC5gDG+pG/Y6:TMkxh49kvkNbHCW0d5HG0CeJgY6
Score

10^/10

ramnit zloader plspam plspam banker botnet discovery persistence spyware stealer trojan upx worm
- Ramnit
  Ramnit is a versatile family that holds viruses, worms, and Trojans.
  trojan spyware stealer worm banker ramnit
- Ramnit family
  ramnit
- Zloader family
  zloader
- Zloader, Terdot, DELoader, ZeusSphinx
  Zloader is a malware strain that was initially discovered back in August 2015.
  trojan botnet zloader
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ramnitzloaderplspamplspambankerbotnetdiscoverypersistencespywarestealertrojanupxworm

behavioral2

zloaderplspamplspambotnetdiscoverypersistencetrojanupx

© 2018-2025

Terms | Privacy