MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1da2af4d03374487f047533fcf04795dab48c3b862342c0219bab3e5dbb52c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ramnit


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1da2af4d03374487f047533fcf04795dab48c3b862342c0219bab3e5dbb52c4
SHA3-384 hash: 61ead3e18b71efb07bd1045e8981a4be96b19de33c6240530f498b54cd8187dbda57bbd8e6d410fce6f7594d479b37fa
SHA1 hash: 294f35409b2b551d19da913144d60c433e4a329d
MD5 hash: ccccf92266b11c7cedb2c1407882280e
humanhash: colorado-twenty-zebra-hotel
File name:ccccf922_by_Libranalysis
Download: download sample
Signature Ramnit
Create hunting rule
File size:160'204 bytes
First seen:2021-05-05 08:08:31 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 7b7934e66094c0c143762109c757defc (2 x Ramnit)
ssdeep 3072:MnyNyBzvw3LUfoOTvluvVrt9W3jAaAi4dzC:MnZvw3wxQVrt+AJG
Threatray 1'122 similar samples on MalwareBazaar
TLSH 47F304136783C4B3D2A801B58B39CEF496659DDB093E7E0ABE80F9491BE09497637347
Reporter Libranalysis
Tags:ramnit


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'170
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ramnit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/150070/
Detection(s):
Win.Trojan.Ramnit-1849
Create hunting rule

Win.Trojan.Ramnit-1847
Create hunting rule

Win.Virus.Ramnit-9775603-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Searching for the window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ramnit
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37e6c51b-e7b6-48e9-922f-af1d9ba5bd3b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/711643
Signature
Antivirus / Scanner detection for submitted sample
Delayed program exit found
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404748 Sample: ccccf922_by_Libranalysis Startdate: 05/05/2021 Architecture: WINDOWS Score: 88 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus / Scanner detection for submitted sample 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 2 other signatures 2->98 9 loaddll32.exe 17 2 2->9         started        process3 file4 58 C:\Windows\SysWOW64\loaddll32mgr.exe, PE32 9->58 dropped 104 Drops executables to the windows directory (C:\Windows) and starts them 9->104 13 regsvr32.exe 12 1 9->13         started        17 rundll32.exe 9->17         started        19 cmd.exe 1 9->19         started        21 5 other processes 9->21 signatures5 process6 file7 60 C:\Windows\SysWOW64\regsvr32mgr.exe, PE32 13->60 dropped 108 Drops executables to the windows directory (C:\Windows) and starts them 13->108 23 regsvr32mgr.exe 13->23         started        62 C:\Windows\SysWOW64\rundll32mgr.exe, PE32 17->62 dropped 26 rundll32mgr.exe 17->26         started        28 rundll32.exe 1 19->28         started        110 Multi AV Scanner detection for dropped file 21->110 30 rundll32mgr.exe 21->30         started        32 iexplore.exe 104 21->32         started        35 iexplore.exe 103 21->35         started        37 2 other processes 21->37 signatures8 process9 dnsIp10 100 Multi AV Scanner detection for dropped file 23->100 102 Delayed program exit found 23->102 39 iexplore.exe 23->39         started        41 iexplore.exe 26->41         started        43 rundll32mgr.exe 28->43         started        46 iexplore.exe 30->46         started        64 www.msn.com 32->64 66 web.vortex.data.msn.com 32->66 72 5 other IPs or domains 32->72 68 geolocation.onetrust.com 104.20.184.68, 443, 49721, 49722 CLOUDFLARENETUS United States 35->68 70 www.msn.com 35->70 74 8 other IPs or domains 35->74 signatures11 process12 dnsIp13 106 Multi AV Scanner detection for dropped file 43->106 49 iexplore.exe 43->49         started        90 192.168.2.1 unknown unknown 46->90 51 iexplore.exe 46->51         started        54 iexplore.exe 46->54         started        56 iexplore.exe 46->56         started        signatures14 process15 dnsIp16 76 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49770, 49771 YAHOO-DEBDE United Kingdom 51->76 78 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49764, 49765 FASTLYUS United States 51->78 84 10 other IPs or domains 51->84 80 www.msn.com 54->80 86 6 other IPs or domains 54->86 82 www.msn.com 56->82 88 6 other IPs or domains 56->88
Detection:
ramnit
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1da2af4d03374487f047533fcf04795dab48c3b862342c0219bab3e5dbb52c4/
Threat name:
Win32.Worm.Ramnit
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 19:45:48 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
Ramnit
173240b443fdb5cc7ed97cf6eedeb0d823924df3dab6d468c9da2898443f3ac6
Ramnit
2dc2cf646b7c31af83b7e91b3fabcb0c86cefea53aca57ce7e0d52aa943de13c
Ramnit
414d612f1134c580046095e37ead026b1c2fbfa31432e1ee662276286983fa24
Ramnit
712902f16ad8e9570dc1e25dba5f4219f3fdd497d727f08dd98f1c6baa78335b
Ramnit
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
Ramnit
8fa3eaa46c7d8d1f44a2eeca895f802f2aa7a2251bab347ccb765c72d63ccb58
Ramnit
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
Ramnit
9edbdfe197acf70216e52d558ff3c076be7b71c67beaa56f0fe06ef769db144e
Ramnit
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
Ramnit
+ 1'112 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210505-ny6bytjn8j/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
985f1f17203a632b8fb2093278b42e3de3f9a7df1409431b7010df765675198a
MD5 hash:
0f1114d69d2541d8a3e9f9263a0b7e54
SHA1 hash:
8e310de4cb97eaa9395829b816d8968d3a1df9f8
Detections:
win_ramnit_g0
Create hunting rule
win_ramnit_g1
Create hunting rule
win_ramnit_auto
Create hunting rule
Link:
https://www.unpac.me/results/83652027-5e8f-4af2-b8f9-31ced9c35d5d/
Parent samples :
4c460b12b1f4594cb2bb7d67c117cb694614aba1c18abfa1041c76ef47eec44c
9edbdfe197acf70216e52d558ff3c076be7b71c67beaa56f0fe06ef769db144e
f1da2af4d03374487f047533fcf04795dab48c3b862342c0219bab3e5dbb52c4
9303baf8bfa696731486273de443d5424dbe71c01fb856aa31cd778bbd4753b4
a0adbb57264ffd5b728b19b8217ae80ba073a0a440978dde87466ba81ef668de
SH256 hash:
5e805780f4e840580c60a8925a129e78b6b4bcf2a64cc12287c9f2f0ce25c4a4
MD5 hash:
9e57e3a559908c2445d40496210707da
SHA1 hash:
4b6db64c6e560665f13f3974457a880c53a6174e
Detections:
win_ramnit_g0
Create hunting rule
win_ramnit_g1
Create hunting rule
win_ramnit_auto
Create hunting rule
Link:
https://www.unpac.me/results/83652027-5e8f-4af2-b8f9-31ced9c35d5d/
Parent samples :
4c460b12b1f4594cb2bb7d67c117cb694614aba1c18abfa1041c76ef47eec44c
9edbdfe197acf70216e52d558ff3c076be7b71c67beaa56f0fe06ef769db144e
f1da2af4d03374487f047533fcf04795dab48c3b862342c0219bab3e5dbb52c4
9303baf8bfa696731486273de443d5424dbe71c01fb856aa31cd778bbd4753b4
a0adbb57264ffd5b728b19b8217ae80ba073a0a440978dde87466ba81ef668de
SH256 hash:
f1da2af4d03374487f047533fcf04795dab48c3b862342c0219bab3e5dbb52c4
MD5 hash:
ccccf92266b11c7cedb2c1407882280e
SHA1 hash:
294f35409b2b551d19da913144d60c433e4a329d
Link:
https://www.unpac.me/results/83652027-5e8f-4af2-b8f9-31ced9c35d5d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150070/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 09:03:17 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0052] File System Micro-objective::Writes File
2) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
3) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
4) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
5) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
6) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
7) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
8) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
9) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
10) [C0040] Process Micro-objective::Allocate Thread Local Storage
11) [C0041] Process Micro-objective::Set Thread Local Storage Value
12) [C0018] Process Micro-objective::Terminate Process