MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0df97a0e5fe6fa55e4e8d20b0478a80dfb6d080bca66e630e9f80ed4838facee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Worm.Ramnit


Vendor detections: 14



SHA256 hash: 0df97a0e5fe6fa55e4e8d20b0478a80dfb6d080bca66e630e9f80ed4838facee
SHA3-384 hash: 6c801c651e3f53ff39d05c330b9474276066a3cf6aaab04b8278cc95ec77e98fbfa64d2793782477e3fa31314ae064d4
SHA1 hash: 673530e912626f9d7e99478ff16e64cc14351702
MD5 hash: 45da45b9e7e6a55fcf398dd247288c0c
humanhash: music-aspen-violet-maryland
File name: MouseClick.exe
Signature: Worm.Ramnit
File size: 2'455'552 bytes
First seen: 2022-06-01 17:57:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 68d145a52f4e766ec5a0bf252b652d36 (1 x Worm.Ramnit)
ssdeep 49152:sxCP5Hm8yn0nmTO+TfHdmsJxhW6djMuUqPKKQwDaE0L:sxOzmTPd1oH6K7w8L
TLSH T12BB52285C94424DBC8E8E77147C1CC7255BA8DFD6630362E686BF85BD730A80DA6B732
TrID 54.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
4.1% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 9a65e2d964b059a6 (1 x Worm.Ramnit)
Reporter Anonymous
Tags:32-bit exe ramnit Worm.Ramnit

Intelligence


File Origin
# of uploads :
1
# of downloads :
656
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
MouseClick.exe
Verdict:
Malicious activity
Analysis date:
2022-06-01 18:31:27 UTC
Tags:
trojan ramnit

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a file in the Program Files subdirectories
Launching a process
DNS request
Sending an HTTP GET request
Searching for the window
Changing an executable file
Moving a recently created file
Unauthorized injection to a recently created process
Searching for the browser window
Modifying an executable file
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Setting a global event handler for the keyboard
Query of malicious DNS domain
Infecting executable files
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Found evasive API chain (may stop execution after checking mutex)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Snort IDS alert for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Uses known network protocols on non-standard ports
Yara detected Ramnit
Behaviour
Behavior Graph:
[Behavior graph rendering omitted; Behavior Graph ID: 637766, Sample: MouseClick.exe, Startdate: 01/06/2022, Architecture: WINDOWS, Score: 100]
Threat name:
Win32.Worm.Ramnit
Status:
Malicious
First seen:
2019-06-22 05:40:55 UTC
File Type:
PE (Exe)
Extracted files:
477
AV detection:
28 of 28 (100.00%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
Score:
10/10
Tags:
family:ramnit aspackv2 banker spyware stealer trojan upx worm
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Ramnit
Unpacked files
SH256 hash:
9d1166c09ae4cd951b8e5babace868cef45a09bef57af00a2d4a1a4c2d7fa59b
MD5 hash:
52340284af42b75fa2f9746a3adf095f
SHA1 hash:
7884bef181fd46ee55ea342f26bc223ccdc7e5c2
SH256 hash:
876c5cea11bbbcbe4089a3d0e8f95244cf855d3668e9bf06a97d8e20c1ff237c
MD5 hash:
44e92c4b5f440b756f8fb0c9eeb460b2
SHA1 hash:
ed5bf6e6e4f2b71ba1e0f73381ee64155f9722c2
SH256 hash:
6057d87753daee3c71eb8c0d3cb8582ea88d6e56f02864019db9fd7af3fb4a9f
MD5 hash:
651defc532f0e72be60621696aa97972
SHA1 hash:
43176a96322202fc8fd8901c213fde820d005871
Detections:
win_ramnit_g1 win_ramnit_auto
Parent samples :
SH256 hash:
934315afdd00f54681cd3f76b495add1bd30cd0d561aebcea72db298001e473d
MD5 hash:
c7e1088ad9bcc30ea3d07b5b54eda29b
SHA1 hash:
8535a1c99e04793a744677d51fd96b465328e858
SH256 hash:
cdac75ca851b0942994fe20d539a00eee2f9439fc42229e7efce97fd72b23164
MD5 hash:
b54ece0ddc8f4d33c68488cb070fa799
SHA1 hash:
5eff5f20a22ec5d90300cd8a9de18275c9ab1ad6
SH256 hash:
8614e00ca88b3e163de1017854c6756f0fc3a3b3909ea4cafb472b89544b073f
MD5 hash:
e6b120d87efeb67386bd67c53bae7cf1
SHA1 hash:
eaca0b2ade4ae63fa28058195d576b91f48cda9c
Detections:
win_unidentified_045_g0 win_unidentified_045_auto
SH256 hash:
ae0e77f0901895ba7e43b5b7d9694d0c1bb3d61f59ebf96090c3b074216f43e6
MD5 hash:
c5a52fd912f353f501f285e4f41369e3
SHA1 hash:
db1e69f49d542ce590bcdb50ca96f91fbcbdfe66
Detections:
win_electricfish_auto
SH256 hash:
0df97a0e5fe6fa55e4e8d20b0478a80dfb6d080bca66e630e9f80ed4838facee
MD5 hash:
45da45b9e7e6a55fcf398dd247288c0c
SHA1 hash:
673530e912626f9d7e99478ff16e64cc14351702
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: win_unidentified_045_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.unidentified_045.
Rule name: without_attachments
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the absence of any attachment
Reference: http://laboratorio.blogs.hispasec.com/
Rule name: without_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the absence of any URL
Reference: http://laboratorio.blogs.hispasec.com/
