MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Ramnit


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
SHA3-384 hash: c2bd0047baab900456e7a2c58c416c4e3d979b5324f9fc6c12164feb6365eaf71262684d63fb9d8caad380197508634d
SHA1 hash: 6ed6b8e9a3dafdffd3eb6e8f9ebeb9cd5bf946e3
MD5 hash: 59c6799d099dfcf591f7eba6e10fc773
humanhash: comet-leopard-blossom-eleven
File name:7330CD3F687528DF21E625E5DDF7C9BC478E1653685B91F26A833F1EE0153B02.exe
Download: download sample
Signature Worm.Ramnit
Create hunting rule
File size:382'464 bytes
First seen:2024-07-24 15:51:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e22fde80595c4bea0880fd6845018d6a (7 x RedLineStealer, 6 x Loki, 6 x Worm.Ramnit)
ssdeep 6144:JfZrS/lrP25xXcVqaUTva3Z3wADUcUd7gW+Iz3z4jEDoC4Wx1xD7oV:JdQlrP25xSxea3Z7fWnroM
TLSH T1B284CF00B7A0D035E5B712F448BB93ACB53E7AA16B3564CB63D46AEE16316E4EC31347
TrID 29.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
21.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
16.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.7% (.SCR) Windows screen saver (13097/50/3)
File icon (PE):PE icon
dhash icon 8ccc9eeeaa8ecccc (1 x N-W0rm, 1 x Worm.Ramnit)
Reporter Anonymous
Tags:exe Worm.Ramnit


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Virus.Wapomi-9802127-0
Create hunting rule

Win.Dropper.Generickdz-9939781-0
Create hunting rule

Win.Trojan.Generickdz-9950759-0
Create hunting rule

Win.Trojan.Generickdz-9951389-0
Create hunting rule

Win.Packed.Crypterx-9954995-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a12329ae21d7902eaf9e7f
Tags:
Execution Generic Network Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Sending an HTTP GET request to an infection source
Modifying an executable file
Query of malicious DNS domain
Connection attempt to an infection source
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66a1237d9149fd55f98ff305/reports/449b4fe0-6f1c-46a1-9512-f2bf0739e35a/overview
Verdict:
Malicious
Labled as:
Wapomi.BA virus
Link:
https://www.hybrid-analysis.com/sample/2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/847a1c97-d5e3-46b1-8130-02a131e42fa0
Result
Threat name:
Bdaejec, RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1480351
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Yara detected Bdaejec
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 15:52:13 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ez2us37k7ulv4b6igfctja7mtdjiull4au2ssb37nvwo7cwocx6q._file
Verdict:
malicious
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:50n aspackv2 discovery infostealer
Link:
https://tria.ge/reports/240724-ta25vaxbmh/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RedLine
RedLine payload
Malware Config
C2 Extraction:
193.106.191.123:34450
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4ab30fc0-705f-4553-a4b5-5554c2c0cd4e
Unpacked files
SH256 hash:
2767de6964de10e75abc9d3d0cabe6b8d388a3b7af8a145f1a4ec88d10339510
MD5 hash:
4ed460470422fe23a6d880ed25b83209
SHA1 hash:
f42368aa1e6caf6c391bb971bc60750aefcfe721
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
RedLine_Campaign_June2021
Create hunting rule
Link:
https://www.unpac.me/results/ca7e15db-7544-4d92-a9c6-84fdee8a7683/
Parent samples :
33c53b90bd463b6615931cb912bfe4bc25aec284b75e7a5df2f1a2d00cdf759e
ae1e3decb43c98f06e878ef6c155627bc96da7081f8805ebb1dd0efe02346c26
343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
456a62ef0aaa0549e4867c3da9f2413f96f1fa8e77a7262e64d6a16e3d7aa63a
2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
7ca89a6f22cb893e863c1bf91e6aff494909a7bb43096ee4b99099f1d355cf62
75cbc91956cfc4c996d770124fc8e5b463ca25385f649aa442a5e398e272466a
d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
27dec375f899651165489656df7d373a5511858e0b60be20763e5cccbe2f0245
305fba30150eb93af89d69366eef465ea9892a78775f41c79343b2b2b33ff442
d84137f81a51a3de088f2b18e4409d653c7dcda854761b63d2d8968824a5f479
57d53aa206e547c03001850bc5c6141bc94f3daf6505f32bd6ab415787b37241
fe7525bd0374eded2a65bb894a599973d6dce62f3149b4de01d57608349c1e11
aece79a736d19ec249f8d188c0f5f041e073e26a9cc34a215066eb62a1167f29
9bc2f72646fcc040a0c11d469f353931f3d6eb606f8fa60bdcbd0fa091e59968
SH256 hash:
e91235274497606449cd88b55806818968beb74b2b07c6d2f1bde7aa63d1273a
MD5 hash:
a579937aa5afe3fa3358c95bdbb00300
SHA1 hash:
6638780c6885831197a3cd7d129ef457524d4b57
Detections:
redline
Create hunting rule
MALWARE_Win_MetaStealer
Create hunting rule
Link:
https://www.unpac.me/results/ca7e15db-7544-4d92-a9c6-84fdee8a7683/
Parent samples :
33c53b90bd463b6615931cb912bfe4bc25aec284b75e7a5df2f1a2d00cdf759e
ae1e3decb43c98f06e878ef6c155627bc96da7081f8805ebb1dd0efe02346c26
343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
456a62ef0aaa0549e4867c3da9f2413f96f1fa8e77a7262e64d6a16e3d7aa63a
2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
7ca89a6f22cb893e863c1bf91e6aff494909a7bb43096ee4b99099f1d355cf62
75cbc91956cfc4c996d770124fc8e5b463ca25385f649aa442a5e398e272466a
d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
27dec375f899651165489656df7d373a5511858e0b60be20763e5cccbe2f0245
305fba30150eb93af89d69366eef465ea9892a78775f41c79343b2b2b33ff442
d84137f81a51a3de088f2b18e4409d653c7dcda854761b63d2d8968824a5f479
57d53aa206e547c03001850bc5c6141bc94f3daf6505f32bd6ab415787b37241
fe7525bd0374eded2a65bb894a599973d6dce62f3149b4de01d57608349c1e11
aece79a736d19ec249f8d188c0f5f041e073e26a9cc34a215066eb62a1167f29
9bc2f72646fcc040a0c11d469f353931f3d6eb606f8fa60bdcbd0fa091e59968
SH256 hash:
8649f7e4e216932a183e51fc921ed31f9d158ae4274f290e36f4fdf62eaa9d8c
MD5 hash:
c875d51539971dd9b84990610b131906
SHA1 hash:
24c526387e9123a399d41e9b6f1a56c9429b5226
Detections:
win_samsam_auto
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
Link:
https://www.unpac.me/results/ca7e15db-7544-4d92-a9c6-84fdee8a7683/
Parent samples :
33c53b90bd463b6615931cb912bfe4bc25aec284b75e7a5df2f1a2d00cdf759e
ae1e3decb43c98f06e878ef6c155627bc96da7081f8805ebb1dd0efe02346c26
343d64201895c63577cd19542df2465a53786c78c40adf533f1b48ff2c1ede33
456a62ef0aaa0549e4867c3da9f2413f96f1fa8e77a7262e64d6a16e3d7aa63a
2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
7ca89a6f22cb893e863c1bf91e6aff494909a7bb43096ee4b99099f1d355cf62
75cbc91956cfc4c996d770124fc8e5b463ca25385f649aa442a5e398e272466a
d04877f9e4a006994b1e7cd831394b6c4c7f5bd787e13927315975d769c21695
27dec375f899651165489656df7d373a5511858e0b60be20763e5cccbe2f0245
305fba30150eb93af89d69366eef465ea9892a78775f41c79343b2b2b33ff442
d84137f81a51a3de088f2b18e4409d653c7dcda854761b63d2d8968824a5f479
57d53aa206e547c03001850bc5c6141bc94f3daf6505f32bd6ab415787b37241
fe7525bd0374eded2a65bb894a599973d6dce62f3149b4de01d57608349c1e11
aece79a736d19ec249f8d188c0f5f041e073e26a9cc34a215066eb62a1167f29
9bc2f72646fcc040a0c11d469f353931f3d6eb606f8fa60bdcbd0fa091e59968
SH256 hash:
0ef885d292d0e9c0b21681c6ed66b8193b227397e087e67aaeb155f8d7001cf4
MD5 hash:
651cda2d8a253f47fcd8fd09937c389b
SHA1 hash:
01e7a7a465a5a84f03ac4e822a9663754309dffd
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/ca7e15db-7544-4d92-a9c6-84fdee8a7683/
SH256 hash:
2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd
MD5 hash:
59c6799d099dfcf591f7eba6e10fc773
SHA1 hash:
6ed6b8e9a3dafdffd3eb6e8f9ebeb9cd5bf946e3
Link:
https://www.unpac.me/results/ca7e15db-7544-4d92-a9c6-84fdee8a7683/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Worm.Ramnit

Executable exe 2675496feafd175e07c831453483ec98d28a2d7c053529077f6d6cef8ace15fd

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeW
KERNEL32.dll::FindNextVolumeMountPointA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FillConsoleOutputCharacterA
KERNEL32.dll::FillConsoleOutputCharacterW
KERNEL32.dll::FlushConsoleInputBuffer
KERNEL32.dll::WriteConsoleInputA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleOutputCharacterA
KERNEL32.dll::WriteConsoleA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileWithProgressW
KERNEL32.dll::MoveFileA

Comments