MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ramnit


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5
SHA3-384 hash: 31e252a1fd79376558e763220994944a7a7f5721cf498bda296c684f4b8aafbe53c904c34b10062f4e1f4fa8da45ebb7
SHA1 hash: d0330b0199af3e6c06534fee5cbf9d5e88966bc1
MD5 hash: 931fdd551975cf30ae02f85a90c5ee22
humanhash: connecticut-timing-edward-butter
File name:931fdd551975cf30ae02f85a90c5ee22.exe
Download: download sample
Signature Ramnit
Create hunting rule
File size:220'672 bytes
First seen:2020-11-11 16:04:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b6272d5ac2d9bb0c2485c8426919667b (1 x Ramnit)
ssdeep 6144:1LHMASXEutt8CT8kGeP2AAKnaQpUZ7M3:1rMALuv8COYFaQpsG
Threatray 26 similar samples on MalwareBazaar
TLSH FB24F122BC52DCB2C49F41714861DBA66E7F983112B9429B37AC6B6F4F543D1A332327
Reporter abuse_ch
Tags:exe ramnit

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-9791648-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Creating a window
Reading critical registry keys
Deleting a recently created file
Replacing files
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/531602
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 314902 Sample: halq3HrFP8.exe Startdate: 12/11/2020 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Antivirus detection for URL or domain 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 3 other signatures 2->52 7 halq3HrFP8.exe 17 2->7         started        12 KFdcGbBK.exe 2->12         started        14 KFdcGbBK.exe 2->14         started        process3 dnsIp4 34 89.203.248.178, 49735, 80 CDT-ASTheCzechRepublicCZ Czech Republic 7->34 36 xreakmnpmc.xyz 104.31.91.192, 443, 49732 CLOUDFLARENETUS United States 7->36 30 C:\Users\user\AppData\Local\...\KFdcGbBK.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\Local\...\w[1].exe, PE32 7->32 dropped 54 Detected unpacking (changes PE section rights) 7->54 56 Detected unpacking (overwrites its own PE header) 7->56 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 7->58 60 2 other signatures 7->60 16 KFdcGbBK.exe 7->16         started        19 cmd.exe 1 7->19         started        21 WerFault.exe 2 9 12->21         started        file5 signatures6 process7 signatures8 40 Detected unpacking (changes PE section rights) 16->40 42 Detected unpacking (overwrites its own PE header) 16->42 44 Machine Learning detection for dropped file 16->44 23 WerFault.exe 23 9 16->23         started        26 conhost.exe 19->26         started        28 schtasks.exe 1 19->28         started        process9 dnsIp10 38 192.168.2.1 unknown unknown 23->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 18:20:58 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
2c10f6776795d59fe038ed6b7ff9e2d1a710a027a35845e34e4cd5fef17892f8
Ramnit
2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb
Ramnit
91a949a238f887601af94c9ab7921352102b1edc24aba6e4ab6d726a8c314843
Ramnit
a99dfa4b60347edac3d2083c96df817bc3dfdc3c206be400723abb594cdb510b
Ramnit
ad5592929818b5ee09b99dddb8a652d84621e0b70efe51c2f2b6ca54aeaa3713
Ramnit
db4a1546780f794d3fc6d3614051778827f609da6c8f7e0c8ff4621e73594817
Ramnit
e934da8d0b455bcdf23e6e9c2fa5580982bf2f9b39a5d0246b2f462bbf1ae141
Ramnit
ebbf1f05b4ebc687893c9989688b139424d0fe6242ab490c7282b7bd6299c187
Ramnit
f1dc32d9d1065e929bea07b26b09210056271a74dcf0e6b4e2d9705590b3753e
Ramnit
f5d6498574e03f954a8b2fed5af8b5bbb4acb1a454ee6da4c9fb6e281f9f4281
Ramnit
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/201111-xt5bxz96ea/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5
MD5 hash:
931fdd551975cf30ae02f85a90c5ee22
SHA1 hash:
d0330b0199af3e6c06534fee5cbf9d5e88966bc1
Link:
https://www.unpac.me/results/a7d8a198-1100-4954-8dde-74c76c36c66d/
SH256 hash:
6c113f9d287a0040a57943dc3a8e4e1849948bef416ad5353edc5224a039bf6e
MD5 hash:
35a9691b3544d70065be69011f23f434
SHA1 hash:
3dea635b492f11c0ff1b45636f81db9b66155a9d
Link:
https://www.unpac.me/results/a7d8a198-1100-4954-8dde-74c76c36c66d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Ramnit

Executable exe 28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/802950/
  
Delivery method
Distributed via web download

Comments