MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a5fcd571c34b11c0c630c8cf1f50a91a136e931e0057f7f8e3ca36ecd73d993. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Worm.Virut

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	2a5fcd571c34b11c0c630c8cf1f50a91a136e931e0057f7f8e3ca36ecd73d993
SHA3-384 hash:	31448cabb3912b74afbed86b8ee4327c16c495be8c0f5564592cdac1a29eb00ce8aef5fbd3d935e4e0b9c8ec1daedf06
SHA1 hash:	bff968fb18c296edabf8ad52953e7c36ae0bcdea
MD5 hash:	e5e7f440ae47fe295bb93034b1edf3c1
humanhash:	jig-kentucky-oxygen-minnesota
File name:	RAMN.vbs
Download:	download sample
Signature	Worm.Virut Create hunting rule
File size:	173'490 bytes
First seen:	2022-03-12 08:42:41 UTC
Last seen:	2022-04-20 09:53:09 UTC
File type:	vbs
MIME type:	text/plain
ssdeep	3072:dyfkMY+BES09JXAnyrZalI+Y6XXI6EyA3:osMYod+X3oI+YS1tA3
Threatray	16 similar samples on MalwareBazaar
TLSH	T1F304B0C9916E44C2DC063EC5A81437C74B3472739BE80064266FBE489FABDEE8459E79
Reporter	adm1n_usa32
Tags:	dropper ramnit vbs Worm.Virut

Intelligence

File Origin

# of uploads :

# of downloads :

1'270

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/249812/

Detection(s):

SecuriteInfo.com.VBS.Dropper-9.UNOFFICIAL

SecuriteInfo.com.VBS.Dropper-4.UNOFFICIAL

SecuriteInfo.com.VBS.Dropper-1.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/622c5d19b94fb38cb464b774/reports/3c45e700-0829-43f6-9b62-d9c5c568a413/overview

Result

Verdict:

MALICIOUS

Details

Malicious Scriptlet 2 of 7

Detected a malicious pivot typically seen during the 'file-less' pivot commonly seen in malware carriers.

Result

Threat name:

Virut

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/955434

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Drops PE files with benign system names

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: File Created with System Process Name

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

VBScript performs obfuscated calls to suspicious functions

Yara detected Virut

Behaviour

Behavior Graph:

Download SVG

Detection:

ramnit

Link:

https://mwdb.cert.pl/sample/2a5fcd571c34b11c0c630c8cf1f50a91a136e931e0057f7f8e3ca36ecd73d993/

Threat name:

Script-WScript.Worm.Ramnit

Status:

Malicious

First seen:

2021-08-30 20:37:18 UTC

File Type:

Text (VBS)

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fjp42vy4gsyrydddbsgpd5iksgqtn2jr4acx674ohsrw5tlt3gjq._file

Verdict:

malicious

Worm.Virut

4ee7ce2fdad1a287ac5299129c80dfc3fedb2a5eb31a1af706d1fc466cb2839a

Worm.Virut

59561642f32679da96576e2ce946233f8ca58e0ddc07f3047e08a1177a471a8c

Worm.Virut

5a9b347e38b129cdc4fb31e15c01381c60bc4d9c29f3129a78a6f03648e2273c

Worm.Virut

680e418e349d611812a6afd357c39fa4fe3baf32cd95012f9b0632a364f2f349

Worm.Virut

712902f16ad8e9570dc1e25dba5f4219f3fdd497d727f08dd98f1c6baa78335b

Worm.Virut

b41d64df33eff5fe041782eb6b1d54121b35985aaf57ef852dbdf08f4a7abc2e

Worm.Virut

bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90

Worm.Virut

f158a9650580dcf9a875b153192a86e20798c7f01b4a458b668704661e2cc89c

Worm.Virut

+ 6 additional samples on MalwareBazaar

Result

Malware family:

ramnit

Score:

10/10

Tags:

family:ramnit banker evasion spyware stealer trojan upx worm

Link:

https://tria.ge/reports/220312-kmkxnaaea2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Checks computer location settings

Executes dropped EXE

UPX packed file

Modifies firewall policy service

Ramnit

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.86

Link:

https://yomi.yoroi.company/submissions/2a5fcd571c34b11c0c630c8cf1f50a91a136e931e0057f7f8e3ca36ecd73d993

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_VBS_in_ISO Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects ISO files that contain VBS functions
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/249812/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample