MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ramnit


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb
SHA3-384 hash: 3662148d8608f39884e10d06b0b3fc904c727f31c485772bd11464ae202c854f41c6df16c69a7dba56094c9b76399cbd
SHA1 hash: aab75fca715cd3bfb03782c0d4d9b9a28e6f22d1
MD5 hash: 323bf86aeeab08e1388d51cffc172f53
humanhash: oxygen-louisiana-three-william
File name:323bf86aeeab08e1388d51cffc172f53.exe
Download: download sample
Signature Ramnit
Create hunting rule
File size:212'480 bytes
First seen:2020-11-11 16:03:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c0564d670da24518bbc5c96b3cdd6da6 (2 x Ramnit)
ssdeep 6144:AL5KGJRNzQsiw/jQAUXwHKiByWlWmwpw2:A9vrNMByjQxAH5ByW
Threatray 450 similar samples on MalwareBazaar
TLSH 902401313570C872C09A12B159F4EA106EBF5A2131B981DBB7A8AB6D5F30FE1572670F
Reporter abuse_ch
Tags:exe ramnit

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Creating a window
Reading critical registry keys
Deleting a recently created file
Replacing files
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/531609
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 314905 Sample: 25LFLW1Bu3.exe Startdate: 12/11/2020 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Antivirus detection for URL or domain 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 3 other signatures 2->54 7 25LFLW1Bu3.exe 17 2->7         started        12 KgEjHkJK.exe 2->12         started        14 KgEjHkJK.exe 2->14         started        process3 dnsIp4 36 89.203.248.178, 49732, 80 CDT-ASTheCzechRepublicCZ Czech Republic 7->36 38 xreakmnpmc.xyz 104.31.91.192, 443, 49712 CLOUDFLARENETUS United States 7->38 32 C:\Users\user\AppData\Local\...\KgEjHkJK.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\Local\...\w[1].exe, PE32 7->34 dropped 56 Detected unpacking (changes PE section rights) 7->56 58 Detected unpacking (overwrites its own PE header) 7->58 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 7->60 62 2 other signatures 7->62 16 KgEjHkJK.exe 7->16         started        19 cmd.exe 1 7->19         started        21 WerFault.exe 7 12->21         started        23 WerFault.exe 2 9 14->23         started        file5 signatures6 process7 signatures8 42 Detected unpacking (changes PE section rights) 16->42 44 Detected unpacking (overwrites its own PE header) 16->44 46 Machine Learning detection for dropped file 16->46 25 WerFault.exe 23 9 16->25         started        28 conhost.exe 19->28         started        30 schtasks.exe 1 19->30         started        process9 dnsIp10 40 192.168.2.1 unknown unknown 25->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb/
Threat name:
Win32.Trojan.RanumBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 09:21:59 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5
Ramnit
2c10f6776795d59fe038ed6b7ff9e2d1a710a027a35845e34e4cd5fef17892f8
Ramnit
91a949a238f887601af94c9ab7921352102b1edc24aba6e4ab6d726a8c314843
Ramnit
a99dfa4b60347edac3d2083c96df817bc3dfdc3c206be400723abb594cdb510b
Ramnit
ad5592929818b5ee09b99dddb8a652d84621e0b70efe51c2f2b6ca54aeaa3713
Ramnit
db4a1546780f794d3fc6d3614051778827f609da6c8f7e0c8ff4621e73594817
Ramnit
e934da8d0b455bcdf23e6e9c2fa5580982bf2f9b39a5d0246b2f462bbf1ae141
Ramnit
ebbf1f05b4ebc687893c9989688b139424d0fe6242ab490c7282b7bd6299c187
Ramnit
f1dc32d9d1065e929bea07b26b09210056271a74dcf0e6b4e2d9705590b3753e
Ramnit
f5d6498574e03f954a8b2fed5af8b5bbb4acb1a454ee6da4c9fb6e281f9f4281
Ramnit
+ 440 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/201111-xefe85p4ds/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb
MD5 hash:
323bf86aeeab08e1388d51cffc172f53
SHA1 hash:
aab75fca715cd3bfb03782c0d4d9b9a28e6f22d1
Link:
https://www.unpac.me/results/641d961c-5639-4d26-b1f4-60eda16188af/
SH256 hash:
6c113f9d287a0040a57943dc3a8e4e1849948bef416ad5353edc5224a039bf6e
MD5 hash:
35a9691b3544d70065be69011f23f434
SHA1 hash:
3dea635b492f11c0ff1b45636f81db9b66155a9d
Link:
https://www.unpac.me/results/641d961c-5639-4d26-b1f4-60eda16188af/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Ramnit

Executable exe 2f40f4d8e5fd1aeb0510e07f954f0f22f6d0e6644bae21bfcd5b913696c158cb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/802950/
  
Delivery method
Distributed via web download

Comments