MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fdad49049078d3ac7495a956bba7cffe07200354a6105f76a60a60993779776. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Ramnit


Vendor detections: 10


Intelligence 10 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fdad49049078d3ac7495a956bba7cffe07200354a6105f76a60a60993779776
SHA3-384 hash: 20d7c37d240089939967cf387b789964658426e0f8d91f70a2caa6c12138c126c45b5a68a12c3c99d5ae555e24be4c42
SHA1 hash: 9d4bb38c600b2b293d13d5862844683f0961b8ad
MD5 hash: 56308ab59945013c5c10ec41d3ced252
humanhash: hamper-beer-low-nuts
File name:AIBIJIAO 12.exe
Download: download sample
Signature Worm.Ramnit
Create hunting rule
File size:50'388'992 bytes
First seen:2024-07-24 20:20:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 296f66fd7ff91755bf6e94027b2eea4b (1 x Worm.Ramnit)
ssdeep 786432:9+9iYwdyesqQVt5aY6YiY4NJz2jAXYbzs71Us+V8UoO71:9+8nsqQVW2jAXCsRUv8UoOR
TLSH T140B7F142F361C4F1F05551319866DB39EAB1BE258824471B26A9FA0F6B333D21E7BF06
TrID 35.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
16.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
16.2% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
10.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.4% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 8cb4727e786ccc8e (1 x Worm.Ramnit)
Reporter Anonymous
Tags:exe Worm.Ramnit


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
CN CN
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a1623bae21d7902eafc199
Tags:
Execution Generic Network Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Modifying an executable file
Query of malicious DNS domain
Infecting executable files
Result
Verdict:
MALICIOUS
Result
Threat name:
Bdaejec
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1480709
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Yara detected Bdaejec
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3fdad49049078d3ac7495a956bba7cffe07200354a6105f76a60a60993779776
Gathering data
Threat name:
Win32.Virus.Wapomi
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 20:21:14 UTC
File Type:
PE (Exe)
Extracted files:
4820
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h7nnjecja6gtvr2jlkkwxot477qheabvjjqql53kmctate3xs53a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
aspackv2 discovery
Link:
https://tria.ge/reports/240724-y41akaxgrg/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b6f781df-5dcb-4818-88d6-139c8e6fe3d6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Hacktools_CN_Panda_andrew
Create hunting rule
Author:Florian Roth
Description:Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_3f060b9c
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Worm.Ramnit

Executable exe 3fdad49049078d3ac7495a956bba7cffe07200354a6105f76a60a60993779776

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play MultimediaWINMM.dll::midiOutPrepareHeader
WINMM.dll::midiOutReset
WINMM.dll::midiOutUnprepareHeader
WINMM.dll::midiStreamClose
WINMM.dll::midiStreamOpen
WINMM.dll::midiStreamOut
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyA
ADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegQueryValueA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments