MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 455c792d602c9bff99be0631cc30cae0c997a5f2bae804274ddad10b9af39f84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Ramnit


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 455c792d602c9bff99be0631cc30cae0c997a5f2bae804274ddad10b9af39f84
SHA3-384 hash: da67baf788abf8d633b74da90e40065a0e439745ff2d7e3c1a122406ae3727d616f2ae267ab31b9b8e0db0b14901a8ef
SHA1 hash: c52ca0fd930f7702b99e8833d5dc017cf73a30e2
MD5 hash: bc020f08f3dbdceb42574f4d4ff84760
humanhash: ink-single-leopard-enemy
File name:537C7A26CE5E39643B98D9C078A14D5E955F0FCCF49073D05B1F8E3294636B41.exe
Download: download sample
Signature Worm.Ramnit
Create hunting rule
File size:1'385'984 bytes
First seen:2024-07-24 14:23:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 712f4a29c405ecb576101d367b2180fb (14 x Smoke Loader, 2 x AZORult, 1 x Formbook)
ssdeep 24576:nBXu9HGaS1c4WK5FRUO75CBg5/XWoGYNImnqKF8/M/2pe7qq7apCBJT:nw9SdWK5rUO75F/H2R/NWqquOJ
TLSH T1B75533833FC1922AC2D802F8E67CF95599539FF209CC59CB589D7CADBA3BB294C51064
TrID 35.4% (.EXE) UPX compressed Win32 Executable (27066/9/6)
21.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 61f0e8e8f28c88c0 (1 x Worm.Ramnit)
Reporter Anonymous
Tags:exe Worm.Ramnit


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a10e89cb3d02fa0e492e7c
Tags:
Execution Generic Network Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Modifying an executable file
Сreating synchronization primitives
Query of malicious DNS domain
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit coinminer lolbin microsoft_visual_cc packed packed packed shell32 upx
Link:
https://www.filescan.io/uploads/66a10e898f66298c01f35e03/reports/d5c5d4bb-6a05-49a5-bc69-7ed811cf9fe8/overview
Verdict:
Malicious
Labled as:
Virus.Nimnul
Link:
https://www.hybrid-analysis.com/sample/455c792d602c9bff99be0631cc30cae0c997a5f2bae804274ddad10b9af39f84
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8c896c0-21df-41b2-b260-45d004729e1c
Result
Threat name:
Bdaejec
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1480240
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Yara detected Bdaejec
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1480240 Sample: 537C7A26CE5E39643B98D9C078A... Startdate: 24/07/2024 Architecture: WINDOWS Score: 100 37 ddos.dnsnb8.net 2->37 41 Antivirus detection for URL or domain 2->41 43 Antivirus detection for dropped file 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 10 other signatures 2->47 8 537C7A26CE5E39643B98D9C078A14D5E955F0FCCF49073D05B1F8E3294636B41.exe 6 2->8         started        signatures3 process4 file5 23 C:\Users\user\AppData\Local\Temp\temp2.exe, PE32+ 8->23 dropped 25 C:\Users\user\AppData\Local\Temp\temp1.exe, PE32 8->25 dropped 27 C:\Users\user\AppData\Local\...\aut68B4.tmp, PE32+ 8->27 dropped 29 2 other malicious files 8->29 dropped 49 Binary is likely a compiled AutoIt script file 8->49 12 DLsZRb.exe 14 8->12         started        17 temp1.exe 8->17         started        19 temp2.exe 8->19         started        signatures6 process7 dnsIp8 39 ddos.dnsnb8.net 44.221.84.105, 49705, 799 AMAZON-AESUS United States 12->39 31 C:\Program Files\7-Zip\Uninstall.exe, PE32 12->31 dropped 33 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 12->33 dropped 35 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 12->35 dropped 51 Antivirus detection for dropped file 12->51 53 Multi AV Scanner detection for dropped file 12->53 55 Detected unpacking (changes PE section rights) 12->55 57 Infects executable files (exe, dll, sys, html) 12->57 21 WerFault.exe 19 16 12->21         started        59 Binary is likely a compiled AutoIt script file 17->59 61 Machine Learning detection for dropped file 17->61 file9 signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/455c792d602c9bff99be0631cc30cae0c997a5f2bae804274ddad10b9af39f84
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/455c792d602c9bff99be0631cc30cae0c997a5f2bae804274ddad10b9af39f84/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 14:24:07 UTC
File Type:
PE (Exe)
Extracted files:
68
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ivohsllafsn77gn6ayy4ymgk4dezpjpsxluaij2n3liqxgxtt6ca._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
aspackv2 discovery upx
Link:
https://tria.ge/reports/240724-rqqqmstdrc/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
AutoIT Executable
Legitimate hosting services abused for malware hosting/C2
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/52927d0b-ddee-4bbb-8dac-eff99913a9cf
Unpacked files
SH256 hash:
228d9cb45b64bcf7b659b7c9ca39dd2d84575adf4da37ad76864c7312a5ce551
MD5 hash:
397abddb99a07c4ce7ae72363102cb64
SHA1 hash:
b6d9bfb68a4ecef2e22ae52ad078fba842d1d912
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/309db5ab-dc17-4feb-bd9c-658c5dd5f115/
SH256 hash:
29386158e9c85e28ec70aa2ca17461177b743042ee122ed06634cd5fa78f0c47
MD5 hash:
4c911e600b22305280a87d49ba7a07a9
SHA1 hash:
d47c0838f6853befaf1fe14094284e11f140a37e
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/309db5ab-dc17-4feb-bd9c-658c5dd5f115/
SH256 hash:
455c792d602c9bff99be0631cc30cae0c997a5f2bae804274ddad10b9af39f84
MD5 hash:
bc020f08f3dbdceb42574f4d4ff84760
SHA1 hash:
c52ca0fd930f7702b99e8833d5dc017cf73a30e2
Link:
https://www.unpac.me/results/309db5ab-dc17-4feb-bd9c-658c5dd5f115/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/455c792d602c9bff99be0631cc30cae0c997a5f2bae804274ddad10b9af39f84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Worm.Ramnit

Executable exe 455c792d602c9bff99be0631cc30cae0c997a5f2bae804274ddad10b9af39f84

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments