MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64ae52e978fe48c65e909c47332af1c73048dae656fe4d51189acba140b992b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Worm.Ramnit

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	64ae52e978fe48c65e909c47332af1c73048dae656fe4d51189acba140b992b2
SHA3-384 hash:	383934953d2c55ef9ed264434b1838ec92f8d999968ec295fffe44205cbf35e111dcc76ab4202fbdec6e80713681a59b
SHA1 hash:	d1110bcc891b203c69ff8eadf9cdfe03b06cb62d
MD5 hash:	d71a08e318fdfdafc7204cdc85866347
humanhash:	lima-edward-virginia-delaware
File name:	d71a08e3_by_Libranalysis
Download:	download sample
Signature	Worm.Ramnit Create hunting rule
File size:	31'232 bytes
First seen:	2021-05-05 08:05:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bada59b09f06f9c01c84b065a341cf6b (7 x Worm.Ramnit)
ssdeep	384:tPpOMLnVCiL5WTdCSIww/2AyFSqXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxl:tku5AmOqeQGPL4vzZq2o9W7GsxBbPr
Threatray	1'909 similar samples on MalwareBazaar
TLSH	73E29F8AB603A8F7D95732B000DE96B7DF7FA9218D71883ED670E9706F57890BC24215
Reporter	Libranalysis
Tags:	Worm.Ramnit

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/150001/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Trojan.Agent-7823081-0

Win.Virus.Triusor-6887833-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a window

Changing an executable file

DNS request

Modifying an executable file

Sending a UDP request

Infecting executable files

Sending an HTTP GET request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/55512683-4d30-4766-a130-49dbd62c396c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/64ae52e978fe48c65e909c47332af1c73048dae656fe4d51189acba140b992b2/

Threat name:

Win32.Virus.Wapomi

Status:

Malicious

First seen:

2020-05-06 20:01:00 UTC

AV detection:

29 of 31 (93.55%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=msxff2ly7zemmxuqtrdtgkxry4yerwxgk37e2uiytlf2cqfzskza._file

Verdict:

unknown

Worm.Ramnit

1bf691a052d818af469a4458670b33d0d1c92bac19b1ee6fb8d44b2bec8e461d

Worm.Ramnit

22ec7743f9153a5f7fef373a65274ace9d263fb3fcd0e23cdb11450c2c391ecd

Worm.Ramnit

31156f82bcd06b0f206c65aad06e65ba55868d6ae7a63c1f6939b7a5c2e198f8

Worm.Ramnit

5c8345fee9c3dd52ada27a265198a4453d50bda9c08ce84c642e6ad625df7919

Worm.Ramnit

6849844f8db49f95dea55403c488f27bca49676b8a91bae8f4a43add845b98d1

Worm.Ramnit

9b70a1bcc0ec0b0e21ed4958bf861ef0c4049da761ddd2845ea46c2bb617c346

Worm.Ramnit

aa89e89ead0c0cf1bc6c92e6f851cd2df35c30baaabe11f0d0ad0665ca8290c6

Worm.Ramnit

ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f

Worm.Ramnit

cc3cc6a1905bcacf25dd804f51b1856cea7f69f751d8981a1fe34d1b77a8a494

Worm.Ramnit

+ 1'899 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

aspackv2

Link:

https://tria.ge/reports/210505-vpfvcj6f2n/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Unpacked files

SH256 hash:

fc91e9ba2fddaade6924c690e8151b980353d27c9fa6f91e6df7281bdc9b1fc9

MD5 hash:

9c7acccfe97d86d019263c185eaae4fe

SHA1 hash:

b0ed95f653a608657291645a367858fb2a3cffb9

Detections:

win_unidentified_045_g0

win_unidentified_045_auto

Link:

https://www.unpac.me/results/0c8fde4e-3980-4694-be4c-9af41376e36d/

SH256 hash:

64ae52e978fe48c65e909c47332af1c73048dae656fe4d51189acba140b992b2

MD5 hash:

d71a08e318fdfdafc7204cdc85866347

SHA1 hash:

d1110bcc891b203c69ff8eadf9cdfe03b06cb62d

Link:

https://www.unpac.me/results/0c8fde4e-3980-4694-be4c-9af41376e36d/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ASPack Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ASPack

Rule name:	ProcessInjector_Gen Create hunting rule
Author:	Florian Roth
Description:	Detects a process injection utility that can be used ofr good and bad purposes
Reference:	https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_unidentified_045_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_unidentified_045_g0 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>
Description:	Unknown 045

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/150001/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample