MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70f62aa60264ce150e290264a190270ec0a66c84452981ea4cbee8d2a427acca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Worm.Virut

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments

SHA256 hash:	70f62aa60264ce150e290264a190270ec0a66c84452981ea4cbee8d2a427acca
SHA3-384 hash:	721e8b6458da1ea78ad63cf16cd293ecf83d9164dd0eb663e59f331ca639eeee735564637504c6d77badbc78d9e21398
SHA1 hash:	e396a04ab796cd7a61fc4e0b3d8a355248bff8bd
MD5 hash:	6371a2747f66ba06a6850f5bf89a11d0
humanhash:	quiet-happy-michigan-crazy
File name:	70f62aa60264ce150e290264a190270ec0a66c84452981ea4cbee8d2a427acca
Download:	download sample
Signature	Worm.Virut Create hunting rule
File size:	337'344 bytes
First seen:	2022-11-06 03:01:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	efe7bb5f9f0147c226b09f9b178c407a (1 x Worm.Virut)
ssdeep	6144:mdZsyFbUpWX5njifkVcUx8x2IrMR4daOtbOr6JFT3KrrrGurrrrrrrrrrrrrrrrv:Qtpnef6cUxtIeOtxNKrrrGurrrrrrrrP
Threatray	15'258 similar samples on MalwareBazaar
TLSH	T191748B96B5108CE9EC9F90B1A4B08FE35D58F1D3A6DDDB124A1C56B53B8F31C9A0B407
TrID	23.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 19.8% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 12.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 7.8% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter	DesdinovaOsint
Tags:	exe Worm.Virut

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

Vendor Threat Intelligence

Malware family:

ramnit

ID:

File name:

70f62aa60264ce150e290264a190270ec0a66c84452981ea4cbee8d2a427acca

Verdict:

Malicious activity

Analysis date:

2022-11-06 03:03:15 UTC

Tags:

trojan ramnit

Link:

https://app.any.run/tasks/aafba7fd-4120-40d9-9418-3e8e44b8ab32

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Ramnit

Link:

https://www.capesandbox.com/analysis/329293/

Detection(s):

Win.Trojan.Ramnit-1849

Win.Trojan.Ramnit-1847

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file

Сreating synchronization primitives

Creating a process from a recently created file

Searching for synchronization primitives

Unauthorized injection to a recently created process

Enabling the 'hidden' option for recently created files

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Query of malicious DNS domain

Unauthorized injection to a browser process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

nimnul overlay packed ramnit shell32.dll virus virut

Link:

https://www.filescan.io/uploads/636723ac3c6c57b4ec413438/reports/5375632e-e549-45df-a38b-ba28b3511972/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ramnit

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d22bcd7-0c20-44d7-92c7-d8eb15eba333

Result

Threat name:

Ramnit, Virut

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1106412

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Contains functionality to detect sleep reduction / modifications

Creates a thread in another existing process (thread injection)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Snort IDS alert for network traffic

Tries to evade debugger and weak emulator (self modifying code)

Tries to resolve many domain names, but no domain seems valid

Writes to foreign memory regions

Yara detected Ramnit

Yara detected Virut

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/70f62aa60264ce150e290264a190270ec0a66c84452981ea4cbee8d2a427acca/

Threat name:

Win32.Worm.Ramnit

Status:

Malicious

First seen:

2022-11-06 03:02:07 UTC

File Type:

PE (Exe)

AV detection:

26 of 26 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=od3cvjqcmthbkdrjajskdebhb3akm3eeiuuyd2smx3unfjbhvtfa._file

Verdict:

malicious

Worm.Virut

130135c0b095014c9ba2c3b17c940611c4678534cf4f650b94fd2f4f8a32b28e

Worm.Virut

4322d3d6e14b7fd56673ebdc996a53665c42ad6480e4f0cf6606a16c89b7becc

Worm.Virut

493c63489f594c10e1f5aace2dd833f3fddaac2800d3603498d2b4abe4bd7e0c

Worm.Virut

4c72a5eff108b8b4d7789cd3cf92969a7357c6d5c6ecccfb1aa26f1e8f6ecb42

Worm.Virut

83d1b64a9bca34640ec3722e9ef0dcb18669ec1b5a866f4e7517e760005b7d73

Worm.Virut

9a52b3add7580749d5c6fac089238e11939a8926ae5f9482a61a25ad7182a21f

Worm.Virut

c24acebd63f3832f4d82501dac66fd98b6056b7542e524a1cfe634c78269b607

Worm.Virut

fd9bb6bf944bfc60dee7e7c762615be99ce4bd822df2af5df8ec0bf8cab2d805

Worm.Virut

+ 15'248 additional samples on MalwareBazaar

Result

Malware family:

ramnit

Score:

10/10

Tags:

family:ramnit banker evasion spyware stealer trojan upx worm

Link:

https://tria.ge/reports/221106-djf1zadccj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Executes dropped EXE

UPX packed file

Modifies firewall policy service

Ramnit

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e9d68280-7eb1-419a-86f1-5cfacc94a3eb

Unpacked files

SH256 hash:

2e774712cc111cd4eb3a59b5a6f58fa2be9080813ed316f75bf99cdc66f60692

MD5 hash:

0fbea7227adab7d43daa5c3d1645bb1d

SHA1 hash:

536b3c19db69d59f55b55e2b79760b7c5fcced6b

Link:

https://www.unpac.me/results/cbca61e6-ee1f-49ae-8c6a-7884be54df7f/

SH256 hash:

ffc9384268e7b83bce58e3e86e3b19f9689552679026bb2cfb9951bc3b40f07b

MD5 hash:

4469d96da242213b46e390c215df3d60

SHA1 hash:

699f475b95dae504cc902762b9c0f7315616c895

Detections:

win_ramnit_auto

win_ramnit_g1

win_ramnit_g0

Link:

https://www.unpac.me/results/cbca61e6-ee1f-49ae-8c6a-7884be54df7f/

Parent samples :

d410461b6a41d5193c3920f152e2a263944ca330c11f3d306bc266281b93ce78
e08e0f0228a8e08b8330c46c01f7b185513be82682b41d031e86591d195f2e56
2f05200e09f38d2197fb48d265bcd4d050131f688ce51cf86478192df100d675
199533f77cb4331908a90346f24610888ef42d6dd2f9866b733752426702e737
33afd44ca2f375189b68c6ab3f410d45ae1547e20ae04ed5e4e3b36978fdba49
2aef6190fbec261019520c2e603024eb0abf68eaf2460b3ed7c03c14754e5a09
337463b61d271e4826a1c570e565fe58f42548247b20c9cc8d52e7342943606e
83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b
4f0790556072df8347f13be4fe3068c743b7a7f0dcefa155b434d8c408ec8d35
b1e7478ebc4b374feb2964da15149281da610a4e5773b890b7c9cabb4469c29f
2d5f86c5aea887418198a76538412499bbc1d000f633de6d613f32c82c7c5073
52c970b575040b26c6c357f1aa64288544578a229b9be70acd0f860f55cca346
70f62aa60264ce150e290264a190270ec0a66c84452981ea4cbee8d2a427acca
06f7c12171e1608547eb5ae2d39af72835519fdf56aaaeb1dcc6be853dac22a9
75a0a12b779dc49dee1cb4e27eb6362bae2bbde60c9754b12aed27d7f0b6d129
270ea6a72a4f9ab032ce73bd2ba9e9a207929f0d4041e2cb298a650d4d2062ed
ba33ab723fdac923f508eed7114aba2a370c6b7ecd3639dc588cd8fc0c865f34

SH256 hash:

04a1fe8e3d0f1112cd274b75559fea78fa9e873efb719001bd5480c4582799d0

MD5 hash:

fea9741cf5cb761ff4133120ded2176d

SHA1 hash:

25be4965f45af627f7477a45349e53b8d48a3509

Detections:

win_ramnit_auto

win_ramnit_g0

Link:

https://www.unpac.me/results/cbca61e6-ee1f-49ae-8c6a-7884be54df7f/

Parent samples :

SH256 hash:

f39e090178467d41f7740d041eb23e2a110948979ca4a0b569815311695c69f2

MD5 hash:

abd10a9b13b830a01aeb5261a92c612c

SHA1 hash:

ad8bf2252a5be9b6f480d2d16fb1582b10e71f6e

Detections:

win_ramnit_auto

win_ramnit_g1

win_ramnit_g0

Link:

https://www.unpac.me/results/cbca61e6-ee1f-49ae-8c6a-7884be54df7f/

SH256 hash:

0c05b100b1e3ac475353ec82ff6d982e6a5e3e930dd34f38b9f2b8f1c551fc42

MD5 hash:

8fa49fd67517e0186d635ed92e9b1416

SHA1 hash:

bd18dfa7edd06cf1056e79067dec3e815bdb31ff

Link:

https://www.unpac.me/results/cbca61e6-ee1f-49ae-8c6a-7884be54df7f/

SH256 hash:

70f62aa60264ce150e290264a190270ec0a66c84452981ea4cbee8d2a427acca

MD5 hash:

6371a2747f66ba06a6850f5bf89a11d0

SHA1 hash:

e396a04ab796cd7a61fc4e0b3d8a355248bff8bd

Link:

https://www.unpac.me/results/cbca61e6-ee1f-49ae-8c6a-7884be54df7f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/70f62aa60264/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/70f62aa60264ce150e290264a190270ec0a66c84452981ea4cbee8d2a427acca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_BlackMoon Create hunting rule
Author:	ditekSHen
Description:	Detects executables using BlackMoon RunTime

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/329293/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample