MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78bd304c8dfe9bf2bdb139d0672d4aed6adde6686fbb6ed5e5420f955dc4de11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Worm.Ramnit

Vendor detections: 12

SHA256 hash: 78bd304c8dfe9bf2bdb139d0672d4aed6adde6686fbb6ed5e5420f955dc4de11
SHA3-384 hash: b18a3129ccd56d9c6241ea496f28bc0ad7a95e70eb70029fc9de3067c9d1974b37b079958ab05320f63ed74d77eaad82
SHA1 hash: 0e9d36102814aa134ef38f38f58c3fcc3bd12059
MD5 hash: b238708a6c194f7cb92c8c50400a3a98
humanhash: oklahoma-arizona-green-johnny
File name: b238708a6c194f7cb92c8c50400a3a98
Signature: Worm.Ramnit
File size: 40'960 bytes
First seen: 2022-06-07 00:02:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a3efcc970852f76f399fd867a4d6b207 (1 x Worm.Ramnit, 1 x Nitol)
ssdeep: 768:C7I0+FNSW3YO5z+b+hCFfH/YZIvb5c4QGPL4vzZq2o9W7GsxBbPr:C7I0ekW3Ft+eeYZK5cTGCq2iW7z
Threatray: 1'583 similar samples on MalwareBazaar
TLSH: T15003E17227E0985FC49FA132096F77170ABA7830DEB5573F87E104AB1879610DDE4436
TrID:
  35.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
  35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
  8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  5.9% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 44b279d898f07082 (2 x Worm.Ramnit, 1 x Nitol)
Reporter: zbetcheckin
Tags: 32 exe Worm.Ramnit

Intelligence


File Origin
# of uploads: 1
# of downloads: 554
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b238708a6c194f7cb92c8c50400a3a98
Verdict: Malicious activity
Analysis date: 2022-06-07 00:04:44 UTC
Tags: trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Creating a file in the Windows directory
Creating a service
Launching a service
Creating a file in the Windows subdirectories
Sending a custom TCP request
Searching for synchronization primitives
Adding an access-denied ACE
Creating a file
Moving a file to the Windows subdirectory
Creating synchronization primitives
Creating a process with a hidden window
Modifying an executable file
Running batch commands
Enabling autorun for a service
Query of malicious DNS domain
Moving of the original file
Infecting executable files
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: banload coinminer greyware nimnul nitol packed ramnit shell32.dll virus virut
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Found stalling execution ending in API Sleep call
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph (rebuilt from the graph's node and edge labels; node numbers dropped):
Behavior Graph ID: 640251
Sample: 2l480DBdZv
Startdate: 07/06/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 10 other signatures

Process tree:
2l480DBdZv.exe
  dropped: C:\Windows\ukkige.exe (PE32); C:\Users\user\AppData\Local\Temp\aBYIeT.exe (PE32); C:\Windows\ukkige.exe:Zone.Identifier (ASCII)
  signature: Moves itself to temp directory
  started: aBYIeT.exe
    network: ddos.dnsnb8.net 63.251.106.25 (ports 49714, 49717, 49722; VOXEL-DOT-NETUS, United States)
    dropped: C:\Program Files (x86)\AutoIt3\...\SciTE.exe (PE32); C:\Program Files (x86)\AutoIt3\...\MyProg.exe (MS-DOS)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    started: WerFault.exe
ukkige.exe (first instance)
  network: c9v864gr.n.hyhuxa.top 154.12.38.162 (ports 49720, 49752, 49755; UNMETEREDCA, United States); v8.ter.tf; 2 other IPs or domains
  dropped: C:\Windows\Temp\aBYIeT.exe (PE32); C:\Windows\SysWOW64\hra8.dll (PE32); 2 other files (1 malicious)
  signatures: Found stalling execution ending in API Sleep call; Drops executables to the windows directory (C:\Windows) and starts them
  started: aBYIeT.exe
    signatures: Detected unpacking (changes PE section rights); Infects executable files (exe, dll, sys, html)
    started: cmd.exe
      started: conhost.exe
  started: hrlD99.tmp
ukkige.exe (second instance)
  network: 3 other IPs or domains
  dropped: C:\Windows\Temp\hrlA40C.tmp (PE32); C:\RCXA2B3.tmp (PE32)
  started: hrlA40C.tmp
    signature: Drops executables to the windows directory (C:\Windows) and starts them
14 other processes
  network: 127.0.0.1; v8.ter.tf; 17 other IPs or domains
  dropped: 12 other files (6 malicious)
  signature: Changes security center settings (notifications, updates, antivirus, firewall)
  started: hrl5F43.tmp; hrl463D.tmp; hrl53D9.tmp; 4 other processes
    hrl5F43.tmp started: aBYIeT.exe, which started cmd.exe (then conhost.exe) and a further aBYIeT.exe
    hrl463D.tmp started: aBYIeT.exe, which started cmd.exe (then conhost.exe)
    hrl53D9.tmp started: aBYIeT.exe, which started cmd.exe (then conhost.exe)
    the 4 other processes started: three aBYIeT.exe instances, each starting cmd.exe (then conhost.exe), and one cmd.exe (then conhost.exe)
Threat name: Win32.Virus.Jadtre
Status: Malicious
First seen: 2022-06-07 00:12:39 UTC
AV detection: 26 of 26 (100.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: aspackv2 suricata upx
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in Program Files directory
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Win32.Nitol.K Variant CnC
Unpacked files
SHA256 hash: 3c373fde7222d1e3c5a13339d37f3b5752374210ae09974b4f17baa261c3b9a5
MD5 hash: de61de242b5500304af17e4661100ea5
SHA1 hash: ed6c1fce0696ce100a93f2d3cea83a0475947e4f

SHA256 hash: 00b567f046ef1fe2b4476261ce70d88e77518e22bb2c18424e4c5553f58757db
MD5 hash: d950e87f12c491df0d5e2b0847d33c1d
SHA1 hash: 535dddb5818ed089b8c2c5b19e3d30b7eb3aad7d
Detections: win_unidentified_045_g0 win_unidentified_045_auto

SHA256 hash: 78bd304c8dfe9bf2bdb139d0672d4aed6adde6686fbb6ed5e5420f955dc4de11
MD5 hash: b238708a6c194f7cb92c8c50400a3a98
SHA1 hash: 0e9d36102814aa134ef38f38f58c3fcc3bd12059
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: win_unidentified_045_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.unidentified_045.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Worm.Ramnit
File: Executable exe 78bd304c8dfe9bf2bdb139d0672d4aed6adde6686fbb6ed5e5420f955dc4de11 (this sample)

Comments



zbet commented on 2022-06-07 00:02:25 UTC

url : hxxp://82.157.142.132/win.exe