MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 9dd2eb7c197323caa4b78641ce05ad9c3e28622164f813caa992c28a88ad8598. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Worm.Ramnit
Vendor detections: 7
| SHA256 hash: | 9dd2eb7c197323caa4b78641ce05ad9c3e28622164f813caa992c28a88ad8598 |
|---|---|
| SHA3-384 hash: | 4b777fab75f55c706b962c34e6f2045d30e73d38dc4bcf88f996dd8de28d042b973b5bcadd88ccf6ce6fa4c54ffd9d44 |
| SHA1 hash: | 4a41c8a73a62aa28984c442ad1172323776fca28 |
| MD5 hash: | d64d84d57fc9cc6528acf7b78e0698ff |
| humanhash: | hawaii-cup-bacon-football |
| File name: | d64d84d5_by_Libranalysis |
| Download: | download sample |
| Signature | Worm.Ramnit |
| File size: | 81'920 bytes |
| First seen: | 2021-05-05 09:07:26 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | a8070c6ad7600bbdd417216375913d93 (7 x Jadtre, 6 x Wapomi, 3 x Worm.Ramnit) |
| ssdeep | 1536:fHB0UxMkzOt7HcvJGt5AdHIOWnToIf12Ze6GCq2iW7z:fhAWJGSCTBf12ZRGCH |
| Threatray | 3'082 similar samples on MalwareBazaar |
| TLSH | C5836B197ED34463E4F2097082D655DACFFEAD1336A2612FDF0B1FA413A060989E45FA |
| Reporter |  Libranalysis |
| Tags: | Worm.Ramnit |
Intelligence
File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
DNS request
Sending a UDP request
Modifying an executable file
Infecting executable files
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Threat name:
Win32.Virus.Wapomi
Status:
Malicious
First seen:
2020-05-06 19:32:00 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
unknown
Similar samples:
+ 3'072 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
aspackv2
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Unpacked files
SH256 hash:
ba516a734d68017e13d0447adb347a412b4915ae1603df429fb3c547921dfd14
MD5 hash:
4243d3bd2d73a4bb1f234eb412a60a98
SHA1 hash:
dc16e657db7e09ad97ee8189c7edbbc334e47051
Detections:
win_unidentified_045_g0
win_unidentified_045_auto
SH256 hash:
9dd2eb7c197323caa4b78641ce05ad9c3e28622164f813caa992c28a88ad8598
MD5 hash:
d64d84d57fc9cc6528acf7b78e0698ff
SHA1 hash:
4a41c8a73a62aa28984c442ad1172323776fca28
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_EXE_Packed_ASPack |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with ASPack |
| Rule name: | suspicious_packer_section |
|---|---|
| Author: | @j0sm1 |
| Description: | The packer/protector section names/keywords |
| Reference: | http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ |
| Rule name: | win_unidentified_045_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
| Rule name: | win_unidentified_045_g0 |
|---|---|
| Author: | Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de> |
| Description: | Unknown 045 |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [F0001] Anti-Behavioral Analysis::Software Packing
2) [C0060] Data Micro-objective::Compression Library
3) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [B0023] Execution::Install Additional Program
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0052] File System Micro-objective::Writes File
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
14) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
15) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
16) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
17) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
18) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
19) [C0017] Process Micro-objective::Create Process
20) [C0054] Process Micro-objective::Resume Thread
21) [C0018] Process Micro-objective::Terminate Process