MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad36573bcb7c51f96c47c21c6a4b828884709c242ae6185df918779db3b8da07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Ramnit


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad36573bcb7c51f96c47c21c6a4b828884709c242ae6185df918779db3b8da07
SHA3-384 hash: 8d6eee2855f735f9a6e2e7871f1c86c41b126fe09b949ffc313eabb6b66de25a7cb52c2a617f5dcbb5913e98b6dd1a85
SHA1 hash: 74c2eab08871f41bb6e120e8d3e8e652f28a16dd
MD5 hash: 3b1cb6ad6baca77f553d1634700c56ab
humanhash: uranus-thirteen-sierra-texas
File name:22c8c133d963b526b0fb8db11dc08092
Download: download sample
Signature Worm.Ramnit
Create hunting rule
File size:7'200'768 bytes
First seen:2020-11-17 11:43:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4741f7486b03721266ba5450d304412c (3 x Worm.Ramnit, 1 x Jadtre)
ssdeep 98304:lzUQYiG/SaK75kCk+LVAYniAfmrLxJDJJSkHIZXfpP6waC8ameAOOfxmHiMnyAQs:sPcmCWxnwMIZPpi28am5bg
Threatray 3 similar samples on MalwareBazaar
TLSH 61761223626240BAD0D54C364A3BBFB676B607270F52DDBB93D5ECC429225E0F322657
Reporter seifreed
Tags:Worm.Ramnit

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Gotango-7000352-0
Create hunting rule

Win.Malware.Agen-7172367-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Changing an executable file
DNS request
Launching the default Windows debugger (dwwin.exe)
Modifying an executable file
Creating a file
Running batch commands
Creating a process with a hidden window
Connection attempt to an infection source
Infecting executable files
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad36573bcb7c51f96c47c21c6a4b828884709c242ae6185df918779db3b8da07/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 11:45:34 UTC
AV detection:
37 of 48 (77.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vu3foo6lpri7s3chyiogus4crcchbhbefltbqxpzdb3z3m5y3idq._file
Verdict:
unknown
Similar samples:
34a52388b0de94f535226b9e7e0815ca1e0eff80bf1b07f3d9de3fb9f50b26ac
Worm.Ramnit
68d9b1b79eac821bd61cfea1a528b5a26fc371be1e24bf71ec424fddb63e5c92
Worm.Ramnit
8bdd3fc67f143159eb3cb3eb5dc0634448145a76604a0615cb2db7fb34127fd7
Worm.Ramnit
Result
Malware family:
n/a
Score:
  10/10
Tags:
aspackv2
Link:
https://tria.ge/reports/201117-p1btqt3lcj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Drops file in Program Files directory
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
ad36573bcb7c51f96c47c21c6a4b828884709c242ae6185df918779db3b8da07
MD5 hash:
3b1cb6ad6baca77f553d1634700c56ab
SHA1 hash:
74c2eab08871f41bb6e120e8d3e8e652f28a16dd
Link:
https://www.unpac.me/results/8ba95bc6-bf5d-4c51-ae4b-63e6958a7dc7/
SH256 hash:
612405cb884ff5f32ec6606c19e2fab8db24fd2e1ca03ee9b6874e3dbbe0921d
MD5 hash:
7bc674ad24f5fb49feceb4fe748b941c
SHA1 hash:
1a5eb0af79513e3b05dbef5632e3f1b606874b01
Detections:
win_unidentified_045_g0
Create hunting rule
win_unidentified_045_auto
Create hunting rule
Link:
https://www.unpac.me/results/8ba95bc6-bf5d-4c51-ae4b-63e6958a7dc7/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments