MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba12343f978332fa8c76a99e384a9052b0f9ecc1bcf24bd25552832af77a03ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Worm.Ramnit

Vendor detections: 14

SHA256 hash: ba12343f978332fa8c76a99e384a9052b0f9ecc1bcf24bd25552832af77a03ef
SHA3-384 hash: ab2f747ac7a8b99a3dd928b8140647ce9bb2e4d17903aa0c3492b9b96a6ed4b93ce98979bd69cfaa80ad2d7d0f9f7031
SHA1 hash: 09754968722731fb208ddbebcc6c6a7cc9d42c7b
MD5 hash: 3a085e2c496b3d2020401c3452b57aef
humanhash: magazine-louisiana-princess-south
File name: 7Y18r(193).exe
Signature: Worm.Ramnit
File size: 217'088 bytes
First seen: 2024-07-24 17:43:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: cf6c67a92b992938826c4e4ca9230c19 (1 x Stealc, 1 x Heodo, 1 x Worm.Ramnit)
ssdeep: 3072:mGmCsSSeDqwOo211BXydq3/CxrLgGolIWWi98mux/Xh0vFF1MY7glCFGCH:tDXDpf2lIq3/mPgaWWD9xKdFd7gUA
TLSH: T14724CF2236D48073E27766348B71C2928F27B8769B7198DF2B94096E1E752D2CFB4347
TrID:
  37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 0020426060626200 (1 x Stealc, 1 x Worm.Ramnit)
Reporter: Anonymous
Tags: exe Worm.Ramnit


Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads: 1
# of downloads: 281
Origin country: CN
Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: Execution Generic Network Stealth
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Creating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Modifying an executable file
Query of malicious DNS domain
Infecting executable files
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint lolbin microsoft_visual_cc packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Bdaejec, Stealc
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Uses known network protocols on non-standard ports
Yara detected Bdaejec
Yara detected Stealc
Behaviour
Behavior Graph ID: 1482727
Sample: 7Y18r(193).exe
Startdate: 26/07/2024
Architecture: WINDOWS
Score: 100
Process tree and signatures (recovered from the behavior graph):
Start node
  DNS/IP: ddos.dnsnb8.net
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures
7Y18r(193).exe (started)
  Dropped: C:\Users\user\AppData\Local\Temp\WuiXLS.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Found evasive API chain (may stop execution after checking locale)
  Starts: WuiXLS.exe; WerFault.exe
WuiXLS.exe (started by 7Y18r(193).exe)
  DNS/IP: ddos.dnsnb8.net 44.221.84.105, 49705, 799, AMAZON-AESUS, United States
  Dropped: C:\Program Files\7-Zip\Uninstall.exe (PE32); C:\Program Files (x86)\AutoIt3\...\SciTE.exe (PE32); C:\Program Files (x86)\AutoIt3\...\MyProg.exe (MS-DOS)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 2 other signatures
  Starts: WerFault.exe
WerFault.exe (started by 7Y18r(193).exe)
  Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
Threat name: Win32.Virus.Jadtre
Status: Malicious
First seen: 2024-07-24 17:44:21 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 23 of 24 (95.83%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:stealc aspackv2 discovery stealer
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Stealc
Malware Config
C2 Extraction: http://bernardofata.icu
Unpacked files
SHA256 hash: 7e5af8f5fdb81a1a7e01db2cd2a136d9bbb98f9419dac76985db3903c6ef29ad
MD5 hash: 41f8cc8825eec70b1a59b5a8391ff9f5
SHA1 hash: fb9dc9610a2b97b296bd35dd25a8330925376978
Detections: stealc win_stealc_auto win_stealc_a0 win_stealc_bytecodes_oct_2023 detect_Mars_Stealer
Parent samples:
d98972d3ac1090f030d18a15eb6f08edec2b76f45f883cfe317c77be20e1c000
702a59059d11f6194881998bec8cb3124967952654c71351d749d3e26b6fbe7d
86138fcb7a53e15c4ce40d5c60bab85645226be9f119cbf4c60c80dd4c791cb8
d77cb87bc0dccc16883d87ca240ab6457bcf4040636e2954681ceeaefcef77ab
9989f3ee35fbd082a9e8b0117afcc5d53bc637ad51d07989a8a160021022ac8a
0a4d3c5d2e69c9b149f35e9ef629fa36bc9baaf00a8e552c6a36c1d5c940b6aa
5579c693bd0129ae7350d599239695cfe4a578965ae2889b74fe3cea19d7e3da
c9ea3ac3016093a34f864a52b854e01d655be9f1848fc6de098c79a3d560fc19
78380c9b3b9036cb8d3fdbacd2438971115405bcb828bb9812e4abb488408590
60e9383ff5038ed988a1b988b66091bac7bf93a6d070763f45479dccdfd9d147
a79f593a22f2698e351aee60ab23afdaa239ef545297e495df30ecedb99fe222
0552f23284ed52e84060cdc66d242f9258bbe0555eab899355b9d848bbf70605
349f4ed12f7b4cd5d2cecc282f03ca70a28518094973e66749086920ec47fea4
18db81d906e97ea89314ddaa87811b43e349e08a2af276dcfe21f3031131e69f
487ca2266b9ddac43dde09ad484b1b73ca38071698bfda25d419dcf6c5ed3a22
6f40d5c35c41245183c6866fb0a4f8a60c5a70079213b1c76792c269f174364f
fe87527ba3585e4e2437669ad1d4922dca958a78ed2416ed8426a8abf0ee2f6b
588f49a1ba2f244d08911daaf351bc36ac8bffa5802eefe73a0ef1b7c4fc2a7e
ee36161c6b3635240df4c30f370420483174cc1a4999a386952d452d0de03c40
02d956d1f2c9ecdc43ebcbfef06dc160cdd9e5e31f50c692bde9ed1dd9797040
9526a4e0b40f262bc5cd1e07a8b80f465e052c18b3698e496ba0e2dd6549127a
70b2fbdbe34e05f0c3a84f5c9068e7f4970d7fa25452fa561357ca7d2e2be2ef
a56d61de6a7f641f555d4bcf3935f3cb1c22d58e21edc76ad03d32a1a8dd436e
a499710f67a78322f78a493b0a672095a7a636c87ff984c7754526f30d36459d
9d180b3b8219292c40814afbc36db5d36771022b39429b41ec0e7485433da81a
b61e2f809951583a432ac8096b49b2a97506511109ec5c673831a28759cd44bb
00d943709baa0d034312f4d6ee584ac89e9e0546007c91bc187d2b0209e39e25
1c93b99d8e1968867508692feb30aa67c0a48a2a623704f982d1dd9754125ace
7747004e33e1ce463c04eff2c919071d6f7c01b9de6a407381923a5c33a08081
95cc300618cf5a0abb4b36427d838ee00bc37e515bf527ecf24725d70610c993
ba12343f978332fa8c76a99e384a9052b0f9ecc1bcf24bd25552832af77a03ef
SHA256 hash: b321168bc528a311cf626d9cf282507b47d22fbd2aca2451d871cca0e908b489
MD5 hash: 971710c837dd1b34427d47d6c66ae9c1
SHA1 hash: d8e4443d9ea84a9123b18f94987cf74479494757
Detections: win_unidentified_045_auto win_unidentified_045_g0
SHA256 hash: ba12343f978332fa8c76a99e384a9052b0f9ecc1bcf24bd25552832af77a03ef
MD5 hash: 3a085e2c496b3d2020401c3452b57aef
SHA1 hash: 09754968722731fb208ddbebcc6c6a7cc9d42c7b

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Active
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (Distributed via e-mail attachment)
Signature: Worm.Ramnit
File type: Executable exe
SHA256 hash: ba12343f978332fa8c76a99e384a9052b0f9ecc1bcf24bd25552832af77a03ef (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::RevertToSelf
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::SetProcessShutdownParameters, KERNEL32.dll::OpenSemaphoreW, KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::DeleteVolumeMountPointA, KERNEL32.dll::FindNextVolumeMountPointA, KERNEL32.dll::SetSystemPowerState, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetDriveTypeA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AddConsoleAliasW, KERNEL32.dll::WriteConsoleInputW, KERNEL32.dll::WriteConsoleOutputCharacterA, KERNEL32.dll::WriteConsoleOutputW, KERNEL32.dll::WriteConsoleInputA, KERNEL32.dll::WriteConsoleW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryExW, KERNEL32.dll::CreateHardLinkA, KERNEL32.dll::CreateFileA, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileWithProgressA, KERNEL32.dll::MoveFileWithProgressW
WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::QueryDosDeviceA
WIN_HTTP_API | Uses HTTP services | WINHTTP.dll::WinHttpGetProxyForUrl, WINHTTP.dll::WinHttpOpen, WINHTTP.dll::WinHttpReadData, WINHTTP.dll::WinHttpWriteData

Comments