MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Ramnit


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f
SHA3-384 hash: b7e7a9c6874246ee8c402e57215ecdd261570efc94f57986d248df188c402ac944c373549039b7ffbf490698283bd76c
SHA1 hash: 577d22c959848dc225bb6dc5850c463bd04ed4e5
MD5 hash: cf49e5dc83e03d74059a50288f510c39
humanhash: coffee-emma-video-equal
File name:taskmgr.exe
Download: download sample
Signature Worm.Ramnit
Create hunting rule
File size:426'496 bytes
First seen:2021-03-21 23:17:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 19d4e66d725c89ba6712b82bebc8196d (5 x Gh0stRAT, 2 x PurpleFox, 1 x YoungLotus)
ssdeep 6144:4SuxNOug5MI3KBau3EO8iZrEXA2czL6mWzdoZtAznpGuGEwJvfJ0sQVCo:Fux9g5F6U2WOWczLygAzN6fJF
Threatray 42 similar samples on MalwareBazaar
TLSH B19412A23BC70556C34C76B1CCA49B29039DC3E01E6D900FBE30695AFD652ED9D3AE46
Reporter r3dbU7z
Tags:exe Worm.Ramnit

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Keylogger.Deepscan-7603977-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Changing an executable file
Creating a window
Creating a service
Launching a service
Modifying an executable file
Adding an access-denied ACE
DNS request
Creating a file in the drivers directory
Loading a system driver
Connection attempt
Deleting a recently created file
Replacing files
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching a process
Creating a file
Enabling autorun for a service
Infecting executable files
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95141648-1096-445e-a1fa-75ff44ea5c1d
Result
Threat name:
Mimikatz Wapomi
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/647210
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Sample is not signed and drops a device driver
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Yara detected Wapomi
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 372573 Sample: taskmgr.exe Startdate: 22/03/2021 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus detection for dropped file 2->67 69 9 other signatures 2->69 8 Dtldt.exe 1 2->8         started        12 taskmgr.exe 1 3 2->12         started        14 svchost.exe 2->14         started        16 10 other processes 2->16 process3 file4 49 C:\Windows\Temp\XOrdEk.exe, PE32 8->49 dropped 87 Antivirus detection for dropped file 8->87 89 Multi AV Scanner detection for dropped file 8->89 91 Machine Learning detection for dropped file 8->91 93 Drops executables to the windows directory (C:\Windows) and starts them 8->93 18 XOrdEk.exe 1 28 8->18         started        22 Dtldt.exe 13 1 8->22         started        51 C:\Windows\SysWOW64\Dtldt.exe, PE32 12->51 dropped 53 C:\Users\user\AppData\Local\Temp\XOrdEk.exe, PE32 12->53 dropped 55 C:\Windows\...\Dtldt.exe:Zone.Identifier, ASCII 12->55 dropped 25 XOrdEk.exe 18 12->25         started        27 cmd.exe 1 12->27         started        95 Changes security center settings (notifications, updates, antivirus, firewall) 14->95 29 MpCmdRun.exe 14->29         started        signatures5 process6 dnsIp7 71 Machine Learning detection for dropped file 18->71 73 Infects executable files (exe, dll, sys, html) 18->73 31 cmd.exe 1 18->31         started        57 a.9a9u.com 154.92.52.155, 9999 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 22->57 43 C:\Windows\System32\drivers\QAssist.sys, PE32+ 22->43 dropped 75 Sample is not signed and drops a device driver 22->75 59 ddos.dnsnb8.net 162.217.99.134, 49713, 49714, 49715 VOXEL-DOT-NETUS United States 25->59 45 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, data 25->45 dropped 47 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, data 25->47 dropped 77 Antivirus detection for dropped file 25->77 79 Multi AV Scanner detection for dropped file 25->79 81 Detected unpacking (changes PE section rights) 25->81 33 WerFault.exe 23 9 25->33         started        61 127.0.0.1 unknown unknown 27->61 83 Uses ping.exe to sleep 27->83 85 Uses ping.exe to check the status of other devices and networks 27->85 35 conhost.exe 27->35         started        37 PING.EXE 1 27->37         started        39 conhost.exe 29->39         started        file8 signatures9 process10 process11 41 conhost.exe 31->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f/
Threat name:
Win32.Virus.Wapomi
Create hunting rule
Status:
Malicious
First seen:
2021-03-14 21:58:00 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xj65sc7yxvvb3rtfzcdayckit2svghlttzk34azbxwcupcydzfpq._file
Verdict:
unknown
Similar samples:
0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
Worm.Ramnit
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
Worm.Ramnit
70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668
Worm.Ramnit
8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905
Worm.Ramnit
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
Worm.Ramnit
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
Worm.Ramnit
ad8bb6a26ffb2234855a89f214ac91cc98c8e53910a181f7cf9828062a734c03
Worm.Ramnit
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
Worm.Ramnit
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
Worm.Ramnit
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
Worm.Ramnit
+ 32 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig aspackv2 miner persistence
Link:
https://tria.ge/reports/210321-kjmncdha3j/
Behaviour
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Loads dropped DLL
ASPack v2.12-2.42
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
xmrig
Unpacked files
SH256 hash:
b02ecd10942f04770c4649d8b690c8dc5c6c5fa49404b2dfa387c6fac49498ec
MD5 hash:
c07785cb94c8dd84e10e5c4c2b78cdfc
SHA1 hash:
be5c9247801051e8d687a85035b9a64af88742b4
Link:
https://www.unpac.me/results/66fb7be3-9326-4591-9af2-291983e7136a/
SH256 hash:
6ad780a0426fddb75a1f6e9eab88e9b553660a84f2bd265eb0508210f5b6ce05
MD5 hash:
919dcb8645e99f16020c846f160d78be
SHA1 hash:
a230cdfa3f4acd3d40bf1fa60c8e9b037f5b0fbe
Detections:
win_unidentified_045_g0
Create hunting rule
win_unidentified_045_auto
Create hunting rule
Link:
https://www.unpac.me/results/66fb7be3-9326-4591-9af2-291983e7136a/
SH256 hash:
ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f
MD5 hash:
cf49e5dc83e03d74059a50288f510c39
SHA1 hash:
577d22c959848dc225bb6dc5850c463bd04ed4e5
Link:
https://www.unpac.me/results/66fb7be3-9326-4591-9af2-291983e7136a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments