MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfa1b613290dd96e58d12317a1bd0a2d557f0ba6ba1b6f3dc5dc59c8cc9beb6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ramnit


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfa1b613290dd96e58d12317a1bd0a2d557f0ba6ba1b6f3dc5dc59c8cc9beb6c
SHA3-384 hash: f5f03b933840bc4a0c9521e348a375ea012bf5518c882883a1aecac28cf52495b0785d1923b55a3301d13255b11c327d
SHA1 hash: d0a2c145c4dcacc089e0ec87a83bdcdc9304bd40
MD5 hash: 3413b76a95e64a6445a1a61f8a6db295
humanhash: hamper-massachusetts-lactose-hamper
File name:sample
Download: download sample
Signature Ramnit
Create hunting rule
File size:1'214'464 bytes
First seen:2022-06-01 18:07:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a49977b0f9a42d88116ab0c5adc7799e (1 x Ramnit)
ssdeep 24576:LAyXX8qif7h9RHyevHQdsXQaz27MMMMMM3s5xE3DQ:LuF7h9RH/H+QQaMMMMMMMKE3k
Threatray 11'931 similar samples on MalwareBazaar
TLSH T101459E61B7DAC032F9761EB014B9B309293EBA220774CDDFA7902D5E5931AD29D7034B
TrID 46.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
34.6% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
7.5% (.EXE) InstallShield setup (43053/19/16)
5.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon cdebeaaebaeefa8c (1 x Ramnit, 1 x DCRat, 1 x Neurevt)
Reporter Anonymous
Tags:32-bit exe ramnit

Intelligence

File Origin
# of uploads :
1
# of downloads :
641
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ramnit
Create hunting rule
ID:
1
File name:
sample
Verdict:
Malicious activity
Analysis date:
2022-06-01 18:11:21 UTC
Tags:
installer trojan ramnit
Link:
https://app.any.run/tasks/88c90ec0-cc90-4074-bdb2-0ed5da20a07e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276165/
Detection(s):
Win.Trojan.Ramnit-1846
Create hunting rule

Win.Trojan.Ramnit-1847
Create hunting rule

SecuriteInfo.com.LuheRamnit-corrupted.2526.124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Changing a file
Creating a window
Launching a process
Searching for synchronization primitives
Unauthorized injection to a recently created process
Searching for the browser window
Sending a custom TCP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ramnit
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a540d786-f8d4-4a6d-9965-90d6a3f36d74
Result
Threat name:
Ramnit
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1005279
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Ramnit
Behaviour
Behavior Graph:
Download SVG
Detection:
ramnit
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cfa1b613290dd96e58d12317a1bd0a2d557f0ba6ba1b6f3dc5dc59c8cc9beb6c/
Threat name:
Win32.Worm.Ramnit
Create hunting rule
Status:
Malicious
First seen:
2015-05-23 13:45:32 UTC
File Type:
PE (Exe)
Extracted files:
127
AV detection:
25 of 25 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z6q3mezjbxmw4wgreml2dpikfvkx6c5gxinw6pof3rm4rte35nwa._file
Verdict:
malicious
Similar samples:
06f2fef10fedbb774853c71cc9c923cd56d49d6165a6476fa7e5445550b0a6dc
Ramnit
680e418e349d611812a6afd357c39fa4fe3baf32cd95012f9b0632a364f2f349
Ramnit
712902f16ad8e9570dc1e25dba5f4219f3fdd497d727f08dd98f1c6baa78335b
Ramnit
b8e40ed3d1f01fd75f0f43d4784d92aaa9596f289f23c35969af1a4c1e149c30
Ramnit
bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90
Ramnit
bdde1e74ef46863692bd6975af9203dffa21931c60dc29f01f3cf69f2093e35a
Ramnit
c770def66ece0d6100ca50a3b54898be0c177e7d0baddd8803785571f83c1c1a
Ramnit
f158a9650580dcf9a875b153192a86e20798c7f01b4a458b668704661e2cc89c
Ramnit
+ 11'921 additional samples on MalwareBazaar
Result
Malware family:
ramnit
Create hunting rule
Score:
  10/10
Tags:
family:ramnit banker persistence spyware stealer trojan upx worm
Link:
https://tria.ge/reports/220601-wqv3ksbab5/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Loads dropped DLL
Executes dropped EXE
UPX packed file
Modifies system executable filetype association
Ramnit
Unpacked files
SH256 hash:
624c41a674148696330c7021f0b4c1b45b3f1ba1eb5087a1f81297d11841aa55
MD5 hash:
99eaca96d7128348a76019dd67aefcc5
SHA1 hash:
4f2b9ee0018b61aa9db25b02603330d9a98ae453
Detections:
win_ramnit_g1
Create hunting rule
win_ramnit_auto
Create hunting rule
Link:
https://www.unpac.me/results/5b66d733-f6eb-405d-a8fb-3e5b5803a871/
SH256 hash:
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386
MD5 hash:
17efb7e40d4cadaf3a4369435a8772ec
SHA1 hash:
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2
Link:
https://www.unpac.me/results/5b66d733-f6eb-405d-a8fb-3e5b5803a871/
SH256 hash:
cfa1b613290dd96e58d12317a1bd0a2d557f0ba6ba1b6f3dc5dc59c8cc9beb6c
MD5 hash:
3413b76a95e64a6445a1a61f8a6db295
SHA1 hash:
d0a2c145c4dcacc089e0ec87a83bdcdc9304bd40
Link:
https://www.unpac.me/results/5b66d733-f6eb-405d-a8fb-3e5b5803a871/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfa1b613290dd96e58d12317a1bd0a2d557f0ba6ba1b6f3dc5dc59c8cc9beb6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276165/

Comments