MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddc2c78d6f8510947bef12901b68da4f595e0733d9bc82434791d293cdc9e168. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.Ramnit


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddc2c78d6f8510947bef12901b68da4f595e0733d9bc82434791d293cdc9e168
SHA3-384 hash: b40f2c58c6b4fffe7e0d140c0aa4399f2a166f1ff3e7ea73339315c001bc34b0a7d505954da1ec8726b02845b4caecda
SHA1 hash: 9e7a81e25b980faa44c4048171027eea865e874b
MD5 hash: 3299acdbd8a544780abb6eae4668d1aa
humanhash: eight-virginia-nebraska-bravo
File name:LisectAVT_2403002B_208.exe
Download: download sample
Signature Worm.Ramnit
Create hunting rule
File size:794'624 bytes
First seen:2024-07-25 01:05:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ec99d108fd03acbc59a2a6c0a950d47a (3 x TrickBot, 1 x Worm.Ramnit)
ssdeep 12288:FeTBslq08I3L92xhqmqUVWFxjPc/jxEnU2vMQs:UtI3L9WqdjPU67
Threatray 7 similar samples on MalwareBazaar
TLSH T162F47C09B6BECC36C09A143F5FD25664626BAD025B25F58773872B8C8630B62B53731F
TrID 37.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
20.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.5% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter Anonymous
Tags:exe Worm.Ramnit


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Trojan.Generic-9886679-0
Create hunting rule

Win.Trojan.Generic-9933689-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Sending an HTTP GET request to an infection source
Modifying an executable file
Launching a process
Сreating synchronization primitives
Connection attempt
Query of malicious DNS domain
Connection attempt to an infection source
Forced shutdown of a system process
Unauthorized injection to a system process
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger lolbin microsoft_visual_cc shell32
Link:
https://www.filescan.io/uploads/66a1a4fd3ba51bb345a372d0/reports/0a8b8a94-68a6-4a21-bf39-b096a4f555aa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TrickBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1383be63-4c82-4ffe-81e9-80a317a37366
Result
Threat name:
Bdaejec, Trickbot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1481967
Behaviour
Behavior Graph:
n/a
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ddc2c78d6f8510947bef12901b68da4f595e0733d9bc82434791d293cdc9e168
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddc2c78d6f8510947bef12901b68da4f595e0733d9bc82434791d293cdc9e168/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2024-07-25 01:06:05 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3xbmpdlpquiji67pckibw2g2j5mv4bzt3g6ieq2hshjjhtoj4fua._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
03ff8ba48d53dfb76d0218df8762010303fd6c49524eab335cb2ecb90bfaf693
Worm.Ramnit
0693dc7093f73fb893ec946c5311157f6d88d943ad142bf5e7cfae61d197447a
Worm.Ramnit
a36663051732f55a2234bd46bd8d0cda539be2bf2aad3a0e1b27be1686046127
Worm.Ramnit
ddc2c78d6f8510947bef12901b68da4f595e0733d9bc82434791d293cdc9e168
Worm.Ramnit
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:top115 aspackv2 banker discovery trojan
Link:
https://tria.ge/reports/240725-bf5ttayclp/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Trickbot
Malware Config
C2 Extraction:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/89e11dfa-7dee-444d-aad3-9bf0eb74d21c
Unpacked files
SH256 hash:
b30647d36a75666d5142a875e3d5d5175cb8feefcc685b46984419b2e18cfbae
MD5 hash:
2585bb23fc85fb23e367cbbeab3e6415
SHA1 hash:
b539c5dd4709bf6886454bacf43761b76a9b13d8
Link:
https://www.unpac.me/results/7bee67f4-e209-4398-9d93-8d6774b90561/
SH256 hash:
052768f762a74dfba8f86244f0964f1fbe56b70420f23713232d02b00fecf2f0
MD5 hash:
bf32eef67f44e8788adc0c12b849fa54
SHA1 hash:
90fac4ff6a18100a4d235319a5d4e88689f6ffc0
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/7bee67f4-e209-4398-9d93-8d6774b90561/
Parent samples :
0693dc7093f73fb893ec946c5311157f6d88d943ad142bf5e7cfae61d197447a
03ff8ba48d53dfb76d0218df8762010303fd6c49524eab335cb2ecb90bfaf693
a36663051732f55a2234bd46bd8d0cda539be2bf2aad3a0e1b27be1686046127
ddc2c78d6f8510947bef12901b68da4f595e0733d9bc82434791d293cdc9e168
SH256 hash:
ffe7886fe60549de5f209f21c62937c3e88900b47d2b0e8ddffc03828779ed99
MD5 hash:
83e18057dc3bbe39f4d67f3124c33eaa
SHA1 hash:
217c7c28446654e92ae3bad8e82db22ce25a1acc
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/7bee67f4-e209-4398-9d93-8d6774b90561/
SH256 hash:
b1c705f9e3f66860129d3d4d65271bae1f5be5cbb511cbc02f9d0ff03dc86b32
MD5 hash:
ac29891f7cdbfa9098dce999421d908c
SHA1 hash:
56ec09ef88dde94b348ff240211986b7950da11a
Link:
https://www.unpac.me/results/7bee67f4-e209-4398-9d93-8d6774b90561/
SH256 hash:
ddc2c78d6f8510947bef12901b68da4f595e0733d9bc82434791d293cdc9e168
MD5 hash:
3299acdbd8a544780abb6eae4668d1aa
SHA1 hash:
9e7a81e25b980faa44c4048171027eea865e874b
Link:
https://www.unpac.me/results/7bee67f4-e209-4398-9d93-8d6774b90561/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Worm.Ramnit

Executable exe ddc2c78d6f8510947bef12901b68da4f595e0733d9bc82434791d293cdc9e168

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoFreeUnusedLibraries
MULTIMEDIA_APICan Play MultimediaGDI32.dll::StretchDIBits
SHELL_APIManipulates System ShellSHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
ADVAPI32.dll::GetFileSecurityA
KERNEL32.dll::MoveFileA
ADVAPI32.dll::SetFileSecurityA
KERNEL32.dll::GetFileAttributesA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegCreateKeyA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegQueryValueA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::CreateMenu
USER32.dll::FindWindowA
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments