Win32/Ramnit

Forum for analysis and discussion about malware.
nullptr
Posts: 209
Joined: Sun Mar 14, 2010 6:35 am

Re: Ramnit.A

Post by nullptr » Sat Nov 20, 2010 2:31 am

It seems highly aggressive compared to some early Ramnit.A. MSE identified the infected PE files as Ramnit.I and HTML as Ramnit.B

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan SpyEye (alias Pincav)

Post by markusg » Fri Dec 10, 2010 6:32 pm


EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Fri Dec 10, 2010 6:57 pm

Thanks. This is an unusual SpyEye-like bot.

It stores itself under the %Program Files% folder and runs via the autostart folder in the Start menu. The bot payload DLL, named "hooker.dll", is injected into the memory of running processes.
When started, the bot spawned two IE copies and Windows Firewall blocked their activity.

Stuff from hooker.dll
{%08X-%04X-%04X-%04X-%08X%04X} ntdll.dll NtShutdownSystem kernel32.dll GetNativeSystemInfo
GetProductInfo SeDebugPrivilege SeShutdownPrivilege SeBackupPrivilege SeRestorePrivilege PROCESSOR_IDENTIFIER
HARDWARE\DESCRIPTION\System SOFTWARE\Microsoft\Windows\CurrentVersion SystemBiosVersion ProductId :///:
POSTGETHTTP/*.*
Host:{*}
Referer:{*}
/GET /%s HTTP/1.1
Host: %s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Accept: text/html, application/xml;q=0.9, application/xhtml+xml;q=0.9, image/png, image/jpeg, image/gif, image/x-xbitmap, *\*;q=0.1
Accept-Charset: utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1
Pragma: no-cache
Connection: close
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: max-age=0
Pragma: no-cache
Connection: Keep-Alive
Content-Type: text/html
Location: Date: Last-Modified: ddd',' dd MMM yyyy hh':'mm':'ss GMT ntdll.dll ZwQuerySystemInformation
ZwQueryInformationProcess ZwQueryInformationThread LdrLoadDll LdrGetDllHandle LdrGetProcedureAddress
RtlInitUnicodeString RtlUnicodeStringToAnsiString RtlFreeAnsiString RtlInitString RtlAnsiStringToUnicodeString
RtlFreeUnicodeString ZwQueueApcThread ZwTerminateProcess ZwResumeThread ZwProtectVirtualMemory
RtlCreateUserThread ZwClose kernel32.dll ExitThread ExitProcess r e p l a c e k e y w o r d s r e f e r e r u r l
b l a c k l i s t w h i t e l i s t d n s c h a n g e r a l l u n i q A S C I I U T F 8 U N I C O D E { k e y w o r d } < * >
ntdll.dll LdrLoadDll ZwQueryDirectoryFile dnsapi.dll DnsQuery_A DnsQuery_W DnsQuery_UTF8 ws2_32.dll send
sendto recv recvfrom WSASend WSASendTo WSARecv WSARecvFrom closesocket {4F6F3382-2928-8E14-74D2-1A9D1CD12BCC}
Ring0 - the source of inspiration

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan SpyEye (alias Pincav)

Post by markusg » Fri Dec 10, 2010 7:10 pm

This SpyEye variant I saw today 2 times from 2 different persons. I cannot send the second; the user deleted it before I was able to collect it :-)
I have another user and will try to collect the files.

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan SpyEye (alias Pincav)

Post by markusg » Wed Dec 15, 2010 4:06 pm

SpyEye, it looks like to me. From an infected PC.
http://www.virustotal.com/file-scan/rep ... 1292428385

EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Wed Dec 15, 2010 5:29 pm

Not sure if this is still SpyEye. It has Autorunner behavior and lacks rootkit functionality.

Cryptor + UPX

Payload DLL "runner.dll" mapped into the started Internet Explorer copy. IE blocked by Windows Firewall.
Last edited by EP_X0FF on Sat Feb 05, 2011 7:26 am, edited 1 time in total.
Reason: edit: removed unuseful strings dump
Ring0 - the source of inspiration

EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan SpyEye (alias Pincav)

Post by EP_X0FF » Sat Feb 05, 2011 6:42 am

Autorunner worm (Cryptor + UPX -> MASM) exploiting the Stuxnet LNK vulnerability.
There is no evidence proving this is SpyEye.

Original dropper, unpacked dropper, payload DLL (rmnsoft.dll) and exploit DLL (runner.dll) attached.
https://www.virustotal.com/file-scan/re ... 1296887112

This is Ramnit, posts moved.
Last edited by EP_X0FF on Sat Feb 05, 2011 7:27 am, edited 1 time in total.
Reason: edit, posts moved
Ring0 - the source of inspiration

Xylitol
Global Moderator
Posts: 1667
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Win32.Ramnit

Post by Xylitol » Sat May 21, 2011 11:24 am

0F15430C5BB59ED02D8703F89B6E8A00C53FF5C1.exe 17/42 >> 40.5%
http://www.virustotal.com/file-scan/rep ... 1305912106

A2B4DCB8A1E5BB706CFB13FE76CA363F7928EE4ACAF21FDADABC7AB36[...].exe 38/42 >> 90.5%
http://www.virustotal.com/file-scan/rep ... 1305929022

BF58D739006E38AA481000952CA28A0014EC963D.sys 9/43 >> 20.9%
http://www.virustotal.com/file-scan/rep ... 1305032323

Found on 19 May 2011 in an AMAG malware package.

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Win32.Ramnit

Post by markusg » Mon Dec 05, 2011 5:25 pm

ruppfmau.exe
MD5 : 06db41b721e1246296e1c843e8c7d45f
https://www.virustotal.com/file-scan/re ... 1323104124