Win32/Ramnit

Forum for analysis and discussion about malware.
Ludvig
Posts: 7
Joined: Fri Jan 29, 2016 9:30 am

rmnet

Post by Ludvig » Mon Mar 28, 2016 7:01 am

I'm looking for a new rmnet sample

MD5 = 99f21ba5b02b3085c683ea831d79dc79

http://malware.dontneedcoffee.com/2016/ ... 00306.html

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: rmnet

Post by patriq » Mon Mar 28, 2016 5:18 pm

You could ask Kafeine directly

Kafeine
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm

Re: rmnet

Post by Kafeine » Mon Mar 28, 2016 6:58 pm

Hello,

Thx Xylit0l for the ping :)
See in the attached Zip. Added one from today as well.

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Win32/Ramnit

Post by patriq » Thu Mar 31, 2016 11:27 pm

I thought this was interesting. New ramnit still being pushed by Angler.
http://www.kernelmode.info/forum/viewto ... 295#p28142

sample 99f21ba5b02b3085c683ea831d79dc79 examined on win7
https://www.virustotal.com/en/file/0d52 ... /analysis/

NSIS dropper for Ramnit

reduces security, turns off firewall
windows security center service off
copies self to %temp%
dumps dlls in roaming temp
adds exe to startup menu
HKLM\software\microsoft\windows nt\currentversion\winlogon\Userinit

registers two services via svchost.exe (attach)

port scans local subnet tcp/110 tcp/139
opens port tcp/23 LISTENING

http get macromedia flash download > 404

active C&C (or C&C proxy)
tcp 188.93.211.67:443 (ru) gugendolik.com

NSIS script 'raw' trick
http://stackoverflow.com/questions/3431 ... 69#3431269
my offset: 00402E5D
produces file: 514d9131fb386b22c64ae2568236228b nsyAD6F.tmp

cathouses
Paraldehyde

villeinage.dll exports > Chihuahua

99f21ba5b02b3085c683ea831d79dc79 lugdbbmp.exe
cfc171e42ed3fd73502424f37a55dc53 MilageAorta
514d9131fb386b22c64ae2568236228b nsyAD6F.tmp
99f21ba5b02b3085c683ea831d79dc79 sbnvyybh.exe
99f21ba5b02b3085c683ea831d79dc79 smvohluj.exe
11d49157689a21b549dd6399e78c5a0a System.dll
cfa194068f62843ef36a5c31e2576b53 villeinage.dll
c2a126b2dd4fb7c6fbe19eb7064f214d Warsaw
2bcd3e6fdde56ee3e5d39b33dd236fec -other sample on VT

https://www.virustotal.com/en/file/a305 ... /analysis/

https://www.virustotal.com/en/file/3475 ... /analysis/
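A defender-side check for the Userinit persistence noted in the analysis above, added here as an example (not code from the thread or from any of its posters): it parses the comma-separated Winlogon\Userinit value and flags every entry that is not the expected userinit.exe under System32. The sample values, the victim path and the helper names are constructed for the example.

```python
"""Check the Winlogon Userinit value for appended executables.

Droppers of this kind persist by appending their own binary to
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.
The legitimate value is a single entry, userinit.exe in System32,
followed by a trailing comma. Anything else in the list deserves a look.
"""
import re
import sys

USERINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_NAME = "userinit.exe"


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated Userinit value into cleaned entries."""
    entries = []
    for raw in value.split(","):
        item = raw.strip().strip('"')
        if item:
            entries.append(item)
    return entries


def suspicious_userinit_entries(value: str, system_root: str = r"C:\Windows") -> list[str]:
    """Return every entry that is not the expected userinit.exe under System32."""
    expected = f"{system_root}\\system32\\{EXPECTED_NAME}".lower()
    flagged = []
    for entry in parse_userinit(value):
        # Tolerate the %SystemRoot% / %windir% spelling of the legitimate path.
        normalized = re.sub(r"%(systemroot|windir)%", lambda m: system_root, entry, flags=re.I)
        if normalized.lower() != expected:
            flagged.append(entry)
    return flagged


def read_userinit() -> str:
    """Read the live value on Windows (winreg is only available there)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERINIT_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed sample values: the clean default, and one with a dropper in the
# user's temp directory appended, mirroring the behaviour described in the thread.
CLEAN_SAMPLE = r"C:\Windows\system32\userinit.exe,"
INFECTED_SAMPLE = r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Local\Temp\lugdbbmp.exe,"

if __name__ == "__main__":
    value = read_userinit() if sys.platform == "win32" else INFECTED_SAMPLE
    for entry in suspicious_userinit_entries(value):
        print("unexpected Userinit entry:", entry)
```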

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Win32/Ramnit

Post by patriq » Sun Apr 03, 2016 1:35 pm

patriq wrote: (hash list quoted from the post above)
attached

also, edit to the DNS above: same IP, observed: prokladk2.com
http://bgp.he.net/net/188.93.211.0/24#_dns
188.93.211.67 prokladk2.com gugendolik.com

xors
Posts: 160
Joined: Mon May 23, 2016 2:01 am

Re: Win32/Ramnit

Post by xors » Wed Dec 07, 2016 4:12 pm

According to ESET scan, it's ramnit
@xorsthingsv2

ynvb
Posts: 10
Joined: Tue Feb 26, 2013 12:17 pm

Re: Win32/Ramnit

Post by ynvb » Mon Aug 06, 2018 3:53 am

It seems Ramnit has started a new campaign dubbed `Black`.
The campaign started in May 2018 and infected over 100,000 victims within ~2 months.

What's really strange about it is that all it does is deliver a proxy malware named ngioweb, which is used to create a network of malicious proxies.
Why? Well, not really sure about this one, but I have some guesses...

Check it out:
https://research.checkpoint.com/ramnits ... y-servers/
