A forum for reverse engineering, OS internals and malware analysis 

Win32/Ramnit

Forum for analysis and discussion about malware.

Re: rmnet

 #28141  by patriq
 Mon Mar 28, 2016 5:18 pm
you could ask Kafeine directly

Re: rmnet

 #28142  by Kafeine
 Mon Mar 28, 2016 6:58 pm
Hello,

Thx Xylit0l for the ping :)
See in the attached Zip. Added one from today as well.
Attachments
2 ramnit sample - password : infected
(284.01 KiB) Downloaded 71 times

Re: Win32/Ramnit

 #28169  by patriq
 Thu Mar 31, 2016 11:27 pm
I thought this was interesting. New ramnit still being pushed by Angler.
http://www.kernelmode.info/forum/viewto ... 295#p28142

sample 99f21ba5b02b3085c683ea831d79dc79 examined on win7
https://www.virustotal.com/en/file/0d52 ... /analysis/

NSIS dropper for Ramnit

reduces security turns off firewall
windows security center service off
copies self to %temp%
dumps dlls in roaming temp
add exe to startup menu
HKLM\software\microsoft\windows nt\currentversion\winlogon\Userinit

registers two services via svchost.exe (attach)

port scans local subnet tcp/110 tcp/139
opens port tcp/23 LISTENING

http get macromedia flash download > 404

active C&C (or C&C proxy)
tcp 188.93.211.67:443 (ru) gugendolik.com

NSIS script 'raw' trick
http://stackoverflow.com/questions/3431 ... 69#3431269
my offset: 00402E5D
produces file: 514d9131fb386b22c64ae2568236228b nsyAD6F.tmp

cathouses
Paraldehyde

villeinage.dll exports > Chihuahua

99f21ba5b02b3085c683ea831d79dc79 lugdbbmp.exe
cfc171e42ed3fd73502424f37a55dc53 MilageAorta
514d9131fb386b22c64ae2568236228b nsyAD6F.tmp
99f21ba5b02b3085c683ea831d79dc79 sbnvyybh.exe
99f21ba5b02b3085c683ea831d79dc79 smvohluj.exe
11d49157689a21b549dd6399e78c5a0a System.dll
cfa194068f62843ef36a5c31e2576b53 villeinage.dll
c2a126b2dd4fb7c6fbe19eb7064f214d Warsaw
2bcd3e6fdde56ee3e5d39b33dd236fec -other sample on VT

https://www.virustotal.com/en/file/a305 ... /analysis/

https://www.virustotal.com/en/file/3475 ... /analysis/

Re: Win32/Ramnit

 #28188  by patriq
 Sun Apr 03, 2016 1:35 pm
patriq wrote: 99f21ba5b02b3085c683ea831d79dc79 lugdbbmp.exe
cfc171e42ed3fd73502424f37a55dc53 MilageAorta
514d9131fb386b22c64ae2568236228b nsyAD6F.tmp
99f21ba5b02b3085c683ea831d79dc79 sbnvyybh.exe
99f21ba5b02b3085c683ea831d79dc79 smvohluj.exe
11d49157689a21b549dd6399e78c5a0a System.dll
cfa194068f62843ef36a5c31e2576b53 villeinage.dll
c2a126b2dd4fb7c6fbe19eb7064f214d Warsaw
attached

also, edit above DNS , same IP, observed: prokladk2.com
http://bgp.he.net/net/188.93.211.0/24#_dns
188.93.211.67 prokladk2.com gugendolik.com
Attachments
(958.73 KiB) Downloaded 77 times

Re: Win32/Ramnit

 #29688  by xors
 Wed Dec 07, 2016 4:12 pm
According to ESET scan, it's ramnit
Attachments
password:infected
(201.71 KiB) Downloaded 61 times

Re: Win32/Ramnit

 #31939  by ynvb
 Mon Aug 06, 2018 3:53 am
It seems Ramnit has started a new campaign dubbed - `Black`.
The campaign started at May-2018 and infected over 100,000 victims within ~2 months.

What's really strange about it that all it is doing is delivering a proxy-malware named ngioweb, which is used to create a network of malicious proxies.
Why? Well, not really sure about this one - but I have some guesses...

Check it out:
https://research.checkpoint.com/ramnits ... y-servers/
  • 1
  • 6
  • 7
  • 8
  • 9
  • 10
 Return to “Malware”