win.ramnit

Ramnit

aka: Nimnul

There is no description at this point.

References
2020-01-10 ⋅ CSIS ⋅ CSIS
@techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2019-05-31 ⋅ Youtube (0verfl0w_) ⋅ 0verfl0w_
@online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit
2018-08-05 ⋅ Check Point ⋅ Alexey Bukhteyev
@online{bukhteyev:20180805:ramnits:1268bad, author = {Alexey Bukhteyev}, title = {{Ramnit’s Network of Proxy Servers}}, date = {2018-08-05}, organization = {Check Point}, url = {https://research.checkpoint.com/ramnits-network-proxy-servers/}, language = {English}, urldate = {2020-01-09} } Ramnit’s Network of Proxy Servers
Ngioweb Ramnit
2018-02-22 ⋅ Vitali Kremez
@online{kremez:20180222:lets:6fd91bb, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into Ramnit Banker "VNC IFSB" Remote Control Module}}, date = {2018-02-22}, url = {http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html}, language = {English}, urldate = {2019-12-04} } Let's Learn: Deeper Dive into Ramnit Banker "VNC IFSB" Remote Control Module
Ramnit
2018-01-01 ⋅ nao_sec blog ⋅ nao_sec
@online{naosec:20180101:analyzing:0efde89, author = {nao_sec}, title = {{Analyzing Ramnit used in Seamless campaign}}, date = {2018-01-01}, organization = {nao_sec blog}, url = {http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html}, language = {English}, urldate = {2020-01-08} } Analyzing Ramnit used in Seamless campaign
Ramnit
2017-09-29 ⋅ CERT.PL ⋅ Michał Praszmo
@online{praszmo:20170929:ramnit:0ab2a9e, author = {Michał Praszmo}, title = {{Ramnit – in-depth analysis}}, date = {2017-09-29}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/}, language = {English}, urldate = {2020-01-13} } Ramnit – in-depth analysis
Ramnit
2017-08-23 ⋅ Malware Breakdown
@online{breakdown:20170823:seamless:3a2c794, author = {Malware Breakdown}, title = {{The Seamless Campaign Isn’t Losing Any Steam}}, date = {2017-08-23}, url = {https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/}, language = {English}, urldate = {2019-12-04} } The Seamless Campaign Isn’t Losing Any Steam
Ramnit
2015-02-24 ⋅ Symantec ⋅ Symantec Security Response
@techreport{response:20150224:w32ramnit:3a2fed3, author = {Symantec Security Response}, title = {{W32.Ramnit analysis}}, date = {2015-02-24}, institution = {Symantec}, url = {https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf}, language = {English}, urldate = {2019-12-17} } W32.Ramnit analysis
Ramnit
2012-01-12 ⋅ Contagio Dump ⋅ Mila Parkour
@online{parkour:20120112:blackhole:c99cf1f, author = {Mila Parkour}, title = {{Blackhole Ramnit - samples and analysis}}, date = {2012-01-12}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html}, language = {English}, urldate = {2019-12-20} } Blackhole Ramnit - samples and analysis
Ramnit
Yara Rules
[TLP:WHITE] win_ramnit_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_ramnit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read the strings section:
     * - Each $sequence_N is a run of raw x86 instruction bytes taken from the
     *   unpacked code; the indented comments under it give the disassembly of
     *   those bytes, one instruction per line.
     * - "n" is the number of instructions in the run (it equals the number of
     *   disassembly lines); "score" is the selection score yara-signator
     *   assigned to the run (how it is computed is not documented here).
     * - "??" bytes are wildcards. In this rule they occur only after the e8
     *   opcode (x86 near relative call): the 4-byte displacement depends on
     *   where the callee ends up in the binary, so it is masked rather than
     *   matched. The disassembly column is left blank for those entries.
     * - Since these are code bytes, the rule is meant for unpacked samples or
     *   memory dumps; a packed on-disk file will normally not match.
     */

    strings:
        $sequence_0 = { 8a4510 f2ae 47 b800000000 8a5d10 381f }
            // n = 6, score = 3400
            // (repne scasb followed by a byte compare looks like a byte-scan
            //  / strlen-style loop - inferred from the opcodes, not verified)
            //   8a4510               | mov                 al, byte ptr [ebp + 0x10]
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   47                   | inc                 edi
            //   b800000000           | mov                 eax, 0
            //   8a5d10               | mov                 bl, byte ptr [ebp + 0x10]
            //   381f                 | cmp                 byte ptr [edi], bl

        $sequence_1 = { 56 68a7000000 ff7508 e8???????? b8a7000000 }
            // n = 5, score = 3400
            //   56                   | push                esi
            //   68a7000000           | push                0xa7
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   b8a7000000           | mov                 eax, 0xa7

        $sequence_2 = { 42 47 e2cd b000 8806 b801000000 eb05 }
            // n = 7, score = 3400
            //   42                   | inc                 edx
            //   47                   | inc                 edi
            //   e2cd                 | loop                0xffffffcf
            //   b000                 | mov                 al, 0
            //   8806                 | mov                 byte ptr [esi], al
            //   b801000000           | mov                 eax, 1
            //   eb05                 | jmp                 7

        $sequence_3 = { 8d45f8 50 e8???????? 8b36 0375fc 83c604 }
            // n = 6, score = 3400
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   0375fc               | add                 esi, dword ptr [ebp - 4]
            //   83c604               | add                 esi, 4

        $sequence_4 = { 8b45fc 03450c 66bb0000 668918 8b45fc }
            // n = 5, score = 3400
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   03450c               | add                 eax, dword ptr [ebp + 0xc]
            //   66bb0000             | mov                 bx, 0
            //   668918               | mov                 word ptr [eax], bx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_5 = { e8???????? 8b36 83c604 eb4c 6a00 }
            // n = 5, score = 3400
            // (shares the "mov esi,[esi] / add esi,4" tail with $sequence_3)
            //   e8????????           |                     
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   83c604               | add                 esi, 4
            //   eb4c                 | jmp                 0x4e
            //   6a00                 | push                0

        $sequence_6 = { b02d 8807 47 6a0a 57 e8???????? 83c70a }
            // n = 7, score = 3400
            // (0x2d is ASCII '-'; written to [edi] before a call with the
            //  buffer pointer and 0xa as arguments - looks like string
            //  building, not verified)
            //   b02d                 | mov                 al, 0x2d
            //   8807                 | mov                 byte ptr [edi], al
            //   47                   | inc                 edi
            //   6a0a                 | push                0xa
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c70a               | add                 edi, 0xa

        $sequence_7 = { 7402 8916 be00000000 0bd2 7403 897204 8955fc }
            // n = 7, score = 3400
            //   7402                 | je                  4
            //   8916                 | mov                 dword ptr [esi], edx
            //   be00000000           | mov                 esi, 0
            //   0bd2                 | or                  edx, edx
            //   7403                 | je                  5
            //   897204               | mov                 dword ptr [edx + 4], esi
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_8 = { f7f1 8bca 8bd6 5e }
            // n = 4, score = 3400
            // (shortest run in the rule: 4 instructions / 6 bytes; a generic
            //  div/mov/pop tail, so it carries little weight on its own)
            //   f7f1                 | div                 ecx
            //   8bca                 | mov                 ecx, edx
            //   8bd6                 | mov                 edx, esi
            //   5e                   | pop                 esi

        $sequence_9 = { 57 56 e8???????? 837d1400 7410 6a00 ff7518 }
            // n = 7, score = 3400
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0
            //   7410                 | je                  0x12
            //   6a00                 | push                0
            //   ff7518               | push                dword ptr [ebp + 0x18]

    condition:
        // Any 7 of the 10 sequences must be present, so up to 3 may be missing
        // (e.g. recompiled or slightly changed code) before the rule stops
        // firing. Short generic runs such as $sequence_8 can contribute to the
        // count, which is worth keeping in mind when assigning confidence.
        7 of them
}
[TLP:WHITE] win_ramnit_w0 (20180226 | Detects Ramnit banking malware VNC module)
rule win_ramnit_w0 {
    meta:
        author = "@VK_Intel"
        description = "Detects Ramnit banking malware VNC module"
        reference = "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html"
        // SHA-256 of the sample the strings were taken from (see reference)
        hash = "888b2c614567fb5b4474ddeeb453f8cd9f44d72efb325f7e3652fd0f748c08f1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit"
        malpedia_version = "20180226"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    /* All strings are cleartext printf-style log/error messages (%u, %x, %p,
     * %s/%S placeholders) describing section mapping and DLL injection into a
     * target process; $s10 ties them to the VNC session process named in the
     * description. Prefixes such as "ActiveDll:" and "AcInjectDll:" look like
     * the names of the module's own routines (inferred from the text, not
     * verified). Because these are plain strings rather than code bytes, the
     * rule works on unpacked samples and memory dumps; "fullword ascii"
     * requires each match to be bounded by non-alphanumeric bytes.
     */
    strings:
        $s0 = "Failed mapping a section to the target process, status 0x%x" fullword ascii
        $s1 = "Unable to map the section into the target process, error %u" fullword ascii
        $s2 = "Unable to resolve target process import, error %u" fullword ascii
        $s3 = "No module found for the target process (%u) architecture" fullword ascii
        $s4 = "A section of %u bytes mapped to the target process at 0x%p" fullword ascii
        $s5 = "CreateProcessAsUserA %s->%s failed" fullword ascii
        // The trailing space after "%d" is part of the pattern; with fullword
        // the byte following that space must also be non-alphanumeric.
        $s6 = "Dep PsSupGetProcessModules, ModCount = %d " fullword ascii
        $s7 = "ActiveDll: PatchProcessMemory failed, error: %u" fullword ascii
        // Wide-char (%S) counterpart of $s5.
        $s8 = "CreateProcessAsUserW %S->%S failed" fullword ascii
        $s9 = "AcInjectDll: GetOEP failed, error: %u" fullword ascii
        $s10 = "Shared section mapped at 0x%p. Starting within VNC session process." fullword ascii
        $s11 = "CreateToolhelp32Snapshot (of processes) failed err=%lu" fullword ascii
    condition:
        // Strict: every one of the 12 strings must be present. A build that
        // drops or rewords a single message will not match; a threshold such
        // as "10 of them" would trade some precision for variant coverage.
        all of them
}