win.ramnit

Ramnit

aka: Nimnul

There is no description at this point.

References
2020-06-17 — Youtube (Red Canary) — Erika Noerenberg, Matt Graeber, Adam Pennington, David Kaplan
@online{noerenberg:20200617:attck:934d73c, author = {Erika Noerenberg and Matt Graeber and Adam Pennington and David Kaplan}, title = {{ATT&CK® Deep Dive: Process Injection}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://redcanary.com/resources/webinars/deep-dive-process-injection/}, language = {English}, urldate = {2020-06-19} } ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot
2020-03-03 — PWC UK — PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-01-10 — CSIS — CSIS
@techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2019-05-31 — Youtube (0verfl0w_) — 0verfl0w_
@online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit
2019-02-27 — Akamai — Asaf Nadler
@online{nadler:20190227:ramnit:e00b14d, author = {Asaf Nadler}, title = {{Ramnit in the UK}}, date = {2019-02-27}, organization = {Akamai}, url = {https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html}, language = {English}, urldate = {2020-07-03} } Ramnit in the UK
Ramnit
2018-08-05 — Check Point — Alexey Bukhteyev
@online{bukhteyev:20180805:ramnits:1268bad, author = {Alexey Bukhteyev}, title = {{Ramnit’s Network of Proxy Servers}}, date = {2018-08-05}, organization = {Check Point}, url = {https://research.checkpoint.com/ramnits-network-proxy-servers/}, language = {English}, urldate = {2020-01-09} } Ramnit’s Network of Proxy Servers
Ngioweb Ramnit
2018-02-22 — Vitali Kremez
@online{kremez:20180222:lets:6fd91bb, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into Ramnit Banker "VNC IFSB" Remote Control Module}}, date = {2018-02-22}, url = {http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html}, language = {English}, urldate = {2019-12-04} } Let's Learn: Deeper Dive into Ramnit Banker "VNC IFSB" Remote Control Module
Ramnit
2018-01-01 — nao_sec blog — nao_sec
@online{naosec:20180101:analyzing:0efde89, author = {nao_sec}, title = {{Analyzing Ramnit used in Seamless campaign}}, date = {2018-01-01}, organization = {nao_sec blog}, url = {http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html}, language = {English}, urldate = {2020-01-08} } Analyzing Ramnit used in Seamless campaign
Ramnit
2017-09-29 — CERT.PL — Michał Praszmo
@online{praszmo:20170929:ramnit:0ab2a9e, author = {Michał Praszmo}, title = {{Ramnit – in-depth analysis}}, date = {2017-09-29}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/}, language = {English}, urldate = {2020-01-13} } Ramnit – in-depth analysis
Ramnit
2017-08-23 — Malware Breakdown
@online{breakdown:20170823:seamless:3a2c794, author = {Malware Breakdown}, title = {{The Seamless Campaign Isn’t Losing Any Steam}}, date = {2017-08-23}, url = {https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/}, language = {English}, urldate = {2019-12-04} } The Seamless Campaign Isn’t Losing Any Steam
Ramnit
2015-02-24 — Symantec — Symantec Security Response
@techreport{response:20150224:w32ramnit:3a2fed3, author = {Symantec Security Response}, title = {{W32.Ramnit analysis}}, date = {2015-02-24}, institution = {Symantec}, url = {https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf}, language = {English}, urldate = {2019-12-17} } W32.Ramnit analysis
Ramnit
2012-01-12 — Contagio Dump — Mila Parkour
@online{parkour:20120112:blackhole:c99cf1f, author = {Mila Parkour}, title = {{Blackhole Ramnit - samples and analysis}}, date = {2012-01-12}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html}, language = {English}, urldate = {2019-12-20} } Blackhole Ramnit - samples and analysis
Ramnit
Yara Rules
[TLP:WHITE] win_ramnit_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_ramnit_auto {

    /* Code-sequence rule for win.ramnit, generated by yara-signator (see the
     * meta block and the DISCLAIMER below). Each $sequence_N is a run of x86
     * opcode bytes lifted from disassembly; the annotated "n" is the number of
     * instructions in the sequence and "score" is the generator's ranking of
     * it (the exact scoring semantics are not documented on this page).
     * "??" wildcards mask operand bytes that vary between builds (relative
     * call targets and absolute data references, matching the
     * "callsandjumps;datarefs" tool_config); such instructions are listed
     * without a disassembly line.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences 0-7 share the highest generator score (4200).
        $sequence_0 = { 7420 8945fc 6a00 ff750c ff75fc }
            // n = 5, score = 4200
            //   7420                 | je                  0x22
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   6a00                 | push                0
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_1 = { 894514 8b4d18 8b7d08 8b7510 3b7514 }
            // n = 5, score = 4200
            //   894514               | mov                 dword ptr [ebp + 0x14], eax
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   3b7514               | cmp                 esi, dword ptr [ebp + 0x14]

        $sequence_2 = { 771f 8945fc ff7514 ff7510 ff75fc e8???????? 83f801 }
            // n = 7, score = 4200
            //   771f                 | ja                  0x21
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   83f801               | cmp                 eax, 1

        $sequence_3 = { c9 c20c00 b800000000 59 5f 5e }
            // n = 6, score = 4200
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   b800000000           | mov                 eax, 0
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_4 = { 52 8b4508 8b5d0c 4b }
            // n = 4, score = 4200
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   4b                   | dec                 ebx

        $sequence_5 = { 47 46 e2f6 b801000000 59 }
            // n = 5, score = 4200
            //   47                   | inc                 edi
            //   46                   | inc                 esi
            //   e2f6                 | loop                0xfffffff8
            //   b801000000           | mov                 eax, 1
            //   59                   | pop                 ecx

        $sequence_6 = { 66bb0000 668918 8b45fc 5e }
            // n = 4, score = 4200
            //   66bb0000             | mov                 bx, 0
            //   668918               | mov                 word ptr [eax], bx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   5e                   | pop                 esi

        $sequence_7 = { 59 5a 5b c9 c20c00 55 }
            // n = 6, score = 4200
            //   59                   | pop                 ecx
            //   5a                   | pop                 edx
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   55                   | push                ebp

        // Sequences 8-15 carry lower generator scores (2300 down to 200); the
        // condition below weighs every sequence equally regardless of score.
        $sequence_8 = { eb02 33c0 5d c20400 55 8bec 83ec14 }
            // n = 7, score = 2300
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec14               | sub                 esp, 0x14

        $sequence_9 = { 8975e4 8975e8 ff15???????? 8bf8 }
            // n = 4, score = 400
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_10 = { ff7514 ff7510 ff750c ff7508 e8???????? 8945f4 }
            // n = 6, score = 400
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        $sequence_11 = { e8???????? 6aff ffb714060000 8945b8 ff15???????? }
            // n = 5, score = 200
            //   e8????????           |                     
            //   6aff                 | push                -1
            //   ffb714060000         | push                dword ptr [edi + 0x614]
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   ff15????????         |                     

        $sequence_12 = { 8b450c 8d0c58 8bc7 0faf4518 8d0441 8945f8 3bc8 }
            // n = 7, score = 200
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8d0c58               | lea                 ecx, [eax + ebx*2]
            //   8bc7                 | mov                 eax, edi
            //   0faf4518             | imul                eax, dword ptr [ebp + 0x18]
            //   8d0441               | lea                 eax, [ecx + eax*2]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   3bc8                 | cmp                 ecx, eax

        $sequence_13 = { 8b3d???????? 83c40c 56 ffd7 8b1d???????? }
            // n = 5, score = 200
            //   8b3d????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   8b1d????????         |                     

        $sequence_14 = { 49 750d ff7004 e8???????? }
            // n = 4, score = 200
            //   49                   | dec                 ecx
            //   750d                 | jne                 0xf
            //   ff7004               | push                dword ptr [eax + 4]
            //   e8????????           |                     

        $sequence_15 = { 3bc3 74e1 8b4e1c 8b571c }
            // n = 4, score = 200
            //   3bc3                 | cmp                 eax, ebx
            //   74e1                 | je                  0xffffffe3
            //   8b4e1c               | mov                 ecx, dword ptr [esi + 0x1c]
            //   8b571c               | mov                 edx, dword ptr [edi + 0x1c]

    condition:
        // 16 sequences are defined; any 7 of them plus a file size below
        // 470016 bytes triggers the rule. Larger files are excluded regardless
        // of how many sequences hit, which fits the unpacked / memory-dump
        // inputs described in the DISCLAIMER rather than packed carriers.
        7 of them and filesize < 470016
}
[TLP:WHITE] win_ramnit_w0 (20180226 | Detects Ramnit banking malware VNC module)
rule win_ramnit_w0 {
    /* String-based rule for the Ramnit VNC module described in the analysis
     * linked under `reference`. Every $sN is a literal status/debug message
     * found in the module; `fullword` requires the match to be delimited by
     * non-alphanumeric characters and `ascii` limits matching to the
     * single-byte encoding (no wide/UTF-16 variant is searched).
     */
    meta:
        author = "@VK_Intel"
        description = "Detects Ramnit banking malware VNC module"
        reference = "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html"
        // 64 hex digits, presumably the SHA-256 of the analysed sample -- confirm against the reference
        hash = "888b2c614567fb5b4474ddeeb453f8cd9f44d72efb325f7e3652fd0f748c08f1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit"
        malpedia_version = "20180226"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Format strings ("%u", "%x", "%p", "%s"/"%S") are matched literally,
        // i.e. as they appear in the binary, not as rendered log output.
        $s0 = "Failed mapping a section to the target process, status 0x%x" fullword ascii
        $s1 = "Unable to map the section into the target process, error %u" fullword ascii
        $s2 = "Unable to resolve target process import, error %u" fullword ascii
        $s3 = "No module found for the target process (%u) architecture" fullword ascii
        $s4 = "A section of %u bytes mapped to the target process at 0x%p" fullword ascii
        $s5 = "CreateProcessAsUserA %s->%s failed" fullword ascii
        $s6 = "Dep PsSupGetProcessModules, ModCount = %d " fullword ascii
        $s7 = "ActiveDll: PatchProcessMemory failed, error: %u" fullword ascii
        $s8 = "CreateProcessAsUserW %S->%S failed" fullword ascii
        $s9 = "AcInjectDll: GetOEP failed, error: %u" fullword ascii
        $s10 = "Shared section mapped at 0x%p. Starting within VNC session process." fullword ascii
        $s11 = "CreateToolhelp32Snapshot (of processes) failed err=%lu" fullword ascii
    condition:
        // All 12 strings are required: precise for the documented sample, but
        // a variant that drops or rewords a single message will not match.
        // A threshold (e.g. `8 of them`) trades some precision for coverage
        // if that matters more in your deployment.
        all of them
}