Ramnit (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.ramnit (Back to overview)

Ramnit

aka: Nimnul

VTCollection URLhaus

According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.

Ramnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.

References

2022-08-18 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen
From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak

2022-07-12 ⋅ Artik Blue ⋅ Artik Blue
Malware analysis with IDA/Radare2 - Multiple unpacking (Ramnit worm)
Ramnit

2022-01-31 ⋅ IBM ⋅ Itzik Chimino, Limor Kessem
Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data
Ramnit

2022-01-12 ⋅ muha2xmad ⋅ Muhammad Hasan Ali
Unpacking Ramnit malware
Ramnit

2021-10-27 ⋅ Mandiant ⋅ Corey Hildebrandt, Daniel Kapellmann Zafra, Ken Proska, Nathan Brubaker
Portable Executable File Infecting Malware Is Increasingly Found in OT Networks
CCleaner Backdoor Floxif neshta Ramnit Sality Virut

2021-03-31 ⋅ Kaspersky ⋅ Kaspersky
Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus

2021-02-24 ⋅ IBM ⋅ IBM SECURITY X-FORCE
X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot

2021-01-01 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD FAIRFAX
Ramnit GOLD FAIRFAX

2020-12-29 ⋅ Youtube (Guided Hacking) ⋅ Guided Hacking
How to Unpack Ramnit Dropper - Malware Unpacking Tutorial 2
Ramnit

2020-10-26 ⋅ Checkpoint ⋅ Eyal Itkin, Itay Cohen
Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil

2020-08-09 ⋅ F5 Labs ⋅ Debbie Walkowski, Remi Cohen
Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus

2020-06-17 ⋅ Youtube (Red Canary) ⋅ Adam Pennington, David Kaplan, Erika Noerenberg, Matt Graeber
ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle

2020-01-10 ⋅ CSIS ⋅ CSIS
Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot

2019-05-31 ⋅ Youtube (0verfl0w_) ⋅ 0verfl0w_
Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit

2019-02-27 ⋅ Akamai ⋅ Asaf Nadler
Ramnit in the UK
Ramnit

2018-08-05 ⋅ Check Point ⋅ Alexey Bukhteyev
Ramnit’s Network of Proxy Servers
Ngioweb Ramnit

2018-02-22 ⋅ Vitali Kremez
Let's Learn: Deeper Dive into Ramnit Banker "VNC IFSB" Remote Control Module
Ramnit

2018-01-01 ⋅ nao_sec blog ⋅ nao_sec
Analyzing Ramnit used in Seamless campaign
Ramnit

2017-09-29 ⋅ CERT.PL ⋅ Michał Praszmo
Ramnit – in-depth analysis
Ramnit

2017-08-23 ⋅ Malware Breakdown
The Seamless Campaign Isn’t Losing Any Steam
Ramnit

2017-05-03 ⋅ IEEE ⋅ Alok Tongaonkar, Gaspar Modelo-Howard, Lorenzo De Carli, Ruben Torres, Somesh Jha
Botnet Protocol Inference in the Presence of Encrypted Traffic
Ramnit Sality ZeroAccess

2015-02-24 ⋅ Symantec ⋅ Symantec Security Response
W32.Ramnit analysis
Ramnit

2014-12-21 ⋅ bin.re ⋅ Johannes Bader
The DGA of Ramnit
Ramnit

2012-01-12 ⋅ Contagio Dump ⋅ Mila Parkour
Blackhole Ramnit - samples and analysis
Ramnit

Yara Rules

[TLP:WHITE] win_ramnit_auto (20251219 | Detects win.ramnit.)

rule win_ramnit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.ramnit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b7d08 b000 f2ae 8bc1 }
            // n = 4, score = 4000
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   b000                 | mov                 al, 0
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   8bc1                 | mov                 eax, ecx

        $sequence_1 = { 5f 59 5a 5b c9 c20800 55 }
            // n = 7, score = 4000
            //   5f                   | pop                 edi
            //   59                   | pop                 ecx
            //   5a                   | pop                 edx
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   55                   | push                ebp

        $sequence_2 = { fd 8b4d10 8b7d0c 8b7508 f3a4 }
            // n = 5, score = 4000
            //   fd                   | std                 
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]

        $sequence_3 = { 3a4510 7407 b800000000 eb02 8bc7 5a }
            // n = 6, score = 4000
            //   3a4510               | cmp                 al, byte ptr [ebp + 0x10]
            //   7407                 | je                  9
            //   b800000000           | mov                 eax, 0
            //   eb02                 | jmp                 4
            //   8bc7                 | mov                 eax, edi
            //   5a                   | pop                 edx

        $sequence_4 = { ba00000000 59 5f 5e 5b c9 }
            // n = 6, score = 4000
            //   ba00000000           | mov                 edx, 0
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               

        $sequence_5 = { ff7514 ff7510 e8???????? 83f800 750b 4f 3b7d08 }
            // n = 7, score = 4000
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   e8????????           |                     
            //   83f800               | cmp                 eax, 0
            //   750b                 | jne                 0xd
            //   4f                   | dec                 edi
            //   3b7d08               | cmp                 edi, dword ptr [ebp + 8]

        $sequence_6 = { fc 8b4d0c 8b7d08 b000 f3aa }
            // n = 5, score = 4000
            //   fc                   | cld                 
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   b000                 | mov                 al, 0
            //   f3aa                 | rep stosb           byte ptr es:[edi], al

        $sequence_7 = { 52 8b4508 8b5d0c 4b 23d8 83fb00 740e }
            // n = 7, score = 4000
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   4b                   | dec                 ebx
            //   23d8                 | and                 ebx, eax
            //   83fb00               | cmp                 ebx, 0
            //   740e                 | je                  0x10

        $sequence_8 = { 8bf8 037d14 3b7df8 771f 8945fc ff7514 ff7510 }
            // n = 7, score = 4000
            //   8bf8                 | mov                 edi, eax
            //   037d14               | add                 edi, dword ptr [ebp + 0x14]
            //   3b7df8               | cmp                 edi, dword ptr [ebp - 8]
            //   771f                 | ja                  0x21
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]

        $sequence_9 = { 8bec 83c4f8 56 57 51 53 52 }
            // n = 7, score = 4000
            //   8bec                 | mov                 ebp, esp
            //   83c4f8               | add                 esp, -8
            //   56                   | push                esi
            //   57                   | push                edi
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   52                   | push                edx

    condition:
        7 of them and filesize < 470016
}

[TLP:WHITE] win_ramnit_w0 (20180226 | Detects Ramnit banking malware VNC module)

rule win_ramnit_w0 {
    meta:
        author = "@VK_Intel"
        description = "Detects Ramnit banking malware VNC module"
        reference = "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html"
        hash = "888b2c614567fb5b4474ddeeb453f8cd9f44d72efb325f7e3652fd0f748c08f1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit"
        malpedia_version = "20180226"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "Failed mapping a section to the target process, status 0x%x" fullword ascii
        $s1 = "Unable to map the section into the target process, error %u" fullword ascii
        $s2 = "Unable to resolve target process import, error %u" fullword ascii
        $s3 = "No module found for the target process (%u) architecture" fullword ascii
        $s4 = "A section of %u bytes mapped to the target process at 0x%p" fullword ascii
        $s5 = "CreateProcessAsUserA %s->%s failed" fullword ascii
        $s6 = "Dep PsSupGetProcessModules, ModCount = %d " fullword ascii
        $s7 = "ActiveDll: PatchProcessMemory failed, error: %u" fullword ascii
        $s8 = "CreateProcessAsUserW %S->%S failed" fullword ascii
        $s9 = "AcInjectDll: GetOEP failed, error: %u" fullword ascii
        $s10 = "Shared section mapped at 0x%p. Starting within VNC session process." fullword ascii
        $s11 = "CreateToolhelp32Snapshot (of processes) failed err=%lu" fullword ascii
    condition:
        all of them
}

Download all Yara Rules

Ramnit Propose Change

References

Yara Rules

Ramnit