SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ramnit (Back to overview)

Ramnit

aka: Nimnul
URLhaus    

According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.

Ramnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.

References
2022-08-18IBMCharlotte Hammond, Ole Villadsen
@online{hammond:20220818:from:501e8ac, author = {Charlotte Hammond and Ole Villadsen}, title = {{From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers}}, date = {2022-08-18}, organization = {IBM}, url = {https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest}, language = {English}, urldate = {2022-08-28} } From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak
2022-07-12Artik BlueArtik Blue
@online{blue:20220712:malware:744a58a, author = {Artik Blue}, title = {{Malware analysis with IDA/Radare2 - Multiple unpacking (Ramnit worm)}}, date = {2022-07-12}, organization = {Artik Blue}, url = {https://artik.blue/malware4}, language = {English}, urldate = {2022-07-15} } Malware analysis with IDA/Radare2 - Multiple unpacking (Ramnit worm)
Ramnit
2022-01-31IBMLimor Kessem, Itzik Chimino
@online{kessem:20220131:topranking:4f697c1, author = {Limor Kessem and Itzik Chimino}, title = {{Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data}}, date = {2022-01-31}, organization = {IBM}, url = {https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/}, language = {English}, urldate = {2022-02-02} } Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data
Ramnit
2022-01-12muha2xmadMuhammad Hasan Ali
@online{ali:20220112:unpacking:035e302, author = {Muhammad Hasan Ali}, title = {{Unpacking Ramnit malware}}, date = {2022-01-12}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/ramnit/}, language = {English}, urldate = {2022-01-25} } Unpacking Ramnit malware
Ramnit
2021-10-27MandiantKen Proska, Corey Hildebrandt, Daniel Kapellmann Zafra, Nathan Brubaker
@online{proska:20211027:portable:437b9c1, author = {Ken Proska and Corey Hildebrandt and Daniel Kapellmann Zafra and Nathan Brubaker}, title = {{Portable Executable File Infecting Malware Is Increasingly Found in OT Networks}}, date = {2021-10-27}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/pe-file-infecting-malware-ot}, language = {English}, urldate = {2021-11-08} } Portable Executable File Infecting Malware Is Increasingly Found in OT Networks
CCleaner Backdoor Floxif neshta Ramnit Sality Virut
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2021-02-24IBMIBM SECURITY X-FORCE
@online{xforce:20210224:xforce:ac9a90e, author = {IBM SECURITY X-FORCE}, title = {{X-Force Threat Intelligence Index 2021}}, date = {2021-02-24}, organization = {IBM}, url = {https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89}, language = {English}, urldate = {2021-03-02} } X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot
2021SecureworksSecureWorks
@online{secureworks:2021:threat:197feaf, author = {SecureWorks}, title = {{Threat Profile: GOLD FAIRFAX}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-fairfax}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD FAIRFAX
Ramnit GOLD FAIRFAX
2020-12-29Youtube (Guided Hacking)Guided Hacking
@online{hacking:20201229:how:401dbfb, author = {Guided Hacking}, title = {{How to Unpack Ramnit Dropper - Malware Unpacking Tutorial 2}}, date = {2020-12-29}, organization = {Youtube (Guided Hacking)}, url = {https://www.youtube.com/watch?v=l6ZunH6YG0A}, language = {English}, urldate = {2021-01-11} } How to Unpack Ramnit Dropper - Malware Unpacking Tutorial 2
Ramnit
2020-10-26CheckpointItay Cohen, Eyal Itkin
@online{cohen:20201026:exploit:9ec173c, author = {Itay Cohen and Eyal Itkin}, title = {{Exploit Developer Spotlight: The Story of PlayBit}}, date = {2020-10-26}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/}, language = {English}, urldate = {2020-10-27} } Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-06-17Youtube (Red Canary)Erika Noerenberg, Matt Graeber, Adam Pennington, David Kaplan
@online{noerenberg:20200617:attck:934d73c, author = {Erika Noerenberg and Matt Graeber and Adam Pennington and David Kaplan}, title = {{ATT&CK® Deep Dive: Process Injection}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://redcanary.com/resources/webinars/deep-dive-process-injection/}, language = {English}, urldate = {2020-06-19} } ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-01-10CSISCSIS
@techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2019-05-31Youtube (0verfl0w_)0verfl0w_
@online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit
2019-02-27AkamaiAsaf Nadler
@online{nadler:20190227:ramnit:e00b14d, author = {Asaf Nadler}, title = {{Ramnit in the UK}}, date = {2019-02-27}, organization = {Akamai}, url = {https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html}, language = {English}, urldate = {2020-07-03} } Ramnit in the UK
Ramnit
2018-08-05Check PointAlexey Bukhteyev
@online{bukhteyev:20180805:ramnits:1268bad, author = {Alexey Bukhteyev}, title = {{Ramnit’s Network of Proxy Servers}}, date = {2018-08-05}, organization = {Check Point}, url = {https://research.checkpoint.com/ramnits-network-proxy-servers/}, language = {English}, urldate = {2020-01-09} } Ramnit’s Network of Proxy Servers
Ngioweb Ramnit
2018-02-22Vitali Kremez
@online{kremez:20180222:lets:6fd91bb, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into Ramnit Banker "VNC IFSB" Remote Control Module}}, date = {2018-02-22}, url = {http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html}, language = {English}, urldate = {2019-12-04} } Let's Learn: Deeper Dive into Ramnit Banker "VNC IFSB" Remote Control Module
Ramnit
2018-01-01nao_sec blognao_sec
@online{naosec:20180101:analyzing:0efde89, author = {nao_sec}, title = {{Analyzing Ramnit used in Seamless campaign}}, date = {2018-01-01}, organization = {nao_sec blog}, url = {http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html}, language = {English}, urldate = {2020-01-08} } Analyzing Ramnit used in Seamless campaign
Ramnit
2017-09-29CERT.PLMichał Praszmo
@online{praszmo:20170929:ramnit:0ab2a9e, author = {Michał Praszmo}, title = {{Ramnit – in-depth analysis}}, date = {2017-09-29}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/}, language = {English}, urldate = {2020-01-13} } Ramnit – in-depth analysis
Ramnit
2017-08-23Malware Breakdown
@online{breakdown:20170823:seamless:3a2c794, author = {Malware Breakdown}, title = {{The Seamless Campaign Isn’t Losing Any Steam}}, date = {2017-08-23}, url = {https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/}, language = {English}, urldate = {2019-12-04} } The Seamless Campaign Isn’t Losing Any Steam
Ramnit
2017-05IEEELorenzo De Carli, Ruben Torres, Gaspar Modelo-Howard, Alok Tongaonkar, Somesh Jha
@online{carli:201705:botnet:18f6b9a, author = {Lorenzo De Carli and Ruben Torres and Gaspar Modelo-Howard and Alok Tongaonkar and Somesh Jha}, title = {{Botnet Protocol Inference in the Presence of Encrypted Traffic}}, date = {2017-05}, organization = {IEEE}, url = {https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail}, language = {English}, urldate = {2021-10-11} } Botnet Protocol Inference in the Presence of Encrypted Traffic
Ramnit Sality ZeroAccess
2015-02-24SymantecSymantec Security Response
@techreport{response:20150224:w32ramnit:3a2fed3, author = {Symantec Security Response}, title = {{W32.Ramnit analysis}}, date = {2015-02-24}, institution = {Symantec}, url = {https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf}, language = {English}, urldate = {2019-12-17} } W32.Ramnit analysis
Ramnit
2012-01-12Contagio DumpMila Parkour
@online{parkour:20120112:blackhole:c99cf1f, author = {Mila Parkour}, title = {{Blackhole Ramnit - samples and analysis}}, date = {2012-01-12}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html}, language = {English}, urldate = {2019-12-20} } Blackhole Ramnit - samples and analysis
Ramnit
Yara Rules
[TLP:WHITE] win_ramnit_auto (20230125 | Detects win.ramnit.)
rule win_ramnit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.ramnit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8945fc ff7508 e8???????? ff75fc ff7508 e8???????? }
            // n = 6, score = 4000
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_1 = { e8???????? 8b45fc 8b16 83c204 5e 5f 59 }
            // n = 7, score = 4000
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   83c204               | add                 edx, 4
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   59                   | pop                 ecx

        $sequence_2 = { 5e 8a9c0501ffffff 881f 8ac3 50 52 ff7518 }
            // n = 7, score = 4000
            //   5e                   | pop                 esi
            //   8a9c0501ffffff       | mov                 bl, byte ptr [ebp + eax - 0xff]
            //   881f                 | mov                 byte ptr [edi], bl
            //   8ac3                 | mov                 al, bl
            //   50                   | push                eax
            //   52                   | push                edx
            //   ff7518               | push                dword ptr [ebp + 0x18]

        $sequence_3 = { 8a9c0501ffffff 881f 8ac3 50 52 ff7518 }
            // n = 6, score = 4000
            //   8a9c0501ffffff       | mov                 bl, byte ptr [ebp + eax - 0xff]
            //   881f                 | mov                 byte ptr [edi], bl
            //   8ac3                 | mov                 al, bl
            //   50                   | push                eax
            //   52                   | push                edx
            //   ff7518               | push                dword ptr [ebp + 0x18]

        $sequence_4 = { 8a06 50 e8???????? 38d8 751a 47 46 }
            // n = 7, score = 4000
            //   8a06                 | mov                 al, byte ptr [esi]
            //   50                   | push                eax
            //   e8????????           |                     
            //   38d8                 | cmp                 al, bl
            //   751a                 | jne                 0x1c
            //   47                   | inc                 edi
            //   46                   | inc                 esi

        $sequence_5 = { 5e 5f 59 5a }
            // n = 4, score = 4000
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   59                   | pop                 ecx
            //   5a                   | pop                 edx

        $sequence_6 = { 8b36 8906 eb14 837d1400 740e }
            // n = 5, score = 4000
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   8906                 | mov                 dword ptr [esi], eax
            //   eb14                 | jmp                 0x16
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0
            //   740e                 | je                  0x10

        $sequence_7 = { b02d 8807 47 6a0a 57 e8???????? 83c70a }
            // n = 7, score = 4000
            //   b02d                 | mov                 al, 0x2d
            //   8807                 | mov                 byte ptr [edi], al
            //   47                   | inc                 edi
            //   6a0a                 | push                0xa
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c70a               | add                 edi, 0xa

        $sequence_8 = { c9 c20800 55 8bec 52 53 8b5508 }
            // n = 7, score = 4000
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   52                   | push                edx
            //   53                   | push                ebx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_9 = { 6a08 ff35???????? e8???????? 83f800 743e }
            // n = 5, score = 4000
            //   6a08                 | push                8
            //   ff35????????         |                     
            //   e8????????           |                     
            //   83f800               | cmp                 eax, 0
            //   743e                 | je                  0x40

    condition:
        7 of them and filesize < 470016
}
[TLP:WHITE] win_ramnit_w0   (20180226 | Detects Ramnit banking malware VNC module)
rule win_ramnit_w0 {
    meta:
        author = "@VK_Intel"
        description = "Detects Ramnit banking malware VNC module"
        reference = "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html"
        hash = "888b2c614567fb5b4474ddeeb453f8cd9f44d72efb325f7e3652fd0f748c08f1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit"
        malpedia_version = "20180226"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "Failed mapping a section to the target process, status 0x%x" fullword ascii
        $s1 = "Unable to map the section into the target process, error %u" fullword ascii
        $s2 = "Unable to resolve target process import, error %u" fullword ascii
        $s3 = "No module found for the target process (%u) architecture" fullword ascii
        $s4 = "A section of %u bytes mapped to the target process at 0x%p" fullword ascii
        $s5 = "CreateProcessAsUserA %s->%s failed" fullword ascii
        $s6 = "Dep PsSupGetProcessModules, ModCount = %d " fullword ascii
        $s7 = "ActiveDll: PatchProcessMemory failed, error: %u" fullword ascii
        $s8 = "CreateProcessAsUserW %S->%S failed" fullword ascii
        $s9 = "AcInjectDll: GetOEP failed, error: %u" fullword ascii
        $s10 = "Shared section mapped at 0x%p. Starting within VNC session process." fullword ascii
        $s11 = "CreateToolhelp32Snapshot (of processes) failed err=%lu" fullword ascii
    condition:
        all of them
}
Download all Yara Rules