SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ramnit (Back to overview)

Ramnit

aka: Nimnul
VTCollection     URLhaus    

According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.

Ramnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.

References
2022-08-18IBMCharlotte Hammond, Ole Villadsen
From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak
2022-07-12Artik BlueArtik Blue
Malware analysis with IDA/Radare2 - Multiple unpacking (Ramnit worm)
Ramnit
2022-01-31IBMItzik Chimino, Limor Kessem
Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data
Ramnit
2022-01-12muha2xmadMuhammad Hasan Ali
Unpacking Ramnit malware
Ramnit
2021-10-27MandiantCorey Hildebrandt, Daniel Kapellmann Zafra, Ken Proska, Nathan Brubaker
Portable Executable File Infecting Malware Is Increasingly Found in OT Networks
CCleaner Backdoor Floxif neshta Ramnit Sality Virut
2021-03-31KasperskyKaspersky
Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2021-02-24IBMIBM SECURITY X-FORCE
X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot
2021-01-01SecureworksSecureWorks
Threat Profile: GOLD FAIRFAX
Ramnit GOLD FAIRFAX
2020-12-29Youtube (Guided Hacking)Guided Hacking
How to Unpack Ramnit Dropper - Malware Unpacking Tutorial 2
Ramnit
2020-10-26CheckpointEyal Itkin, Itay Cohen
Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil
2020-08-09F5 LabsDebbie Walkowski, Remi Cohen
Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-06-17Youtube (Red Canary)Adam Pennington, David Kaplan, Erika Noerenberg, Matt Graeber
ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-01-10CSISCSIS
Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2019-05-31Youtube (0verfl0w_)0verfl0w_
Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit
2019-02-27AkamaiAsaf Nadler
Ramnit in the UK
Ramnit
2018-08-05Check PointAlexey Bukhteyev
Ramnit’s Network of Proxy Servers
Ngioweb Ramnit
2018-02-22Vitali Kremez
Let's Learn: Deeper Dive into Ramnit Banker "VNC IFSB" Remote Control Module
Ramnit
2018-01-01nao_sec blognao_sec
Analyzing Ramnit used in Seamless campaign
Ramnit
2017-09-29CERT.PLMichał Praszmo
Ramnit – in-depth analysis
Ramnit
2017-08-23Malware Breakdown
The Seamless Campaign Isn’t Losing Any Steam
Ramnit
2017-05-03IEEEAlok Tongaonkar, Gaspar Modelo-Howard, Lorenzo De Carli, Ruben Torres, Somesh Jha
Botnet Protocol Inference in the Presence of Encrypted Traffic
Ramnit Sality ZeroAccess
2015-02-24SymantecSymantec Security Response
W32.Ramnit analysis
Ramnit
2014-12-21bin.reJohannes Bader
The DGA of Ramnit
Ramnit
2012-01-12Contagio DumpMila Parkour
Blackhole Ramnit - samples and analysis
Ramnit
Yara Rules
[TLP:WHITE] win_ramnit_auto (20230808 | Detects win.ramnit.)
rule win_ramnit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.ramnit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3a06 7512 47 46 e2f6 b801000000 59 }
            // n = 7, score = 4000
            //   3a06                 | cmp                 al, byte ptr [esi]
            //   7512                 | jne                 0x14
            //   47                   | inc                 edi
            //   46                   | inc                 esi
            //   e2f6                 | loop                0xfffffff8
            //   b801000000           | mov                 eax, 1
            //   59                   | pop                 ecx

        $sequence_1 = { 750b 4f 3b7d08 73e7 bf00000000 }
            // n = 5, score = 4000
            //   750b                 | jne                 0xd
            //   4f                   | dec                 edi
            //   3b7d08               | cmp                 edi, dword ptr [ebp + 8]
            //   73e7                 | jae                 0xffffffe9
            //   bf00000000           | mov                 edi, 0

        $sequence_2 = { 57 56 fc 807d1401 }
            // n = 4, score = 4000
            //   57                   | push                edi
            //   56                   | push                esi
            //   fc                   | cld                 
            //   807d1401             | cmp                 byte ptr [ebp + 0x14], 1

        $sequence_3 = { 5f 59 5a 5b c9 c20800 55 }
            // n = 7, score = 4000
            //   5f                   | pop                 edi
            //   59                   | pop                 ecx
            //   5a                   | pop                 edx
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   55                   | push                ebp

        $sequence_4 = { ff750c ff75fc e8???????? 0bc0 7429 }
            // n = 5, score = 4000
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   0bc0                 | or                  eax, eax
            //   7429                 | je                  0x2b

        $sequence_5 = { 8bc7 5a 5b 59 5f }
            // n = 5, score = 4000
            //   8bc7                 | mov                 eax, edi
            //   5a                   | pop                 edx
            //   5b                   | pop                 ebx
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi

        $sequence_6 = { 8bc1 f7d0 48 59 5f 5e }
            // n = 6, score = 4000
            //   8bc1                 | mov                 eax, ecx
            //   f7d0                 | not                 eax
            //   48                   | dec                 eax
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_7 = { f3a4 fc 5e 5f 59 5a }
            // n = 6, score = 4000
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   fc                   | cld                 
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   59                   | pop                 ecx
            //   5a                   | pop                 edx

        $sequence_8 = { 8bd7 2b5508 59 5f 5e }
            // n = 5, score = 4000
            //   8bd7                 | mov                 edx, edi
            //   2b5508               | sub                 edx, dword ptr [ebp + 8]
            //   59                   | pop                 ecx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_9 = { 8b5d0c 4b f7d3 23c3 }
            // n = 4, score = 4000
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   4b                   | dec                 ebx
            //   f7d3                 | not                 ebx
            //   23c3                 | and                 eax, ebx

    condition:
        7 of them and filesize < 470016
}
[TLP:WHITE] win_ramnit_w0   (20180226 | Detects Ramnit banking malware VNC module)
rule win_ramnit_w0 {
    meta:
        author = "@VK_Intel"
        description = "Detects Ramnit banking malware VNC module"
        reference = "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html"
        hash = "888b2c614567fb5b4474ddeeb453f8cd9f44d72efb325f7e3652fd0f748c08f1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit"
        malpedia_version = "20180226"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "Failed mapping a section to the target process, status 0x%x" fullword ascii
        $s1 = "Unable to map the section into the target process, error %u" fullword ascii
        $s2 = "Unable to resolve target process import, error %u" fullword ascii
        $s3 = "No module found for the target process (%u) architecture" fullword ascii
        $s4 = "A section of %u bytes mapped to the target process at 0x%p" fullword ascii
        $s5 = "CreateProcessAsUserA %s->%s failed" fullword ascii
        $s6 = "Dep PsSupGetProcessModules, ModCount = %d " fullword ascii
        $s7 = "ActiveDll: PatchProcessMemory failed, error: %u" fullword ascii
        $s8 = "CreateProcessAsUserW %S->%S failed" fullword ascii
        $s9 = "AcInjectDll: GetOEP failed, error: %u" fullword ascii
        $s10 = "Shared section mapped at 0x%p. Starting within VNC session process." fullword ascii
        $s11 = "CreateToolhelp32Snapshot (of processes) failed err=%lu" fullword ascii
    condition:
        all of them
}
Download all Yara Rules