Trojan.Ramnit.AAA

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Ramnit.AAA
Signature status: No Signature

Known Samples

MD5: 2a524785d4865194b0f9d039710fc15d
SHA1: 73051c7be68907c19b3625b5e953e27cbf3411eb
SHA256: 2E5D80F99BF307EC4BA097905FE2CAF498EA03C0E9ED5478E11B551A3D14F42C
File Size: 753.68 KB, 753678 bytes
MD5: d22f7d3f1ae19648555eca52ab5f5d5f
SHA1: b4e360075dd737a8c7b8f1f21bc960ab7c51f0d8
SHA256: 315D44652EDFEA85499D09C559314B32EABE8FA386D16F85A33E0F1957C776C6
File Size: 529.42 KB, 529421 bytes
MD5: 92fc6a6228cb8a5974f8c120f6423ba9
SHA1: 20281d29af2fd7097fbd42c142ccf57e0fab8baf
SHA256: C943D4C47840C325C92B357277FDF1C7FD8B9237CF37E9E7A5EADEC13C3E54D5
File Size: 946.69 KB, 946693 bytes
MD5: be6ba990bbd75cafebf7602fc29e6c50
SHA1: 5598bd07174812b4f7807a9077e81b1b2eda811e
SHA256: 329EA88265F25051340B11B7424D00E9888CB9CB579DB301DA6325880114B759
File Size: 623.10 KB, 623104 bytes
MD5: 5a1b513dbf518bf23bc51bbbb819ad3f
SHA1: 9b899c3238ccb586c924368d5fbadc718e9b167e
SHA256: D36AD13927EB7AF9FE8A9EB109FDECFC207E9A5617220ECABC3D0FD40787A07D
File Size: 9.24 MB, 9242473 bytes
MD5: afbf3eccbf16fe92f6d6eb80c5d1380f
SHA1: 7c3aa21a36604dab86eb1a94aea8b8379aa195d1
SHA256: 369D7D8FEF4356D86F681A9BD9A5B69702CC38EEC02AB98BFF98CDA1462286BD
File Size: 1.85 MB, 1848203 bytes
MD5: f027b7336663280fc0f396394a5ea68b
SHA1: 0df41dcd4ee4e59b4d38d9da9dc7ea243493fc4f
SHA256: CD49A109FCC6F4A01E7FF38B6D7DC8D43BC29D550650235A63DD65226732E0D7
File Size: 8.73 MB, 8729511 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name
  • BCGSoft Ltd
  • CANON INC.
  • Cisco Systems, Inc.
  • NEXIQ Technologies
File Description
  • BCGControlBar Professional DLL
  • Cisco PEAP Module
  • IJ Printer Dependence File
  • USB-Link Drivers
File Version
  • 24, 2, 0, 0
  • 9.5.0.1
  • 1.05.2.10
  • 1, 1, 6, 0
Internal Name
  • BCGCBPro
  • Cisco PEAP Module
  • CNMCPxx.DLL
Legal Copyright
  • Copyright (c) 1998-2015 BCGSoft Ltd. All rights reserved
  • Copyright (C) 2006-2009
  • Copyright (c) 2015 IDSC Holdings LLC
  • Copyright CANON INC. 2017
Original Filename
  • BCGCBPro.DLL
  • CiscoEapPeap.dll
  • CNMCPxx.DLL
Product Name
  • BCGControlBar Professional Dynamic Link Library
  • Canon IJ Printer Assistant Tool
  • Cisco PEAP Module
Product Version
  • 24, 2, 0, 0
  • 1.05.2.10
  • 1, 1, 6, 0

File Traits

  • .adata
  • .aspack
  • 2+ executable sections
  • CryptUnprotectData
  • dll
  • HighEntropy
  • No Version Info
  • ntdll
  • Wise
  • x86

Block Information

Total Blocks: 24,559
Potentially Malicious Blocks: 24
Whitelisted Blocks: 19,495
Unknown Blocks: 5,040

Visual Map

[Visual Map: per-block classification grid rendered as an image on the original page; the block data is truncated in the source. Legend below.]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.MAC
  • Agent.MX
  • Banker.G
  • Banker.GF
  • ConvertAd.RA
  • DataStealer.A
  • DataStealer.B
  • Floxif.D
  • Injector.KPP
  • Malat.A
  • Quasar.U
  • Sqwire.AA
  • Swisyn.B
  • Wacapew.CB

Files Modified

  • \device\namedpipe\gmdasllogger
    Attributes: Generic Write, Read Attributes
  • c:\users\user\appdata\local\temp\glb1ab3.tmp
    Attributes: Generic Write, Read Attributes
  • c:\users\user\appdata\local\temp\glc1c59.tmp
    Attributes: Generic Read, Write Data, Write Attributes, Write Extended, Append Data
  • c:\users\user\downloads\cmgr.exe
    Attributes: Generic Write, Read Attributes
  • c:\users\user\gupd.exe
    Attributes: Generic Read, Write Data, Write Attributes, Write Extended, Append Data, Delete, LEFT 262144
  • c:\windows\syswow64\rundll32mgr.exe
    Attributes: Generic Write, Read Attributes
  • c:\windows\syswow64\temp\shsandbox-win32.dll-5.22.1.9999-x86.dmp
    Attributes: Generic Read, Write Data, Write Attributes, Write Extended, Append Data

Registry Modifications

  • Key: HKCU\software\microsoft\windows\currentversion\explorer\advanced
    Value: hidden
    API Name: RegNtPreCreateKey
  • Key: HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list
    Value: c:\users\user\downloads\5598bd07174812b4f7807a9077e81b1b2eda811e_0000623104
    Data: c:\users\user\downloads\5598bd07174812b4f7807a9077e81b1b2eda811e_0000623104:*:enabled:@shell32.dll,-1
    API Name: RegNtPreCreateKey
  • Key: HKCU\software\microsoft\windows\currentversion\run
    Value: gtalkupdate
    Data: C:\Users\Kkhfqgzv\gupd.exe
    API Name: RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWriteFile
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
User Data Access
  • GetUserObjectInformation
Network Wininet
  • InternetOpen
  • InternetOpenUrl

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\73051c7be68907c19b3625b5e953e27cbf3411eb_0000753678.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b4e360075dd737a8c7b8f1f21bc960ab7c51f0d8_0000529421.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\20281d29af2fd7097fbd42c142ccf57e0fab8baf_0000946693.,LiQMAxHB
C:\Users\Uikvmcqb\AppData\Local\Temp\GLB1AB3.tmp C:\Users\Uikvmcqb\AppData\Local\Temp\GLB1AB3.tmp 4736 c:\users\user\DOWNLO~1\9B899C~1
cmgr.exe
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0df41dcd4ee4e59b4d38d9da9dc7ea243493fc4f_0008729511.,LiQMAxHB
