Worm.Ramnit

By CagedTech in Worms

Threat Scorecard

Threat Level:	50 % (Medium)
Infected Computers:	65

First Seen:	November 12, 2010
Last Seen:	April 28, 2022
OS(es) Affected:	Windows

Table of Contents

File System Details

Worm.Ramnit may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	$R1PTAK7.exe	ce99b549382dbfc4f41efe99b5dbcd54	29
Name: $R1PTAK7.exe MD5: ce99b549382dbfc4f41efe99b5dbcd54 Size: 53.76 KB (53760 bytes) Detections: 29 Type: Executable File Path: J:\$Recycle.Bin\S-1-5-21-4280012986-1309315051-253067505-1000\$R1PTAK7.exe Group: Malware file Last Updated: February 23, 2023
2.	rundll32srv.exe	e79f2388f25b81d3544c861fb99acd23	2
Name: rundll32srv.exe MD5: e79f2388f25b81d3544c861fb99acd23 Size: 69.63 KB (69632 bytes) Detections: 2 Type: Executable File Path: %WINDIR%\system32 Group: Malware file Last Updated: November 12, 2010
3.	desktoplayer.exe	fbf3d2e793ee27f19e15b791ee867c62	1
Name: desktoplayer.exe MD5: fbf3d2e793ee27f19e15b791ee867c62 Size: 41.98 KB (41984 bytes) Detections: 1 Type: Executable File Path: %PROGRAMFILES%\microsoft Group: Malware file Last Updated: November 12, 2010

More files

Analysis Report

General information

Family Name:	Virus.Ramnit
Signature status:	No Signature

Known Samples

MD5: f305e5a2ff175bf983884368839116fa

SHA1: e36ec4af9138c68e6476550bbbec5d48ab1aed62

File Size: 3.35 MB, 3348992 bytes

MD5: 742e7d98a7f49e08628df00aef522641

SHA1: d8231479b45354fd1fb2493a3191c9cde37eeb1e

File Size: 94.72 KB, 94720 bytes

MD5: bb5f75fdde57f5829a402e184bfaf5c9

SHA1: cbb3468b047cdd428e973f39d04907c6e6cd22d6

SHA256: CC7CBFE42D5D1D8AB5F677BAEEB2E70B672B06A01D78FB0D76F2147B879202B4

File Size: 908.80 KB, 908800 bytes

MD5: c5bf3a8e7d5d659dd863af243f8e0028

SHA1: 563ec51c5d0eb06f04296b4ffd97de6968c8a286

SHA256: DB2FF4A37B3B5BC0B0B916B53D4CC74489A24D8F356D738307D4669005472003

File Size: 128.51 KB, 128512 bytes

MD5: bbd7303565715bd5a70aca166e5d1008

SHA1: 85274b3a3f2b4c1dd9bd08d3e525c264554f9df0

SHA256: 29B80D0D1B16D71BDE0BCBF992CB9E8841B7C14B6AA523B4E39521F74D2C470D

File Size: 8.91 MB, 8906131 bytes

MD5: 23f4ea05999cef1b072cd29d3f7b2985

SHA1: c2c1196513d90e862de8c658349e197ed55ba71f

SHA256: 0F0064777BF29B845B22816D96A73D34E5E565E463E2676AA279D33F305787C7

File Size: 419.84 KB, 419840 bytes

MD5: 15fad0087fa950670d11ad23ea286c5f

SHA1: caba7f5c2d46d5b1a6f3cbb3e1c10e9bae7ef8b1

SHA256: 7B6386448B0DE1196DBDBB9C1444458302D4B5654AE96D99303D1FABBF2457A2

File Size: 3.55 MB, 3547136 bytes

MD5: 47774d335319a79a5062f8f8105c13ab

SHA1: e2d5b432e6634e84c289534ff0e529dbac5e06a4

SHA256: 4F239DC9D2F5AA842B3D24DE939A17D64F09B71084A68E3D3E3B7A630DF152B6

File Size: 167.94 KB, 167936 bytes

MD5: 1a6da5e5f2c5a31c016f965f5d4a3646

SHA1: 50623038165328fa063e5792efc036cd043c8061

SHA256: 61BC845F599F5BB0A6636AB8FA8C41FE68BA4104AA79325715834DD9DB2F881D

File Size: 2.40 MB, 2400104 bytes

MD5: ed7083abd0308bc8fe598094d34692c1

SHA1: 00c8ff728d2290e9378a6d61bdabb4f134abb087

SHA256: C377AF25CD6FF1EDD2191F3E54EE3A15F87B8BB3F9FC7E20DDD1C4F5D7B43443

File Size: 2.38 MB, 2380631 bytes

MD5: a54cc533634f5c11a5482dcd111afd49

SHA1: 94d05772a2f011cc9376ed5886b0d4ff04bd57c0

SHA256: 8D6CF93E7082F1B3B1739FC584131B96058B537BB66D03C58BCBF1C5C6A52610

File Size: 6.58 MB, 6578176 bytes

MD5: 833ecba7a10684d834f651affc86ae67

SHA1: 4981f7ff076e61f1f04c4bb2e5754333721dc154

SHA256: 4492762BD38EA5399E5FA4C7EB232996A41EC6D0BD51A5A189515E5B45F140A8

File Size: 2.21 MB, 2211328 bytes

MD5: cf99fdafe133a55641aca8ccd84b3b8b

SHA1: 82927e5a6116fd826eb80d14a29cd0b81a24f8f5

SHA256: 5133802B8898F9F05F28DE8D3A687CF9D2440F6FF0B45B5413DB7ACD2C8427D7

File Size: 507.90 KB, 507904 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have resources
File doesn't have security information
File has been packed
File has exports table
File has TLS information
File is 32-bit executable

File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Comments	Created with AutoPlay Media Studio Elder Scrolls 3 GUI Version
Company Name	Bethesda Softworks CANON INC. FTDI Ltd. Hewlett-Packard Company Inprise Corporation Microsoft Corporation SOFTWIN S The OpenSSL Project, https://www.openssl.org/
File Description	AutoPlay Application BitDefen Canon IJ Printer Assistant Tool Dynamic Link Run Time Library (VCL MT) Español by rade FTBUSUI Property Page Provider Morrowind Launcher OpenSSL library Windows Easy Transfer
File Version	106.42.73 8.5.0.0 6.2.9200.16384 (win8_rtm.120725-1247) 4.50.0000 2, 0, 6, 0 1.1.1d 1.05.2.10 1.0.0.5 1, 0, 0, 1
Internal Name	ams_runtime CNMPAUI.DLL FTBUSUI.dll HPUSBFW libcrypto Morrowind Launcher Run Time Library wet.dll фжзрюкшэщ
Legal Copyright	2528-6 Copyright 1998-2019 The OpenSSL Authors. All rights reserved. Copyright CANON INC. 2017 Copyright Inprise Corporation 1994,1999 Copyright © 2001 Copyright © 2003-2004 Hewlett-Packard Development Company, L.P. All rights reserved. Copyright © 2006 FTDI Ltd. Runtime Engine Copyright © 2015 Indigo Rose Corporation (www.indigorose.com) © Microsoft Corporation. All rights reserved.
Legal Trademarks	AutoPlay Media Studio is a Trademark of Indigo Rose Corporation
Original Filename	ams_runtime.exe CNMPAUI.DLL FTBUSUI.dll HPUSBFW.exe libcrypto Morrowind Launcher nedwp wet.dll
Private Build	Jan 21, 2004 Build 006
Product Name	AutoPlay Media Studio Runtime Bethesda Softworks Morrowind Launcher Borland C++ Builder 4.0 Canon IJ Printer Assistant Tool FTDIChip CDM Drivers HP USB Disk Storage Format Tool Microsoft® Windows® Operating System The OpenSSL Toolkit люзанх
Product Version	106.4 8.5.0.0 6.2.9200.16384 4.5 2.00.00.1 2, 0, 6, 0 1.1.1d 1.05.2.10 1, 0, 0, 1

File Traits

2+ executable sections
AMS
dll
HighEntropy
imgui
No Version Info
ntdll
packed
PEC2
x86

Block Information

Total Blocks:	159
Potentially Malicious Blocks:	1
Whitelisted Blocks:	151
Unknown Blocks:	7

Visual Map

x ? ? ? ? 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 ? ? ?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

Rugmi.RC
ZBot.NA
ZBot.NB
Zbot.N

Files Modified

File	Attributes
\device\harddisk0\dr0	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\gmdasllogger	Generic Write,Read Attributes
c:	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\hmxtkl.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\hmxtkl.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\hmxtkl.exe	Synchronize,Write Attributes
c:\users\user\downloads\cmgr.exe	Generic Write,Read Attributes
c:\users\user\downloads\csrv.exe	Generic Write,Read Attributes
c:\users\user\downloads\e36ec4af9138c68e6476550bbbec5d48ab1aed62_0003348992srv.exe	Generic Write,Read Attributes
c:\users\user\downloads\temp\shsandbox-win32.dll-5.21.4.9999-x86.dmp	Generic Read,Write Data,Write Attributes,Write extended,Append data

c:\users\user\downloads\temp\shsandbox-win32.dll-5.22.1.9999-x86.dmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\2ca2e1	Generic Write,Read Attributes
c:\windows\system.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\syswow64\rundll32mgr.exe	Generic Write,Read Attributes
c:\windows\syswow64\rundll32srv.exe	Generic Write,Read Attributes
c:\windows\syswow64\temp\shsandbox-win32.dll-5.22.1.9999-x86.dmp	Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify		RegNtPreCreateKey

HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\direct3d\mostrecentapplication::name	caba7f5c2d46d5b1a6f3cbb3e1c10e9bae7ef8b1_0003547136	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline		RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications		RegNtPreCreateKey
HKCU\software\jguh::u1_0	啕啕	RegNtPreCreateKey
HKCU\software\jguh::u2_0	ᖍ	RegNtPreCreateKey
HKCU\software\jguh::u3_0	権ă	RegNtPreCreateKey
HKCU\software\jguh::u4_0		RegNtPreCreateKey
HKCU\software\jguh::u1_1	䴜㱃	RegNtPreCreateKey
HKCU\software\jguh::u2_1	書牥	RegNtPreCreateKey
HKCU\software\jguh::u3_1	ᥜ獦	RegNtPreCreateKey
HKCU\software\jguh::u4_1	獵牥	RegNtPreCreateKey
HKCU\software\jguh::u1_2	ꋏꁼ	RegNtPreCreateKey
HKCU\software\jguh::u2_2		RegNtPreCreateKey
HKCU\software\jguh::u3_2	賃	RegNtPreCreateKey
HKCU\software\jguh::u4_2		RegNtPreCreateKey
HKCU\software\jguh::u1_3	婯䁹	RegNtPreCreateKey
HKCU\software\jguh::u2_3	俒地	RegNtPreCreateKey
HKCU\software\jguh::u3_3	ぶ嘳	RegNtPreCreateKey
HKCU\software\jguh::u4_3	婟地	RegNtPreCreateKey
HKCU\software\jguh::u1_4	鼭ⷤ	RegNtPreCreateKey
HKCU\software\jguh::u2_4		RegNtPreCreateKey
HKCU\software\jguh::u3_4	ꟽ좖	RegNtPreCreateKey
HKCU\software\jguh::u4_4	췔즕	RegNtPreCreateKey
HKCU\software\jguh::u1_5	綁ׂ	RegNtPreCreateKey
HKCU\software\jguh::u2_5	哄㯻	RegNtPreCreateKey
HKCU\software\jguh::u3_5	⭠㫸	RegNtPreCreateKey
HKCU\software\jguh::u4_5	䅉㯻	RegNtPreCreateKey
HKCU\software\jguh::u1_6	ⷨ𢡄	RegNtPreCreateKey
HKCU\software\jguh::u2_6	ꄳ깠	RegNtPreCreateKey
HKCU\software\jguh::u3_6		RegNtPreCreateKey
HKCU\software\jguh::u4_6	뒾깠	RegNtPreCreateKey
HKCU\software\jguh::u1_7	穠峕	RegNtPreCreateKey
HKCU\software\jguh::u2_7	㶾⃆	RegNtPreCreateKey
HKCU\software\jguh::u3_7	䈚⇅	RegNtPreCreateKey
HKCU\software\jguh::u4_7	⠳⃆	RegNtPreCreateKey
HKCU\software\jguh::u1_8	騍橎	RegNtPreCreateKey
HKCU\software\jguh::u2_8	踥錫	RegNtPreCreateKey
HKCU\software\jguh::u3_8	鈨	RegNtPreCreateKey
HKCU\software\jguh::u4_8	鮨錫	RegNtPreCreateKey
HKCU\software\jguh::u1_9	驄깽	RegNtPreCreateKey
HKCU\software\jguh::u2_9	᪐֑	RegNtPreCreateKey
HKCU\software\jguh::u3_9	攴Ғ	RegNtPreCreateKey
HKCU\software\jguh::u4_9	༝֑	RegNtPreCreateKey
HKCU\software\jguh::u1_10	옯쟌	RegNtPreCreateKey
HKCU\software\jguh::u2_10	鷺矶	RegNtPreCreateKey
HKCU\software\jguh::u3_10	盵	RegNtPreCreateKey
HKCU\software\jguh::u4_10	芒矶	RegNtPreCreateKey
HKCU\software\jguh::u1_11	䡖騅	RegNtPreCreateKey
HKCU\software\jguh::u2_11		RegNtPreCreateKey
HKCU\software\jguh::u3_11	鰮	RegNtPreCreateKey
HKCU\software\jguh::u4_11		RegNtPreCreateKey
HKCU\software\jguh::u1_12	ጱ	RegNtPreCreateKey
HKCU\software\jguh::u2_12	稠峁	RegNtPreCreateKey
HKCU\software\jguh::u3_12	͕巂	RegNtPreCreateKey
HKCU\software\jguh::u4_12	楼峁	RegNtPreCreateKey
HKCU\software\jguh::u1_13	摂	RegNtPreCreateKey
HKCU\software\jguh::u2_13	왕켦	RegNtPreCreateKey
HKCU\software\jguh::u3_13	뛘츥	RegNtPreCreateKey
HKCU\software\jguh::u4_13		RegNtPreCreateKey
HKCU\software\jguh::u1_14	ᚿ쳲	RegNtPreCreateKey
HKCU\software\jguh::u2_14	䖘䆌	RegNtPreCreateKey
HKCU\software\jguh::u3_14	㩏䂏	RegNtPreCreateKey
HKCU\software\jguh::u4_14	偦䆌	RegNtPreCreateKey
HKCU\software\jguh\1214104697::1919251317		RegNtPreCreateKey
HKCU\software\jguh\1214104697::-456464662		RegNtPreCreateKey
HKCU\software\jguh\1214104697::1462786655		RegNtPreCreateKey
HKCU\software\jguh\1214104697::-912929324		RegNtPreCreateKey
HKCU\software\jguh\1214104697::1006321993	K	RegNtPreCreateKey
HKCU\software\jguh\1214104697::-1369393986	http://padrup.com/sobaka1.gifhttp://190.120.227.91:8080/sobak	RegNtPreCreateKey
HKCU\software\jguh\1214104697::549857331		RegNtPreCreateKey

Windows API Usage

Category	API
Process Shell Execute	CreateProcess
Encryption Used	CryptAcquireContext
Syscall Use	ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtClose ntdll.dll!NtCreateFile ntdll.dll!NtCreateSection ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenProcessToken ntdll.dll!NtProtectVirtualMemory Show More ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtReadFile ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetThreadState
Anti Debug	NtQuerySystemInformation OutputDebugString
Process Manipulation Evasion	NtUnmapViewOfSection

Shell Command Execution


							c:\users\user\downloads\e36ec4af9138c68e6476550bbbec5d48ab1aed62_0003348992Srv.exe


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\cbb3468b047cdd428e973f39d04907c6e6cd22d6_0000908800.,LiQMAxHB


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\85274b3a3f2b4c1dd9bd08d3e525c264554f9df0_0008906131.,LiQMAxHB


							cSrv.exe


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\e2d5b432e6634e84c289534ff0e529dbac5e06a4_0000167936.,LiQMAxHB


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\50623038165328fa063e5792efc036cd043c8061_0002400104.,LiQMAxHB


									cmgr.exe


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\4981f7ff076e61f1f04c4bb2e5754333721dc154_0002211328.,LiQMAxHB

Worm.Ramnit

Threat Scorecard

EnigmaSoft Threat Scorecard

File System Details

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Related Posts

Trending

Most Viewed