SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Ramnit.A_14
Ramnit.A_14 is a multicomponent malware that targets Microsoft Windows operating systems. It was first seen in January 2010. It steals sensitive information such as banking credentials and infects executables, HTML and Microsoft Office files. It opens a backdoor and communicates with the C&C server for updates. It propagates via removable drives.

File Related Changes
It drops the following file(s) on the system:
  • "c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyxgoclh.exe"

Process Related Changes
It creates the following mutex(es):
  • "{545219A0-89E7-D5D6-94CC-53CFDB7D470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD379470A}"
  • "{545219A0-89E7-D5D6-94CC-53CFCFFD470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD679470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD025470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD8C9470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFCFFD470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFCF7D470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD241470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD4E5470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFCFD1470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD5ED470A}"
  • "{545219A0-89E7-D5D6-94CC-53CFD8B5470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD065470A}"
  • "{545219A0-89E7-D5D6-94CC-53CFDCB1470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD285470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD585470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFCF91470A}"
  • "{54521389-89E7-D5D6-94CC-53CFCEA1470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD8B5470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD85D470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD51D470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFDB29470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFCEA5470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD6AD470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD119470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFDB65470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD3C5470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFCFF1470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD1F5470A}"
  • "{545219A0-89E7-D5D6-94CC-53CFD379470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD349470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFDB75470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD735470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD00D470A}"
  • "{545219A0-89E7-D5D6-94CC-53CFD421470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD339470A}"
  • "{54520D92-89E7-D5D6-94CC-53CFCEA1470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD1A5470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFDCB1470A}"
  • "{545219A0-89E7-D5D6-94CC-53CFDB65470A}"
  • "{545219A0-89E7-D5D6-94CC-53CFD349470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD509470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD421470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD0D5470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD485470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD05D470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD5C9470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFCEA1470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD5A5470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFCFF5470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD071470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD569470A}"
  • "{54521ED3-89E7-D5D6-94CC-53CFD14D470A}"
  • "{545219A0-89E7-D5D6-94CC-53CFD339470A}"
  • "{545219A0-89E7-D5D6-94CC-53CFDB75470A}"

It creates the following process(es):
  • c:\Program Files\Internet Explorer\iexplore.exe [ \c:\Program Files\Internet Explorer\iexplore.exe ]

It injects malicious code into the following process(es):
  • "C:\Windows\system32\UI0Detect.exe"
  • "C:\Windows\system32\Dwm.exe"
  • "C:\Windows\system32\csrss.exe"
  • "C:\Windows\system32\psxss.exe"
  • "C:\Windows\System32\tcpsvcs.exe"
  • "C:\Windows\system32\SearchFilterHost.exe"
  • "c:\windows\system32\tlntsrv.exe"
  • "C:\Windows\system32\wininit.exe"
  • "C:\Windows\system32\SearchProtocolHost.exe"
  • "C:\Windows\System32\spoolsv.exe"
  • "C:\Windows\System32\mobsync.exe"
  • "C:\Windows\system32\taskhost.exe"
  • "C:\Windows\system32\nfsclnt.exe"
  • "C:\Windows\system32\lsass.exe"
  • "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
  • "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
  • "C:\Windows\system32\SearchIndexer.exe"
  • "C:\Windows\system32\inetsrv\inetinfo.exe"
  • "C:\Windows\system32\lsm.exe"

Network Activity
It attempts to connect to the following remote servers:
  • supnewdmn.com:447 (91.233.xxxxxx)
  • tvrstrynyvwstrtve.com:447 (109.74.xxxxxx)
  • google.com:80 (173.194xxxxxx)

We observed the following DNS query/queries:
  • supnewdmn.com
  • tvrstrynyvwstrtve.com


Relevant Information


© SonicWall 2020 | Privacy Policy | Conditions for use Version: 10.0