Sonicwall Signatures


Go to All Categories list.

Ramnit.D is a multicomponent malware that targets Microsoft Windows operating systems. It was first seen in January 2010. It steals sensitive information such as banking credentials and infects executables, HTML and Microsoft Office files. It opens a backdoor and communicates with the C&C server for updates. It propagates via removable drives.

File Related Changes
It drops the following file(s) on the system:
  • "c:\Users\Admin\AppData\Local\Temp\yhvbteknujtldjir.exe"
  • "c:\Users\Admin\AppData\Local\yvgteycq\hyxgoclh.exe"
  • "c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hyxgoclh.exe"

Process Related Changes
It creates the following mutex(es):
  • "{54521A76-89E7-D5D6-94CC-53CFCEA1470A}"
  • "{54521A77-89E7-D5D6-94CC-53CFCEA1470A}"
  • "{54522463-89E7-D5D6-94CC-53CFCEA1470A}"
  • "{54520D92-89E7-D5D6-94CC-53CFCEA1470A}"
  • "{545219A0-89E7-D5D6-94CC-53CFDB7D470A}"

It creates the following process(es):
  • C:\Users\Admin\AppData\Local\Temp\yhvbteknujtldjir.exe
  • C:\Windows\system32\svchost.exe

Network Activity
It attempts to connect to the following remote servers:
  • (74.125.xxxxxx)
  • (69.164.xxxxxx)
  • (69.164.xxxxxx)
  • (190.93.xxxxxx)
  • (69.164.xxxxxx)
  • (94.126.xxxxxx)
  • (69.43.1xxxxxx)
  • (166.78xxxxxx)

We observed the following DNS query/queries:

Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hyxgoclh = C:\Users\Admin\AppData\Local\yvgteycq\hyxgoclh.exe

Relevant Information