{
	"id": "e0f1ad2e-49e3-4f62-8c33-9754426b1b27",
	"created_at": "2026-04-06T00:15:35.647201Z",
	"updated_at": "2026-04-10T03:26:19.247229Z",
	"deleted_at": null,
	"sha1_hash": "222a2bd14a8e02ccd9e54972480219d6528901d6",
	"title": "Blackhole Ramnit - samples and analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 661113,
	"plain_text": "Blackhole Ramnit - samples and analysis\r\nArchived: 2026-04-05 16:14:52 UTC\r\nRamnit - a Zeus-like trojan/worm/file infector with rootkit capabilities has been in the wild for a long time but\r\nrecently made news because Seculert reported about a financial variant of this malware aimed at stealing\r\nFacebook credentials.\r\nWhile I did not see any Facebook related activity in my samples, I am posting them anyway for your research as\r\ntheir functionality is the same.\r\nThe samples I have are being spread not via Facebook but via Blackhole exploit kit, which is a very effective\r\nmethod. Blackhole exploit kit was associated with the spread of ZeuS, Spyeye, and it is not surprising that Ramnit\r\nis being spread in the same manner by the same groups. The group of command and control servers that I\r\nresearched is associated with pharma spam and \"Canadian\" online pharmacies.\r\nGeneral File Information\r\nFile: 607B2219FBCFBFE8E6AC9D7F3FB8D50E\r\nMD5:  607B2219FBCFBFE8E6AC9D7F3FB8D50E\r\nFile: c33e7ed929760020820e8808289c240e\r\nMD5:  C33E7ED929760020820E8808289C240E\r\nFile: 76991eefea6cb01e1d7435ae973858e6   -  not analysed\r\nMD5:  76991EEFEA6CB01E1D7435AE973858E6\r\nFile: 2ff2c8ada4fc6291846f0d66ae57ca37  -not analysed\r\nMD5:  2FF2C8ADA4FC6291846F0D66AE57CA37\r\nhttp://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html\r\nPage 1 of 9\n\nDownload\r\nDownload all the binaries and dropped files as a password protected archive (email me if you need the\r\npassword)\r\nDistribution\r\nThe files analysed were / are being distributed via Blackhole exploit pack. It starts with the usual large letter\r\nmessage \"Please wait page is loading\" -then Java exploit launches and compromise takes place if the machine is\r\nvulnerable. . 
Here you can see the Blackhole domains spreading Ramnit in the Malwaredomainlist .\r\nAmberfreda.com domain belongs to a legitimate company and is registered in Arizona, while a subdomain\r\nbest.amberfreda.com is registered by some Ukranian guy. Not sure how they managed that.\r\namberfreda.com\r\n173.201.97.1\r\np3nlhg49c090.shr.prod.phx3.secureserver.net\r\nDomains By Proxy, LLC\r\nDomainsByProxy.com\r\n15111 N. Hayden Rd., Ste 160, PMB 353\r\nScottsdale, Arizona 85260\r\nUnited States\r\nbest.amberfreda.com\r\n178.162.145.184\r\n178-162-145-184.local\r\nHost unreachable\r\n178.162.145.128 - 178.162.145.255\r\nVPS services\r\nUkraine\r\nVladimir Gubarenko\r\np/o box 8967\r\n61106, Kharkov\r\nUkraine\r\nphone: +7 4956637354\r\nhttp://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html\r\nPage 2 of 9\n\nfax: +7 4956637354\r\nadmin@imhoster.net\r\n http://www.malwaredomainlist.com/mdl.php?search=amberfreda.com\u0026colsearch=All\u0026quantity=50\r\nBrief Analysis\r\n 607B2219FBCFBFE8E6AC9D7F3FB8D50E\r\n Hendrik Adrian from Japan posted his analysis of the same sample ( 0day.JP - Ramnit) where he described the\r\nfiles created by the malware and  the spam sending capabilities of the bot .\r\nThe bot deletes registry settings for the safe boot, which\r\ncauses BSOD and prevents one from removing the malicious files in the safe mode.\r\n2. Adds a Windows service  \r\nMicorsoft Windows Service - note the spelling\r\n3. 
Adds the following files (names vary)\r\n\\Application Data\\nvamibiv\\vcryserj.exe - copy of the original http://www.virustotal.com/file-scan/report.html?id=f52bfac9637aea189ec918d05113c36f5bcf580f3c0de8a934fe3438107d3f0c-1326310185\r\nFile: vcryserj.exe\r\nSize: 135680\r\nMD5:  607B2219FBCFBFE8E6AC9D7F3FB8D50E\r\n\\Application Data\\wduqtdai.log  - number of logs varies, contain encrypted data\r\n\\Application Data\\xtyepaef.log number of logs varies, contain encrypted data\r\n \\Temp\\nhptugtstukgwpyi.exe - copy of the original\r\nhttp://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html\r\nPage 3 of 9\n\nFile: nhptugtstukgwpyi.exe\r\nSize: 135680\r\nMD5:  607B2219FBCFBFE8E6AC9D7F3FB8D50E\r\n\\Start Menu\\Programs\\Startup\\vcryserj.exe - copy of the original \r\nFile: vcryserj.exe\r\nSize: 1356\r\nMD5:  607B2219FBCFBFE8E6AC9D7F3FB8D50E\r\n\\Local Settings\\Temp\\dnsgvbny.sys  the rootkit  http://www.virustotal.com/file-scan/report.html?\r\nid=c1293f8dd8a243391d087742fc22c99b8263f70c6937f784c15e9e20252b38ae-1326346542\r\n File: dnsgvbny.sys\r\nSize: 15360\r\nMD5:  A6D351093F75D16C574DB31CDF736153\r\n Ramnit injects itself into two  svchost.exe processes and you  can see them if you sort all processes by PID, the\r\nlast two will those created by Ramnit.\r\n It generates spam that it sends out on port 25, Hendrik already described this behavior in his post.\r\nC33E7ED929760020820E8808289C240E\r\n The second file has file infector features I did not observe in 607B2219FBCFBFE8E6AC9D7F3FB8D50E.\r\nAs you see in the log below, malicious svchost.exe modifies or tries to modify every binary and HTML file by\r\nappending malicious code to each file or a vbs script to HTML files   -  like described in this post by ESET\r\nWin32/Ramnit.A. 
and here in the post by Avira  - Closer look at W32/Ramnit.C\r\nThis does not break the infected binaries, all files continue to work as designed, except they infect or reinfect the\r\ncomputer they are running on. Webmasters may upload infected html files and visitors of their sites may get\r\ninfected as well. For an average user, it is impossible to clean a system compromised with Ramnit file injector and\r\nuse it confidence. The only way is say good bye to all the HTM(L), DLL and EXE files and build a new system\r\nwithout trying to copy any hrml files, bookmark or applications.\r\nhttp://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html\r\nPage 4 of 9\n\nThsi is what happens with VirustotalUpload2.exe (and most other Programs including Adobe, MS Office and\r\nWindows files)\r\nhttp://www.virustotal.com/file-scan/report.html?\r\nid=a40aacca731c142148733786cae64d45df2e740e3fb744ffc513d251ec121cf7-1326169765\r\nVirusTotalUpload2.exe\r\nSubmission date:\r\n2012-01-10 04:29:25 (UTC)\r\nResult:37 /43 (86.0%)\r\nPrint results\r\nAntivirus     Version     Last Update     Result\r\nAhnLab-V3     2012.01.09.00     2012.01.09     Win32/Ramnit.O\r\nAntiVir     7.11.20.218     2012.01.10     W32/Ramnit.E\r\nAvast     6.0.1289.0     2012.01.09     Win32:Ramnit-H\r\nAVG     10.0.0.1190     2012.01.10     Win32/Zbot.G\r\nBitDefender     7.2     2012.01.10     Win32.Ramnit.N\r\nByteHero     1.0.0.1     2011.12.31     Trojan.Win32.Heur.Gen\r\nCAT-QuickHeal     12.00     2012.01.09     W32.Ramnit.C\r\nClamAV     0.97.3.0     2012.01.10     Trojan.Patched-168\r\nCommtouch     5.3.2.6     2012.01.10     W32/Ramnit.E\r\nComodo     11229     2012.01.10     TrojWare.Win32.Patched.SM\r\nDrWeb     5.0.2.03300     2012.01.09     Win32.Rmnet.8\r\nEmsisoft     5.1.0.11     2012.01.10     Virus.Win32.Zbot!IK\r\neTrust-Vet     37.0.9672     2012.01.09     Win32/Ramnit.AJ\r\nF-Prot     4.6.5.141     2012.01.09     W32/Ramnit.E\r\nF-Secure     9.0.16440.0     
2012.01.09     Win32.Ramnit.N\r\nFortinet     4.3.388.0     2012.01.10     W32/Ramnit.B\r\nGData     22     2012.01.09     Win32.Ramnit.N\r\nIkarus     T3.1.1.109.0     2012.01.10     Virus.Win32.Zbot\r\nJiangmin     13.0.900     2012.01.09     Win32/PatchFile.gg\r\nK7AntiVirus     9.124.5897     2012.01.09     Trojan\r\nKaspersky     9.0.0.837     2012.01.10     Trojan.Win32.Patched.md\r\nMcAfee     5.400.0.1158     2012.01.10     W32/Ramnit.b\r\nMcAfee-GW-Edition     2010.1E     2012.01.09     W32/Ramnit.b\r\nMicrosoft     1.7903     2012.01.09     Virus:Win32/Ramnit.AF\r\nNOD32     6780     2012.01.10     Win32/Ramnit.H\r\nNorman     6.07.13     2012.01.09     W32/Ramnit.AB\r\nnProtect     2012-01-09.01     2012.01.10     Win32.Ramnit.N\r\nPanda     10.0.3.5     2012.01.09     W32/Cosmu.L\r\nPCTools     8.0.0.5     2012.01.10     Malware.Ramnit\r\nRising     23.92.01.01     2012.01.10     Win32.Ramnit.c\r\nSymantec     20111.2.0.82     2012.01.10     W32.Ramnit.B!inf\r\nTrendMicro     9.500.0.1008     2012.01.10     PE_RAMNIT.KC\r\nhttp://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html\r\nPage 5 of 9\n\nTrendMicro-HouseCall     9.500.0.1008     2012.01.10     PE_RAMNIT.KC\r\nViRobot     2012.1.10.4872     2012.01.10     Win32.Ramnit.A\r\nVirusBuster     14.1.158.1     2012.01.09     Win32.Ramnit.Gen.3\r\nAdditional information\r\nMD5   : 25f6ee42d37e3f2f7dbe795e836d52e2\r\nTraffic\r\n607B2219FBCFBFE8E6AC9D7F3FB8D50E - C\u0026C is sinkholedC33E7ED929760020820E8808289C240E  -\r\nC\u0026C is active\r\nDespite the fact that the C\u0026C for 607B2219FBCFBFE8E6AC9D7F3FB8D50E is sinkholed, it is still interesting\r\nto see the malware behavior when it tries to establish a connection with the server.\r\nRamnit samples used by the same group of attackers have overlapping set of C\u0026C servers - the list is not the same\r\nbut I found that my samples that are supposedly later version that Ramnit.AK have approximately 80% overlap 
in\r\nC\u0026C list used by this RamnitAK binary described by Sophos .  I have combined the two lists and ran WHOIS\r\nqueries to establish active C\u0026C and their location and registration.\r\nThe communications with the sinkholed server below show that once the bot receives SYN command from the\r\nC\u0026C, it sends 6 bytes of data. Exact same behavior is described in this analysis of  the binaries from Summer\r\n2011  - with the only difference that the second packet sent by the bot was not 75 bytes but 149 bytes Bot of the\r\nDay: Ramnit/NinmulMonday, July 18th, 2011. If connection with the server is established, the traffic continues on\r\non port 443, it is encoded but it is not SSL, it is some sort of custom protocol.\r\nThe bot is going through the list of domains trying to find those that are active. Most of the domains are not\r\nregistered yet but the two currently active domains were registered on January 5 and 6, 2011. It appears that the\r\nattackers register new domains as soon as the lose any due to sinkholing and domain cancellations. Since all the\r\ndomains have the most random names, they are not likely to be registered by someone else before they are needed.\r\nHaving each binary to check a long list of domains makes the bot very noisy (consider making IDS signatures\r\nbased on UDP port 53 thresholds) but it prevents the death of the botnet in case of the C\u0026C loss. I have complied\r\na list of approximately 400 domains with only 21 of them registered.   If you created DNS blocks or sinkhole\r\ndomains, consider blocking or sinkholing all of them, not only active.\r\nDomain name: rjordulltl.com\r\n89.149.242.185  - Leaseweb Germany GmbH (previously netdirekt e. 
K.)\r\nGermany\r\nhttp://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html\r\nPage 6 of 9\n\nRegistrar: Regtime Ltd.\r\nCreation date: 2012-01-05\r\nExpiration date: 2013-01-05\r\nDomain Name: goopndlgvy.com\r\nRegistrant:\r\n    PrivacyProtect.org\r\n    Domain Admin        (contact@privacyprotect.org)\r\n    ID#10760, PO Box 16\r\n    Note - All Postal Mails Rejected, visit Privacyprotect.org\r\n    Nobby Beach\r\n    null,QLD 4218\r\n    AU\r\n    Tel. +45.36946676\r\n89.149.242.185  - Leaseweb Germany GmbH (previously netdirekt e. K.)\r\nGermany\r\nCreation Date: 06-Jan-2012 \r\nExpiration Date: 06-Jan-2013\r\n Communications with a sinkholed C\u0026C and search for a new active server:\r\nhttp://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html\r\nPage 7 of 9\n\nBot \u003c-\u003e C\u0026C communications on port 443\r\nhttp://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html\r\nPage 8 of 9\n\nList of domains used by Ramnit binaries - feel free to pre-emptively sinkhole them. 
Part of them are from this Sophos analysis and part is from running these two binaries.\r\nSource: http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html"
	],
	"report_names": [
		"blackhole-ramnit-samples-and-analysis.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434535,
	"ts_updated_at": 1775791579,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/222a2bd14a8e02ccd9e54972480219d6528901d6.pdf",
		"text": "https://archive.orkl.eu/222a2bd14a8e02ccd9e54972480219d6528901d6.txt",
		"img": "https://archive.orkl.eu/222a2bd14a8e02ccd9e54972480219d6528901d6.jpg"
	}
}