{
	"id": "7dc130ed-4765-41af-bf46-20e08a189f51",
	"created_at": "2026-04-06T00:11:58.733032Z",
	"updated_at": "2026-04-10T13:12:29.808784Z",
	"deleted_at": null,
	"sha1_hash": "c52e1c9d13da07be5bb9e75b4833d09cd3e4264c",
	"title": "Trojan.Win32/Spy.Ranbyus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 824702,
	"plain_text": "Trojan.Win32/Spy.Ranbyus\r\nArchived: 2026-04-05 20:22:21 UTC\r\nReceived a mail with an interesting exe\r\nhttps://www.virustotal.com/file/17a3ee51492b9b2ba155f54be61f2c305b090cee8d604d1df616ca3ba881b372/analysis/1359049655\r\nThanks creep.\r\nThis bot is used by one group of Russian carders and is not for sale; they call it 'triton'.\r\nIDA Map file imported to Olly; without IDA I had huge problems understanding the exe:\r\nInjects:\r\nDecoded strings (some, not everything):\r\n\u0026pp=1\r\nreg add \"\r\n\u0026files=1\r\nhttp://www.xylibox.com/2013/01/trojanwin32spyranbyus.html\r\nPage 1 of 13\r\nnabagent.exe\r\nputty.exe\r\n[MOUSE R %dx%d]\r\nPOST\r\nSeShutdownPrivilege\r\nUniStream.exe\r\ncbsmain.exe\r\nHKLM\\\r\njawt.dll\r\n\u0026net=1\r\ndisk%u.xml\r\n\u0026scrn=1\r\n\u0026cmd=1\r\nUZ.DB3\r\nGET\r\niexplore.exe\r\nThunderRT6FormDC\r\ncom.bifit.harver.core.DocumentBrowserFrame\r\ndrweb.exe\r\nnabwatcher.exe\r\nWINNT\r\nbc_loader.exe\r\navfwsvc.exe\r\n[VK_END]\r\n.iBank*\r\naswupdsv.exe\r\n%s\\tmp%xa%04d.$$$\r\n\\/servlets\\/ibc\r\nbclient.exe\r\nEnableLUA\r\nsecring\r\nclient7.exe\r\nWestern Union® Translink™\r\nTiny Client-Bank\r\n/bsi.dll\r\nContent-type: multipart/form-data, boundary=%s\r\nEdit\r\njava.exe\r\nsign.key\r\n\\\\.\\PhysicalDrive0\r\ninbank-start-ff.exe\r\nhttp://([^:/]+):*([^/]*)(.+)\r\nContent-Disposition: form-data; name=\"data\"; filename=\"1\"\r\nclbank.exe\r\nBBClient.exe\r\nWS2_32.DLL\r\nComSpec\r\niscc.exe\r\nSOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\r\navengine.exe\r\nhttps:\\/\\/ibank.alfabank.ru\r\nWebMoney Keeper Classic » Вход\r\na:\\keys.dat\r\nhttps:\\/\\/ibank.prbb.ru\r\noncbcli.exe\r\nlogs\r\nnortonantibot.exe\r\nContactNG.exe\r\nBUTTON\r\nwclnt.exe\r\nashwebsv.exe\r\nmj=%u\u0026mi=%u\u0026pt=%u\u0026b=%u\u0026dc=%u\r\nsgbclient.exe\r\ncbsmain.dll\r\navmailc.exe\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\\r\nwinlogon.exe\r\nwebmoney.exe\r\negui.exe\r\n/c del\r\n--%s--\r\nauth-attr-\\d+-param1=.*\u0026auth-attr-\\d+-param2=.*\r\nintpro.exe\r\nvshwin32.exe\r\nfirefox.exe\r\nmcshield.exe\r\nPassword:\r\nnabmonitor.exe\r\nUNIStream®. Аутентификация.\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\n\u0026file=2\r\nhttp://e71koapi.org/lc5dx/index.php\r\nrclient.exe\r\n.jks\r\ncfp.exe\r\ntranslink.exe\r\nhttp://pulden376-seven3.in/doEst71beG/index.php\r\nContent-Transfer-Encoding: binary\r\nntvdm.exe\r\nSysDebug32\r\n%s?id=%s\u0026session=%u\u0026v=%u\u0026name=%s\r\n\u0026av=\r\navp.exe\r\nSystem\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\r\ncmdagent.exe\r\nWINSCARD.DLL\r\n\" /v EnableLUA /t REG_DWORD /d 0 /f\r\nbankcl.exe\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\r\nsafari.exe\r\navconsol.exe\r\nelbank.exe\r\nusername=.*\u0026password=.*\r\npubring=(.*)\r\njavax.swing.JFrame\r\nsecring=(.*)\r\njavaw.exe\r\nISClient.exe\r\nJVM.DLL\r\nbk.exe\r\nhttp://([^:/]+)/.+\r\nauth-attr-\\d+-param1=(.*)\u0026auth-attr-\\d+-param2=([^\u0026]*)\r\nekrn.exe\r\nsched.exe\r\navgnt.exe\r\navwebgrd.exe\r\nstartclient7.exe\r\nmaster.key\r\navsynmgr.exe\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nAleksandr Matrosov knows this threat better than I do; go have a look at his article: http://blog.eset.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs\r\nLet's go directly to the panel...\r\nLogin:\r\nStatistics:\r\nActive bots with smartcard:\r\nScreenshots (SR):\r\nClicking on a random day:\r\nA screenshot taken by the bot:\r\nFilelist (FL):\r\nFile (F):\r\nKeys (K):\r\nBot information:\r\nOrders to send:\r\nDownload list:\r\nSome task urls:\r\nSome files can be found here: http://vxvault.siri-urz.net/ViriList.php?IP=209.61.202.242\r\nHide:\r\nLookup:\r\nadd:\r\nBanks:\r\nDownload:\r\nComments:\r\nOthers:\r\nSearch via IP:\r\nSearch via ID:\r\nDaemon:\r\nUpdate:\r\nSettings:\r\nSource: http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html"
	],
	"report_names": [
		"trojanwin32spyranbyus.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434318,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c52e1c9d13da07be5bb9e75b4833d09cd3e4264c.pdf",
		"text": "https://archive.orkl.eu/c52e1c9d13da07be5bb9e75b4833d09cd3e4264c.txt",
		"img": "https://archive.orkl.eu/c52e1c9d13da07be5bb9e75b4833d09cd3e4264c.jpg"
	}
}