{
	"id": "504df559-c8a4-4957-a544-eabc52fb8546",
	"created_at": "2026-04-06T00:21:44.724587Z",
	"updated_at": "2026-04-10T03:36:00.161042Z",
	"deleted_at": null,
	"sha1_hash": "fc45e2de80c00a40bb20085c2b1ffa7eeb009fda",
	"title": "LOLbins and trojans: How the Ramnit Trojan spreads via sLoad in a cyberattack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3821181,
	"plain_text": "LOLbins and trojans: How the Ramnit Trojan spreads via sLoad\r\nin a cyberattack\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 12:49:53 UTC\r\nResearch by Eli Salem, Lior Rochberger, \u0026 Niv Yona\r\nIntroduction\r\nCybereason’s Nocturnus and Active Hunting Service are two teams dedicated to easily detect threats on demand\r\nand proactively seek out malicious activity. The Ramnit Trojan research is a result of the Cybereason\r\nplatform's capabilities presenting themselves during a threat hunting demonstration to one of our customers’\r\nsecurity teams. We uncovered a severe threat to the customer while onboarding the customer onto our Active\r\nThreat Hunting Service. The customer in question was infiltrated by a variant of the Ramnit banking Trojan.\r\nAlthough banking trojans typically target individuals to steal bank account credentials, the Ramnit banking Trojan\r\ncan, and has, targeted users within organizations.\r\nWant to hear about more trojans? Check out our webinar on the Ursnif trojan.\r\nIn Proofpoint’s recently published report, sLoad and Ramnit pairing in sustained campaigns against the UK and\r\nItaly, they explain how threat actor TA554 used the sLoad dropper to distribute the Ramnit banking Trojan to\r\ntarget financial institutions across Italy, Canada, and the UK. Cybereason detected a similar evasive infection\r\ntechnique used to spread a variant of the Ramnit banking Trojan as part of an Italian spam campaign. \r\nThe Ramnit Trojan is a type of malware able to exfiltrate sensitive data. This kind of data can include anything\r\nranging from banking credentials, FTP passwords, session cookies, and personal data. Leaking this information\r\nhttps://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan\r\nPage 1 of 30\n\ncan easily destroy user trust in a business, and in the process lose customers and ruin reputations. 
Luckily,\r\nour onboarding was timely, and was able to detect the trojan just as it was beginning to exfiltrate information. Our\r\ncustomer used our remediation tool immediately to stop the exfiltration in its tracks.\r\nOne of the main techniques used to minimize detection, as observed by our services team, was living off the land\r\nbinaries (LOLbins). In this research, we investigate this attack, its use of sLoad, and its adoption of LOLbins.\r\nThe attackers used a combination of built-in Windows products including PowerShell, BITSAdmin, and certutil to\r\navoid detection.\r\nUsing a legitimate native windows process to download malware is not novel in the security world. In fact, using\r\nlegitimate products to perform malicious activities is steadily gaining in popularity. However, using LOLbins in\r\nthis spam campaign is an intriguing, and, as you shall see, effective way to minimize the detection of the Ramnit\r\nbanking Trojan.\r\nWe divided the attack into different phases, which we then mapped to the MITRE ATT\u0026CK knowledge base.\r\nPhase one: Initial Infection and sLoad Payload Downloader\r\n \r\nSpearphishing Link: MITRE Technique T1192\r\nInitially, the target receives a spearphishing email as part of an Italian spam campaign. This spam campaign\r\nspecifically focused on Italian users. The email contains a link to a compromised website\r\n(https://levashekhtman[.]com/assistenza-amministrativa/documento-aggiornato-FMV-61650861).\r\nDownload Additional Payload\r\nOnce the target connects to the compromised website, the site initiates the download of an additional payload.\r\nThis payload is a compressed ZIP file (documento-aggiornato-FMV-61650861.zip(B564ED3DE7A49673AC19B6231E439032AE6EAA68)). 
The ZIP file contains a non-malicious .jpg\r\nfile and a .lnk shortcut file that has the nondescript icon of a typical Windows folder.\r\nhttps://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan\r\nPage 2 of 30\n\nThe contents of the zipped file.\r\nShortcut Modification: MITRE Technique T1023\r\nWhen the target opens the .lnk shortcut file, a CMD spawns a PowerShell with obfuscated commands.\r\nPowershell Obfuscation: MITRE Technique T1027\r\nThe PowerShell spawned by opening the .lnk file subsequently downloads the sLoad dropper. sLoad is a\r\nPowerShell-based banking Trojan downloader that features reconnaissance, information gathering, screen\r\ncapturing, and C2 abilities.\r\nIt starts the download by executing a PowerShell command that creates an empty .ps1 file\r\n (oyCZpsgNEFvQnW.ps1, SHA1: B6E3C4A528E01B6DE055E089E3C0DD2DA79CFCBE) in the %AppData%\r\nfolder.\r\nhttps://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan\r\nPage 3 of 30\n\nThe ZIP file uses the .lnk that links to a PowerShell with a malicious obfuscated encoded command.\r\nThe malicious PowerShell script uses several escape characters such as “, * in order to avoid detection. This\r\ntechnique is a JavaScript language exploitation that is able to bypass antivirus product defenses.\r\nBITSAdmin Abuse: MITRE Technique T1197\r\nThe malicious PowerShell script uses BITSAdmin to download sLoad from bureaucratica[.]org/bureaux/tica and\r\nwrite it to the empty .ps1 file it created previously. BITSAdmin is a built-in Windows command-line tool for\r\ndownloading, uploading, and monitoring jobs. Once the malicious PowerShell script is done writing sLoad into\r\nthe .ps1 file, the file is executed.\r\nPersistence Using Scheduled Task: MITRE Technique T1053\r\nThe malicious PowerShell script creates a scheduled task (AppRunLog). 
This task executes a malicious VBScript (vmcpRAYW.vbs).\r\n
sLoad Analysis\r\n
Anti-debugging and Analysis Techniques\r\n
The .ps1 file (oyCZpsgNEFvQnW.ps1) contains sLoad and is essentially a malicious PowerShell script. The script checks whether it is being debugged or run in a test environment by comparing the names of running processes against a list of analysis tools, including:\r\n
SysInternals Tools\r\n
Packet Sniffing Tools\r\n
Debuggers and Disassemblers\r\n
The malicious sLoad script also contains a key (1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16) that will be used to encrypt and decrypt the main payload.\r\n
oyCZpsgNEFvQnW.ps1 checks security products and contains the payload key.\r\n
The malicious sLoad script contains two encrypted files:\r\n
Config.ini (SHA1: 82C3A3E1317CD5C671612430DDDED79DF9398BCC)\r\n
Web.ini (SHA1: ABC14EB06235A957D3AD66E359DC0B1F1FDFAB8A)\r\n
oyCZpsgNEFvQnW.ps1 contains the encrypted Config.ini \u0026 Web.ini files.\r\n
It is interesting to note that the malicious sLoad script uses the computer’s GUID as the directory for all of its files and as part of the payload name.\r\n
oyCZpsgNEFvQnW.ps1 reads the computer’s GUID.\r\n
sLoad Persistence\r\n
sLoad ensures persistence by creating a scheduled task that allows sLoad to download the payload repeatedly.\r\n
oyCZpsgNEFvQnW.ps1 guarantees persistence using a scheduled task.\r\n
When the scheduled task runs, it spawns a malicious VBScript with a random name (vmcpRAYW.vbs, SHA1: AEABE11F0496DA7E62501A35F4F03059F783C775). The script executes a .ps1 file with the same name (vmcpRAYW.ps1, SHA1: 41FB1C6542975D47449EF6CB17B26CA8622CF9AE) that decrypts config.ini with the key from the malicious sLoad script (oyCZpsgNEFvQnW.ps1). After decryption, the sLoad payload is executed.\r\n
Execution of the wscript and the .ps1 in the Cybereason UI.\r\n
Phase Two: Decryption of config.ini and Execution of the sLoad Payload\r\n
Execution\r\n
Once config.ini is decrypted and executed, the second phase of sLoad takes place. The decrypted config.ini manages the functionality of the encrypted web.ini and contains the malware's instructions for screen capturing, collecting information about the infected machine, and downloading and uploading data. As part of its LOLbins technique, the payload carries out its malicious actions through legitimate processes, including BITSAdmin \u0026 certutil.\r\n
Analyzing the decoded Config.ini file, including getting data from web.ini and using the same key.\r\n
The decoded web.ini contains the list of malicious URLs, delimited by ‘,’. The deobfuscated Config.ini splits the URLs on ‘,’ and runs BITSAdmin on the command line for each URL in the file.\r\n
Executing the commands from Config.ini in order to decode web.ini.\r\n
web.ini content, which includes malicious URLs as a combination of 2 different web.ini files.\r\n
As mentioned above, sLoad creates persistence through a scheduled task. Interestingly, the sLoad domains stored in web.ini change every time sLoad is downloaded by the scheduled task. This ability to self-update makes sLoad stealthier and nullifies defense tactics such as detection by blacklisting domains.\r\n
Discovery \u0026 Internal Reconnaissance\r\n
As part of its attack lifecycle, sLoad collects information about the infected machine through several different techniques.\r\n
sLoad attempts to collect information regarding Win32_LogicalDisk, a WMI class that represents a local storage device on a computer running Windows. It also attempts to extract information about network shares and physical devices by using the NET VIEW command.\r\n
sLoad collecting information about the hardware and the network.\r\n
The NET VIEW command shows a list of computers and network devices on the network. It is a legitimate command that can be used for internal reconnaissance and system information discovery. Using this command, attackers may attempt to get detailed information about the operating system and hardware, including version number, patches, hotfixes, service packs, and architecture.\r\n
sLoad uses the NET VIEW command and saves the output to a file as part of its reconnaissance activities.\r\n
NET VIEW command as detected in the Cybereason platform.\r\n
After obtaining information about the victim’s network, the payload collects additional information about the local operating system and processor.\r\n
sLoad checking the local operating system and processor.\r\n
Data Exfiltration\r\n
The main method sLoad uses to collect information is screen capturing. It continues to capture the screen throughout its entire execution, and exfiltrates the data using BITSAdmin and certutil.\r\n
The sLoad main screen capturing function.\r\n
One of the most unusual ways sLoad steals information is by searching for and exfiltrating .ICA files. ICA is a settings file format developed by Citrix Systems, a multinational software company that provides server, application, and desktop virtualization. Independent Computing Architecture (ICA) files are used by Citrix application servers to configure information between servers and clients. ICA files are Citrix connection profiles used to store relevant connection details, including usernames, passwords, and server IP addresses. If they contain all of this information, they can be used to authenticate to and control a Citrix remote desktop.\r\n
sLoad attempts to extract .ICA files from the infected machine, with a particular focus on files in Outlook's user directory. It stores the information in a file (f.ini), and eventually sends the information to a remote C2 server using BITSAdmin.\r\n
Searching and storing .ICA files.\r\n
How sLoad Manipulates BITSAdmin and certutil to Download the Ramnit Banking Trojan\r\n
sLoad spawns a PowerShell script that uses BITSAdmin to download an encoded .txt payload from several malicious domains, including:\r\n
packerd[.]me\r\n
smokymountainsfineart[.]com\r\n
reasgt[.]me\r\n
imperialsociety[.]org\r\n
All of these domains were observed during the days of the attack.\r\n
The BITSAdmin command line.\r\n
certutil.exe is a command-line program that is installed as part of Certificate Services. 
An attacker can use this built-in Windows utility to bypass AppLocker and to download and decode malicious files.\r\n
The encoded payloads were decoded into a malicious executable using certutil.\r\n
certutil decodes the .txt file.\r\n
After being decoded by certutil, the malicious executable (_UWBwKlrFyeTXGjtV.exe, SHA1: ae5b322b7586706015d8b3e83334c78b77f8f905) is executed by PowerShell. This is the Ramnit banking Trojan.\r\n
PowerShell executes the Ramnit executable.\r\n
sLoad creates five .jpg files named [ScreenCapture + \u003cincremented number\u003e] using the Get-ScreenCapture function and saves them to the folder created by the malware. It then continues to exploit BITSAdmin by using it to upload all five .jpg files to the malicious C2 server.\r\n
sLoad takes six screen capture images.\r\n
sLoad screen capture function creating five images.\r\n
After the executable is initiated, the malware hides its tracks by using CMD with the del command to delete three files: the encoded and decoded payloads and the Ramnit banking Trojan executable (_UWBwKlrFyeTXGjtV.txt, _UWBwKlrFyeTXGjtV_1.txt, and _UWBwKlrFyeTXGjtV.exe).\r\n
sLoad hides evidence of the Ramnit executable.\r\n
The full chain of instructions displayed in the Cybereason platform can be seen in the deobfuscated sLoad payload code (config.ini).\r\n
The sLoad deobfuscated chain of actions.\r\n
In addition to downloading an executable, sLoad includes a secondary, fileless attack vector that executes a PowerShell command fetched from remote servers.\r\n
sLoad’s fileless command execution.\r\n
Phase Three: The Ramnit Banking Trojan\r\n
Ramnit Analysis\r\n
The payload of the BITSAdmin download (\u003cGUID\u003e_UWBwKlrFyeTXGjtV.exe, SHA1: ae5b322b7586706015d8b3e83334c78b77f8f905) was an unknown version of the Ramnit banking Trojan at the time of initial analysis. It was first submitted to VirusTotal after execution on the machine, not to Cybereason.\r\n
On execution, the Ramnit banking Trojan initiates its malicious activity through one of its persistence techniques. It creates scheduled tasks through the COM API, which uses the WMI process wmiprvse.exe. This makes Microsoft the author of the task, adding legitimacy to the operation. This is a living-off-the-land technique that helps the Ramnit banking Trojan stay hidden.\r\n
The Ramnit banking Trojan loads the COM API task module and initiates a scheduled task (mikshpri).\r\n
Ramnit executable loads the COM API task module.\r\n
The scheduled task using the WMI process.\r\n
After the tasks are scheduled, wmiprvse.exe spawns CMDs that create three files:\r\n
An empty .txt file.\r\n
A VBS file.\r\n
A .ps1 file.\r\n
WMI spawns command lines that create three files (as seen in the Cybereason attack tree).\r\n
WMI creates three files through the command line.\r\n
These three files are saved to the %AppData% folder and have names that depend on the computer they are executed on. After the files are created, the Ramnit banking Trojan executable writes a malicious script to the empty .txt file. This .txt file contains the additional Ramnit payload that will be loaded reflectively into the targeted processes.\r\n
Activation of the Scheduled Task\r\n
After the three files are created and the .txt file is populated, the scheduled task (mikshpri) executes a VBScript (mikshpri.vbs, SHA1: 21B729CEEE16CF3993D8DDBFEEEBB4F960B46F09) using wscript.\r\n
The VBScript executes the PowerShell script (phnjyubk.ps1) in the same folder. The .ps1 file decodes the encoded .txt file (ibgqbamp.txt) and executes it: the PowerShell script reads the encoded .txt file into a variable, uses the Unprotect command to decode it, saves the result in another variable, and executes its content.\r\n
phnjyubk.ps1: SHA1: 9344835036D0FA30B46EF1F4C3C16461E3F9B58F\r\n
ibgqbamp.txt: SHA1: 3544F637F5F53BF14B2A0CE7C24937A2C6BC8EFE\r\n
Execution of the wscript.\r\n
The contents of the VBScript.\r\n
The contents of the PowerShell script.\r\n
Analysis of the .txt File\r\n
After establishing its persistence using scheduled tasks, the Ramnit banking Trojan executes its reflective code injection.\r\n
The script decoded from the .txt file (ibgqbamp.txt) is a modified version of an open source script (Invoke-ReflectivePEInjection.ps1) from PowerSploit, a PowerShell post-exploitation framework. This script has two modes: it can reflectively load a DLL/EXE into the PowerShell process, or it can reflectively load a DLL into a remote process.\r\n
Investigating the malicious .txt file (ibgqbamp.txt) shows that it extracts two DLLs:\r\n
1. RuntimeCheck.dll is a module that the attacker added to the open source script in order to bypass the Antimalware Scan Interface (AMSI) defense (SHA1: e680c19a48d43ab9fb3fcc76e2b05af62fe55f1a).\r\n
2. rmnsoft.dll is the network mechanism that connects to the C2 server (SHA1: b4b93c740f4058b6607b3c509d50804b6119e010).\r\n
RuntimeCheck.dll bypassing the AMSI module.\r\n
rmnsoft.dll, the Ramnit module.\r\n
RuntimeCheck.dll and Bypassing AMSI\r\n
As mentioned above, the attacker modified the Invoke-ReflectivePEInjection.ps1 script and added a module to perform and verify the bypass of the AMSI defense mechanism. This module consists of five different functions, most of which are executed from the main function of the module, Disable().\r\n
RuntimeCheck.dll\r\n
As described in the Microsoft Developer Network (MSDN):\r\n
“AMSI is a generic interface standard that allows applications and services to integrate with any antimalware product present on a machine. It provides enhanced malware protection for users and their data, applications, and workloads.\r\n
AMSI is antimalware vendor agnostic, designed to allow for the most common malware scanning and protection techniques provided by today’s antimalware products that can be integrated into applications. It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques.”\r\n
The Antimalware Scan Interface (AMSI) is designed for application developers that want to make requests to antimalware products from within their applications, as well as for third-party creators of antimalware products that want their products to offer the best features to applications.\r\n
By default, AMSI works with Windows Defender to scan relevant data. 
However, if another antivirus engine registers itself as an AMSI provider, Windows Defender will unregister itself and shut down.\r\n
In the Disable() module, there are several functions that work together to bypass AMSI. A similar technique was described earlier this year by CyberArk.\r\n
In this instance, the attacker tries to bypass AMSI in order to evade its functionality. The attacker uses hard-coded memory manipulation with byte arrays to change the arguments of the AmsiScanBuffer function.\r\n
The technique used to bypass AMSI.\r\n
Once the attacker is able to bypass the AMSI defense system, they can lay the groundwork for the Ramnit banking Trojan module. This module is stored in the script as shellcode that will be injected reflectively.\r\n
rmnsoft.dll Analysis\r\n
As mentioned above, the .txt file contains a second payload stored as shellcode, which is the Ramnit banking Trojan module.\r\n
Ramnit is one of the oldest banking Trojans, and has been used by attackers since as early as 2010. Originally, it was used as a worm spreader. It was adapted for banking shortly after its developers adopted the leaked Zeus source code.\r\n
Traditionally, the Ramnit banking Trojan module (rmnsoft.dll) is responsible for multiple core malicious activities related to the network and communication of the banking Trojan. The module is also responsible for downloading several malicious modules that, when combined, expand the Ramnit features. These malicious activities include:\r\n
Man-in-the-Browser Attacks\r\n
Screen Capturing\r\n
Monitoring Keystrokes\r\n
Stealing Stored Credentials from FTP Clients\r\n
Stealing Cookies\r\n
Downloading Additional Malicious Files\r\n
Uploading Sensitive Data to a Remote C2 Server\r\n
After extracting the main module (rmnsoft.dll), it appears to have a list of targeted processes:\r\n
ImagingDevices.exe\r\n
Wab.exe\r\n
wabimg.exe\r\n
wmplayer.exe\r\n
wordpad.exe\r\n
These processes eventually become the injected processes that contain the main module (rmnsoft.dll).\r\n
Strings of targeted processes found in rmnsoft.dll.\r\n
rmnsoft.dll and Reflective Injection\r\n
As mentioned above, the main purpose of the modified script (Invoke-ReflectivePEInjection.ps1) stored as a .txt file is to reflectively inject a selected payload either into the PowerShell process or remotely into a chosen process.\r\n
Once wscript executes the PowerShell script (phnjyubk.ps1), the rmnsoft.dll module is reflectively injected into the PowerShell process.\r\n
The shellcode reflectively injected into the PowerShell process.\r\n
After being reflectively loaded into the PowerShell process, the script (phnjyubk.ps1) executes a function to search for the chosen processes. Once it identifies the processes, it injects its malicious module (rmnsoft.dll) into one of them.\r\n
The script selects where to inject the Ramnit module according to the targeted strings.\r\n
As mentioned above, once the PowerShell script ends its execution, wmiprvse.exe spawns a new process from the targeted list and performs its reflective DLL injection. Windows Management Instrumentation (WMI), as described in MSDN, is the infrastructure for data management and operations on Windows-based operating systems. Attackers can use WMI (MITRE Technique T1047) to interact with local and remote systems and use them to perform many offensive tactics, such as gathering information for discovery and remote execution of files as part of lateral movement.\r\n
wmiprvse.exe injecting the module reflectively into the targeted processes, as seen in the Cybereason platform.\r\n
Execution of the injected wordpad.exe by WmiPrvSE.exe in Process Hacker.\r\n
When inspecting the memory sections of any of the identified processes, we discovered a read-write-execute section that appears to be a Portable Executable file of size 116 kB. This section is where the module (rmnsoft.dll) is injected and is responsible for the malicious network activity of the injected process.\r\n
rmnsoft.dll injected into ImagingDevices.exe. baidu.com is the address that the malware uses to check connectivity.\r\n
By checking any of the injected processes using the Cybereason platform, we can easily detect the presence of the module (rmnsoft.dll) associated with the Ramnit banking Trojan.\r\n
Ramnit banking Trojan malicious DLL loaded reflectively.\r\n
Command and Control\r\n
As mentioned above, the module (rmnsoft.dll) is responsible for the network ability of the Ramnit banking Trojan.\r\n
The module contains several network functions that allow the malware to initiate a remote connection with a C2 server.\r\n
After the PowerShell script ends its execution, the new process is injected with the Ramnit banking Trojan DLL to collect information about the local system using the CreateToolhelp32Snapshot function. It sends this data to a C2 server using a Domain Generation Algorithm (DGA).\r\n
DGAs are algorithms that periodically generate a large number of domain names that can be used as rendezvous points with C2 servers. They are generally used by malware to evade domain-based firewall controls. Malware that uses a DGA will constantly probe for short-lived, registered domains that match the domains generated by the DGA in order to complete the C2 communication.\r\n
After the injection, Ramnit checks connectivity using several hardcoded, legitimate domains such as baidu.com and google.com. After it verifies the connection externally, it sends data using the DGA.\r\n
The injected process is able to scan the infected machine and map the running processes using the CreateToolhelp32Snapshot function.\r\n
The malware snapshots winlogon.exe during its process.\r\n
Resolved and unresolved DNS queries generated by the injected processes.\r\n
Conclusion\r\n
Our Active Hunting Service was able to detect both the PowerShell script and the malicious use of certutil. Our customer was able to immediately stop the attack using the remediation section of our platform. From there, our hunting team pulled the rest of the attack together and completed the analysis.\r\n
We were able to detect and evaluate an evasive infection technique used to spread a variant of the Ramnit banking Trojan as part of an Italian spam campaign. In our discovery, we highlighted the use of legitimate, built-in products to perform malicious activities through LOLbins, as well as how sLoad operates and installs various payloads. The analysis of the tools and techniques used in the spam campaign shows how truly effective these methods are at evading antivirus products. We anticipate that using the sLoad PowerShell downloader and its variants as an infection vector won’t stop with just delivering Ramnit. It will soon be used to deliver more advanced and sophisticated attacks. This is an example of an undercover, under-the-radar way to attack more effectively, which we see as having dangerous potential in future use.\r\n
As a result of this activity, the customer was able to contain an advanced attack before any damage was done. The Ramnit Trojan was contained, as was the sLoad dropper, which also has a high potential for damage. Persistence was disabled, and the entire attack was halted in its tracks.\r\n
Part of the difficulty in identifying this attack is in how it evades detection. It is difficult to detect, even for security teams aware of the difficulty of ensuring a secure system, as with our customer above. LOLbins are deceptive because their execution seems benign at first. As the use of LOLbins becomes more commonplace, we suspect this complex method of attack will become more common as well. 
The potential for damage will grow, as attackers will look to other, more destructive payloads.\r\n
Indicators of Compromise\r\n
Source: https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan"
	],
	"report_names": [
		"banking-trojan-delivered-by-lolbins-ramnit-trojan"
	],
	"threat_actors": [
		{
			"id": "a3808e4f-c7fd-4d25-aa84-aacc27061826",
			"created_at": "2023-01-06T13:46:39.316216Z",
			"updated_at": "2026-04-10T02:00:03.285437Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "MISPGALAXY:TA554",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9be98f84-4a93-41c7-90bd-3ea66ba5bfd7",
			"created_at": "2022-10-25T16:07:24.581954Z",
			"updated_at": "2026-04-10T02:00:05.040995Z",
			"deleted_at": null,
			"main_name": "TA554",
			"aliases": [
				"TH-163"
			],
			"source_name": "ETDA:TA554",
			"tools": [
				"DarkVNC",
				"Godzilla",
				"Godzilla Loader",
				"Gootkit",
				"Gootloader",
				"Gozi ISFB",
				"ISFB",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Nimnul",
				"Pandemyia",
				"PsiX",
				"PsiXBot",
				"Ramnit",
				"StarsLord",
				"Waldek",
				"Xswkit",
				"sLoad",
				"talalpek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434904,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc45e2de80c00a40bb20085c2b1ffa7eeb009fda.pdf",
		"text": "https://archive.orkl.eu/fc45e2de80c00a40bb20085c2b1ffa7eeb009fda.txt",
		"img": "https://archive.orkl.eu/fc45e2de80c00a40bb20085c2b1ffa7eeb009fda.jpg"
	}
}