LOLbins and trojans: How the Ramnit Trojan spreads via sLoad in a cyberattack
Common Information

Type                               Value
UUID                               3612b5a3-94ca-4361-a6e0-206d63e9f0a5
Fingerprint                        10830c480977a681
Analysis status                    DONE
Considered CTI value               2
Text language
Published                          Jan. 3, 2019, midnight
Added to db                        Sept. 26, 2022, 9:30 a.m.
Last updated                       Nov. 17, 2024, 6:56 p.m.
Headline                           LOLbins and trojans: How the Ramnit Trojan spreads via sLoad in a cyberattack
Title                              LOLbins and trojans: How the Ramnit Trojan spreads via sLoad in a cyberattack
Detected Hints/Tags/Attributes     113/4/84
Attributes

Type        Value                                               #Events
File        documento-aggiornato-fmv-61650861.zip               1
File        oyczpsgnefvqnw.ps1                                  1
File        vmcprayw.vbs                                        1
File        config.ini                                          68
File        web.ini                                             3
File        vmcprayw.ps1                                        1
File        f.ini                                               2
File        certutil.exe                                        226
File        _uwbwklrfyetxgjtv.exe                               1
File        _uwbwklrfyetxgjtv.txt                               1
File        _uwbwklrfyetxgjtv_1.txt                             1
File        wmiprvse.exe                                        142
File        mikshpri.vbs                                        1
File        phnjyubk.ps1                                        1
File        ibgqbamp.txt                                        1
File        invoke-reflectivepeinjection.ps1                    8
File        runtimecheck.dll                                    1
File        rmnsoft.dll                                         4
File        check.dll                                           1
File        imagingdevices.exe                                  14
File        wab.exe                                             12
File        wabimg.exe                                          2
File        wmplayer.exe                                        16
File        wordpad.exe                                         90
File        ramnsoft.dll                                        1
File        winlogon.exe                                        212
File        documento-aggiornato-pj-27760855kd.zip              1
File        documento-aggiornato-dk-ddevwcuz.zip                1
File        documento-aggiornato-5d-md2ow1.zip                  1
File        documento-aggiornato-novembre-vss-6639623058.zip    1
File        documento-aggiornato-vx-sr8uvbgb.zip                1
File        documento-aggiornato-novembre-ijm0006480.zip        1
File        documento-aggiornato-tr000022023.zip                1
File        documento-aggiornato-dq00091395.zip                 1
File        documento-aggiornato-novembre-zn000986350.zip       1
IPv4        185.197.75.10                                       2
MITRE ATT&CK Technique   T1047                                  310
Url         https://levashekhtman.com/assistenza-amministrativa/documento-aggiornato-fmv-61650861    1