Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Ramnit

53
Global rank
67 infographic chevron month
Month rank
71 infographic chevron week
Week rank
0
IOCs

Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.

Trojan
Type
Unknown
Origin
1 May, 2010
First seen
24 April, 2025
Last seen

How to analyze Ramnit with ANY.RUN

Type
Unknown
Origin
1 May, 2010
First seen
24 April, 2025
Last seen

IOCs

IP addresses
185.80.53.199
195.201.179.207
46.165.254.203
13.90.196.81
31.192.107.232
185.31.160.55
185.154.52.233
95.215.108.213
46.165.254.200
164.155.160.223
47.245.8.67
192.155.108.151
192.155.108.148
151.106.5.174
192.155.108.153
151.106.5.165
192.155.108.152
192.155.108.155
151.106.5.170
151.106.5.164
Domains
severug.com
asxlemnbyioy.com
fwllkforvkuqjclvy.com
lcddsotgdgqoba.com
cmdptnkxqgxxtbk.com
barmfrpkvhohj.com
famous-zopa.com
lntxwsbivuiwiymt.com
ymkdsynulihl.com
bpoungre.com
jyokjogwr.com
lajlfdbqqr.com
ntmhavejb.com
fmtqkxcirxxgbupuxq.com
xtnpcdvpk.com
ttploevnivtsybduyb.com
rqdumbol.com
kjtrmwnxbk.com
bvwecxcfobr.com
jrkaxdlkvhgsiyknhw.com
Last Seen at

Recent blog posts

post image
How Threat Intelligence Feeds Help During Inc...
watchers 667
comments 0
post image
PE32 Ransomware: A New Telegram-Based Threat...
watchers 3440
comments 0
post image
Seamlessly Integrate ANY.RUN’s Services into...
watchers 519
comments 0

What is Ramnit malware

Ramnit emerged in 2010 as a computer virus, initially infecting Windows executable files (EXE, DLL), HTML files, and later expanding to target other file types. Over time, it has evolved to include the functions of a banking trojan, inter alia by incorporating elements from the Zeus banking trojan's source code in 2011.

Now it focuses on financial data theft and is used for financial fraud, credential theft, remote access, and botnet operations. Besides banking credentials, it is able to steal information for various online accounts.

Ramnit analysis in the ANY.RUN Sandbox Analysis of Ramnit malware in the ANY.RUN sandbox

View Ramnit analysis inside ANY.RUN's Interactive sandbox

Ramnit infects and modifies files such as .dll, .exe, and .html on a system to spread itself and establishes backdoors for other malware, providing remote access to attackers. The infected endpoints are added to a botnet for coordinated attacks or further distribution of malware.

Ramnit allows attackers full system control over a device and further propagates through networks, escalating from a single machine infection to an organizational one.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of Ramnit malware

Ramnit is equipped with extensive malicious capabilities:

  • Ramnit infects legitimate system files, ensuring it reloads on every reboot. It creates scheduled tasks or modifies registry keys like (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
  • Man-in-the-browser (MitB) attacks are used to intercept online banking credentials.
  • Fake login forms on legitimate banking sites are displayed via web injects.
  • Ramnit can steal passwords stored in popular browsers including Chrome and Firefox and in Windows Credential Manager.
  • Persistence is supported by infecting legitimate files, making removal difficult without damaging the OS.
  • It logs keystrokes, captures screenshots, and uploads stolen data to C2 servers.
  • Infected endpoints join a massive botnet used in DDoS attacks, spam campaigns, and further malware distribution.
  • Uses SMB exploits and credential dumping techniques to spread across corporate networks.

Ramnit employs advanced evasion tactics to bypass detection: modifies its code to change its signature with each infection (polymorphism); runs within legitimate system processes (e.g., explorer.exe, svchost.exe); detects virtual machines; encrypts C2 traffic to avoid network detection; continuously generates new C2 domains.

The Execution process of Ramnit

To observe Ramnit’s activities in real time, we can detonate it in the safe environment of ANY.RUN’s Interactive Sandbox.

View analysis

Ramnit analysis in the ANY.RUN Sandbox Analysis of a Ramnit process in the ANY.RUN sandbox

Ramnit typically spreads via phishing campaigns that use multi-stage malware. When a victim opens the initial payload, it downloads additional components and installs the Trojan. Once active, Ramnit harvests financial credentials and other sensitive data (e.g., social media and email).

After installation, Ramnit connects to its command and control (C&C) servers and often uses a domain generation algorithm (DGA), which creates random domain names to evade DNS blocklists. The C&C server uses the same DGA to register and manage these domains, making Ramnit harder to disrupt.

Ramnit analysis in the ANY.RUN Sandbox Detection of Ramnit network connection in the ANY.RUN sandbox

Ramnit’s modular design lets it download extra modules as needed. It can inject malicious code into browsers—often during online banking sessions — to steal data in real time. To evade detection, it uses techniques like process hollowing, injecting code into legitimate processes like “msiexec.exe” and “explorer.exe.” It can also fetch a VNC module for remote access.

Finally, Ramnit creates a proxy network of infected machines, relaying malicious traffic through multiple hosts to hide attacker activity. Overall, its execution chain relies on phishing-based distribution, DGA-powered C&C communication, modular expansion, and proxy networks to evade detection and facilitate broader attacks.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gather Cyber Threat Intelligence on Ramnit Ransomware

Use Threat Intelligence Lookup to get a comprehensive picture of recent Ramnit activity and collect up-to-date indicators of the threat for setting up preemptive defenses. With over 40 search parameters, including IPs, domains, file names, and process artifacts, you can extract data from Ramnit malware samples analyzed in ANY.RUN's Interactive Sandbox by a huge community of security experts.

Leverage TI feeds to track C2 infrastructure, malware hashes, keep a watch over evolving tactics of Ramnit via MITRE ATT&CK mappings, and protect your business from financial and reputational loss.

Ramnit analysis in ANY.RUN's TI Lookup Recent Ramnit samples in ANY.RUN's TI Lookup

For example, submitting the query threaName:"ramnit" will provide you with the latest public sandbox reports on Ramnit samples.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Ramnit malware distribution methods

Ramnit spreads through multiple infection vectors, making it highly persistent and difficult to eradicate. It is delivered via phishing emails containing malicious Word, Excel, or PDF documents with embedded macros or exploit code. Users are infected when visiting compromised websites that host exploit kits targeting browser vulnerabilities.

Besides, Ramnit has been dropped by other malware families, including Emotet and Dridex, to expand its botnet.

It also can spread via USB drives, SMB shares, and network infections, bypassing internet defenses.

Conclusion

Hybrid capabilities of Ramnit make it an especially serious threat to organizations worldwide. It can function as a banking trojan, worm, RAT, and credential stealer simultaneously. To avoid suffering from Ramnit infection, make sure to introduce proper preventive security measures.

One of the essentials tools to help you identify Ramnit early is a malware sandbox. ANY.RUN provides an interactive malware sandbox that lets you safely detonate suspicious files and URLs in a fully functional virtual environment. The service helps you quickly detect cyber threats and collect critical data needed to prevent them from affecting your infrastructure.

Sign up for a free ANY.RUN account now to try advanced malware analysis.

HAVE A LOOK AT

Zloader screenshot
Zloader
zloader trojan loader
Zloader is a banking trojan that uses webinjects and VNC clients to still banking credentials. This Trojan is based on leaked code from 2011, but despite its age, Zloader’s popularity has been only increasing through early 2020, when it relied on COVID-19 themed attacks.
Read More
Quasar RAT screenshot
Quasar RAT
quasar trojan rat
Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.
Read More
Rootkit screenshot
Rootkit
rootkit bootkit
A rootkit is a type of malicious software designed to provide unauthorized administrative-level access to a computer or network while concealing its presence. Rootkits are tools used by cybercriminals to hide their activities, including keyloggers, spyware, and other malware, often enabling long-term system exploitation.
Read More