Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Ramnit

66
Global rank
98 infographic chevron month
Month rank
103 infographic chevron week
Week rank
0
IOCs

Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.

Trojan
Type
Unknown
Origin
1 May, 2010
First seen
31 October, 2025
Last seen

How to analyze Ramnit with ANY.RUN

Type
Unknown
Origin
1 May, 2010
First seen
31 October, 2025
Last seen

IOCs

IP addresses
185.80.53.199
46.165.254.203
13.90.196.81
31.192.107.232
185.31.160.55
95.215.108.213
185.154.52.233
46.165.254.200
164.155.160.223
47.245.8.67
192.155.108.151
192.155.108.148
151.106.5.165
151.106.5.174
192.155.108.153
192.155.108.152
192.155.108.155
151.106.5.170
151.106.5.164
192.155.108.157
Hashes
b44e9e12d89090ff2d7786e95d53dbeac7a92492c8379fc07bd22e45ec125b5d
76ffe5e402889e8e95721819160e7b5482fd3d549893604784f5917b0521f93f
1a8c0e53d42df3d0dc4bf148e10a1d8bf931fadced797873617dd1864106e630
5e1ee07b736f1635fcf0edb26244a192614b9ba99827c1d3e4d2956c43de1c5f
c1ec66760930afe69b006de477d8bed4d9d6d4b1db9df192b2739800619dd964
8e110382fff23d9810a99c1679d072e68b781d1df344e3a6b4233f1cb62057fd
ed041d026673fbff15949146e56ae5bbe9a1154c8029f178ba579d0417931998
084cf8aeb40dda3bf733eb263ea227f8a838ece199b48460910e9ff2a28d8f96
4e9e525ee4c30f4928a649791bf0f575b5573c7262000b73e64a2991463d7557
cc146a4474602b27935d36aceda415149218d42caf3baff60c309544e73a6d77
c270d2e0fbae251b0b2297e544d9667057fecfef7c95296ab1d7436e595c4800
7dec40a48b029de50868b1a85573fd1d566084d0ee4935acfb30887e30d1de06
965b195444986a4b761ac923e706dcdbfe293034a997f9c3086a6dd715187ddf
96b0b600677b1957b15c0be532d467f199cc9d979ec5338cc749ade1f22cfc64
0cac8f87e42ab303a4d0c255e7cd6817a1a8fb9c93ac85ab1a2b0ebea25d6cfa
33abc58dda281c7d56ec6a2bc44e542b15e634ba36837498f74f8ba913904132
3e0d9685c8e0bf52b13f2330a3167b049ba3da137da7a54483b7fd42018c5e5e
18d6a66f32480113444a156731359f6416337d549b4399f6211cd65f09aa3b53
93bdf7d92badaa3198010ce430bedb12fb710e091fe6a481e8f9a22b05999830
e1b4dc1a419e73795e791969e0a11770e52adb5ed58414b51ba9e16e46ce906b
Domains
chengduqizhong.58fushi.com
cardboard-box-manufacturers.com
gzyouri.com
ckkdw.com
119sky.com
ckkdw.cn
grb.ckkdw.cn
internetgyp.com
56bf.cn
586fu.com
duolefan.com
flipflopmanufacturers.com
halfearth.com
bsjx2005.com
hcwlzx.top
lemeifan.com
kinhely.com
kaxiwen.com
js.anyixueche.com
0516pk.top
Last Seen at
Last Seen at

Recent blog posts

post image
What is a Malware Sandbox? Everything SOC Ana...
watchers 401
comments 0
post image
Major Cyber Attacks in October 2025: Phishing...
watchers 2939
comments 0
post image
5 SOC Challenges and How Threat Intelligence...
watchers 487
comments 0

What is Ramnit malware

Ramnit emerged in 2010 as a computer virus, initially infecting Windows executable files (EXE, DLL), HTML files, and later expanding to target other file types. Over time, it has evolved to include the functions of a banking trojan, inter alia by incorporating elements from the Zeus banking trojan's source code in 2011.

Now it focuses on financial data theft and is used for financial fraud, credential theft, remote access, and botnet operations. Besides banking credentials, it is able to steal information for various online accounts.

Ramnit analysis in the ANY.RUN Sandbox Analysis of Ramnit malware in the ANY.RUN sandbox

View Ramnit analysis inside ANY.RUN's Interactive sandbox

Ramnit infects and modifies files such as .dll, .exe, and .html on a system to spread itself and establishes backdoors for other malware, providing remote access to attackers. The infected endpoints are added to a botnet for coordinated attacks or further distribution of malware.

Ramnit allows attackers full system control over a device and further propagates through networks, escalating from a single machine infection to an organizational one.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of Ramnit malware

Ramnit is equipped with extensive malicious capabilities:

  • Ramnit infects legitimate system files, ensuring it reloads on every reboot. It creates scheduled tasks or modifies registry keys like (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
  • Man-in-the-browser (MitB) attacks are used to intercept online banking credentials.
  • Fake login forms on legitimate banking sites are displayed via web injects.
  • Ramnit can steal passwords stored in popular browsers including Chrome and Firefox and in Windows Credential Manager.
  • Persistence is supported by infecting legitimate files, making removal difficult without damaging the OS.
  • It logs keystrokes, captures screenshots, and uploads stolen data to C2 servers.
  • Infected endpoints join a massive botnet used in DDoS attacks, spam campaigns, and further malware distribution.
  • Uses SMB exploits and credential dumping techniques to spread across corporate networks.

Ramnit employs advanced evasion tactics to bypass detection: modifies its code to change its signature with each infection (polymorphism); runs within legitimate system processes (e.g., explorer.exe, svchost.exe); detects virtual machines; encrypts C2 traffic to avoid network detection; continuously generates new C2 domains.

The Execution process of Ramnit

To observe Ramnit’s activities in real time, we can detonate it in the safe environment of ANY.RUN’s Interactive Sandbox.

View analysis

Ramnit analysis in the ANY.RUN Sandbox Analysis of a Ramnit process in the ANY.RUN sandbox

Ramnit typically spreads via phishing campaigns that use multi-stage malware. When a victim opens the initial payload, it downloads additional components and installs the Trojan. Once active, Ramnit harvests financial credentials and other sensitive data (e.g., social media and email).

After installation, Ramnit connects to its command and control (C&C) servers and often uses a domain generation algorithm (DGA), which creates random domain names to evade DNS blocklists. The C&C server uses the same DGA to register and manage these domains, making Ramnit harder to disrupt.

Ramnit analysis in the ANY.RUN Sandbox Detection of Ramnit network connection in the ANY.RUN sandbox

Ramnit’s modular design lets it download extra modules as needed. It can inject malicious code into browsers—often during online banking sessions — to steal data in real time. To evade detection, it uses techniques like process hollowing, injecting code into legitimate processes like “msiexec.exe” and “explorer.exe.” It can also fetch a VNC module for remote access.

Finally, Ramnit creates a proxy network of infected machines, relaying malicious traffic through multiple hosts to hide attacker activity. Overall, its execution chain relies on phishing-based distribution, DGA-powered C&C communication, modular expansion, and proxy networks to evade detection and facilitate broader attacks.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gather Cyber Threat Intelligence on Ramnit Ransomware

Use Threat Intelligence Lookup to get a comprehensive picture of recent Ramnit activity and collect up-to-date indicators of the threat for setting up preemptive defenses. With over 40 search parameters, including IPs, domains, file names, and process artifacts, you can extract data from Ramnit malware samples analyzed in ANY.RUN's Interactive Sandbox by a huge community of security experts.

Leverage TI feeds to track C2 infrastructure, malware hashes, keep a watch over evolving tactics of Ramnit via MITRE ATT&CK mappings, and protect your business from financial and reputational loss.

Ramnit analysis in ANY.RUN's TI Lookup Recent Ramnit samples in ANY.RUN's TI Lookup

For example, submitting the query threaName:"ramnit" will provide you with the latest public sandbox reports on Ramnit samples.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Ramnit malware distribution methods

Ramnit spreads through multiple infection vectors, making it highly persistent and difficult to eradicate. It is delivered via phishing emails containing malicious Word, Excel, or PDF documents with embedded macros or exploit code. Users are infected when visiting compromised websites that host exploit kits targeting browser vulnerabilities.

Besides, Ramnit has been dropped by other malware families, including Emotet and Dridex, to expand its botnet.

It also can spread via USB drives, SMB shares, and network infections, bypassing internet defenses.

Conclusion

Hybrid capabilities of Ramnit make it an especially serious threat to organizations worldwide. It can function as a banking trojan, worm, RAT, and credential stealer simultaneously. To avoid suffering from Ramnit infection, make sure to introduce proper preventive security measures.

One of the essentials tools to help you identify Ramnit early is a malware sandbox. ANY.RUN provides an interactive malware sandbox that lets you safely detonate suspicious files and URLs in a fully functional virtual environment. The service helps you quickly detect cyber threats and collect critical data needed to prevent them from affecting your infrastructure.

Sign up for a free ANY.RUN account now to try advanced malware analysis.

HAVE A LOOK AT

Xeno RAT screenshot
Xeno RAT
xenorat
Xeno RAT is an open-source malware mainly distributed through drive-by downloads. The core capabilities of this threat include remote control, keystroke logging, webcam and microphone access. Equipped with advanced utilities, such as Hidden Virtual Network Computing and Socks5 reverse proxy, Xeno RAT is most frequently used in attacks against individual users.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Botnet screenshot
Botnet
botnet
A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.
Read More
Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More
Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More
DragonForce screenshot
DragonForce
dragonforce
DragonForce is a ransomware strain operating under the Ransomware-as-a-Service (RaaS) model. First reported in December 2023, it encrypts files with ChaCha8, renames them with random strings, and appends “.dragonforce_encrypted.” By disabling backups, wiping recovery, and spreading across SMB shares, DragonForce maximizes damage and pressures victims into multimillion-dollar ransom negotiations. It has targeted manufacturing, construction, IT, healthcare, and retail sectors worldwide, making it a severe threat to modern enterprises.
Read More