
Ramnit


Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, making it a serious threat to businesses and individuals. First spotted in 2010, Ramnit gained popularity after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.

Type: Trojan
Origin: Unknown
First seen: 1 May, 2010
Last seen: 10 October, 2025


IOCs

IP addresses
185.80.53.199
46.165.254.203
13.90.196.81
31.192.107.232
185.31.160.55
95.215.108.213
185.154.52.233
46.165.254.200
164.155.160.223
47.245.8.67
192.155.108.151
192.155.108.148
151.106.5.165
151.106.5.174
192.155.108.153
192.155.108.152
192.155.108.155
151.106.5.170
151.106.5.164
192.155.108.157
Domains
chengduqizhong.58fushi.com
b90182ax.beget.tech
cardboard-box-manufacturers.com
ckkdw.com
119sky.com
ckkdw.cn
bsjx2005.com
flipflopmanufacturers.com
2600199.com
56bf.cn
denglong999.com
586fu.com
duolefan.com
chuanqihj.xyz
flhulan.com
gzyouri.com
grb.ckkdw.cn
gaogandeng1688.com
flzhaoming.com
0516pk.top
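One practical use of the indicator list above is to sweep existing proxy, DNS and firewall logs for contact with the listed infrastructure. The following is an added example, not code from ANY.RUN or from the page: it takes a subset of the IPs and domains listed above, matches them against constructed sample log lines (the log lines and internal hosts are invented for the example), and matches subdomains of a listed domain as well as the domain itself.

```python
import ipaddress
import re

# Subset of the IP and domain IOCs from the page's indicator list
RAMNIT_IPS = {
    "185.80.53.199", "46.165.254.203", "13.90.196.81", "31.192.107.232",
    "185.31.160.55", "95.215.108.213", "185.154.52.233", "46.165.254.200",
    "192.155.108.151", "192.155.108.148", "151.106.5.165", "151.106.5.174",
}
RAMNIT_DOMAINS = {
    "chengduqizhong.58fushi.com", "b90182ax.beget.tech", "ckkdw.com",
    "119sky.com", "ckkdw.cn", "grb.ckkdw.cn", "0516pk.top",
}

# Constructed sample log lines (proxy, DNS and firewall style); not real telemetry
SAMPLE_LOGS = """\
1718000001.123 proxy 10.0.0.5 TCP_MISS/200 512 GET http://ckkdw.com/cfg.bin - DIRECT/46.165.254.203
1718000002.456 proxy 10.0.0.7 TCP_MISS/200 1024 GET http://example.org/ - DIRECT/93.184.216.34
1718000003.789 dns query[A] grb.ckkdw.cn from 10.0.0.9
1718000004.001 dns query[A] www.wikipedia.org from 10.0.0.9
1718000005.222 fw allow 10.0.0.11 -> 151.106.5.165:443
"""

# Dotted quad not embedded in a longer dotted/numeric token
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Hostname-like tokens ending in an alphabetic TLD
DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def indicators_in(line):
    """Return the set of (kind, indicator) pairs found in one log line."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)  # drop malformed quads such as 999.1.1.1
        except ValueError:
            continue
        if ip in RAMNIT_IPS:
            hits.add(("ip", ip))
    for dom in DOMAIN_RE.findall(line):
        labels = dom.lower().split(".")
        # Match the name itself or any parent that is a listed indicator,
        # so a query for sub.ckkdw.cn still hits the ckkdw.cn IOC
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in RAMNIT_DOMAINS:
                hits.add(("domain", candidate))
                break
    return hits


def scan(log_text):
    """Return [(line_number, sorted hits)] for every line touching an IOC."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = indicators_in(line)
        if hits:
            findings.append((n, sorted(hits)))
    return findings


if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {hits}")
```

Because IOC lists age quickly, treat a hit as a trigger for triage (which host, which process, what was downloaded) rather than as proof of infection, and refresh the list from TI Lookup before each sweep.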

What is Ramnit malware

Ramnit emerged in 2010 as a computer virus, initially infecting Windows executable files (EXE, DLL) and HTML files, and later expanding to other file types. Over time it evolved to include the functions of a banking trojan, partly by incorporating elements of the leaked Zeus banking trojan source code in 2011.

Now it focuses on financial data theft and is used for financial fraud, credential theft, remote access, and botnet operations. Besides banking credentials, it is able to steal information for various online accounts.

Figure: Analysis of Ramnit malware in the ANY.RUN sandbox

Ramnit infects and modifies files such as .dll, .exe, and .html on a system to spread itself and establishes backdoors for other malware, providing remote access to attackers. The infected endpoints are added to a botnet for coordinated attacks or further distribution of malware.

Ramnit allows attackers full system control over a device and further propagates through networks, escalating from a single machine infection to an organizational one.


Technical details of Ramnit malware

Ramnit is equipped with extensive malicious capabilities:

  • Ramnit infects legitimate system files, ensuring it reloads on every reboot. It also creates scheduled tasks or modifies autostart registry keys such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  • Man-in-the-browser (MitB) attacks are used to intercept online banking credentials.
  • Fake login forms on legitimate banking sites are displayed via web injects.
  • Ramnit can steal passwords stored in popular browsers including Chrome and Firefox and in Windows Credential Manager.
  • Persistence is supported by infecting legitimate files, making removal difficult without damaging the OS.
  • It logs keystrokes, captures screenshots, and uploads stolen data to C2 servers.
  • Infected endpoints join a massive botnet used in DDoS attacks, spam campaigns, and further malware distribution.
  • It uses SMB exploits and credential dumping techniques to spread across corporate networks.

Ramnit employs advanced evasion tactics to bypass detection: it modifies its code to change its signature with each infection (polymorphism), runs within legitimate system processes (e.g., explorer.exe, svchost.exe), detects virtual machines, encrypts C2 traffic to avoid network detection, and continuously generates new C2 domains.
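The two behaviours most visible in endpoint telemetry are the Run-key persistence described in the capability list and the execution inside explorer.exe or svchost.exe described above. The following is an added example, not code from ANY.RUN or the page: it triages a handful of constructed Sysmon-style events (registry value set, Event ID 13, and CreateRemoteThread, Event ID 8, both represented here as plain dictionaries rather than real Sysmon XML) and flags Run-key writes and remote threads created in system processes from binaries outside trusted directories. The field names mirror Sysmon's, the event contents are invented.

```python
import re
import os

# Autostart keys named on the page, plus RunOnce which sits beside them
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Host processes the page says Ramnit runs inside of
SYSTEM_HOSTS = {"explorer.exe", "svchost.exe", "msiexec.exe"}
# Directories a normal installer or OS component would write from (assumption for this example)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style events; paths and SIDs are invented
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\svchost.exe"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "C:\\Program Files\\Vendor\\tray.exe"},
    {"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"},
]


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def triage(events):
    """Return (rule, severity, summary) tuples for events worth an analyst's attention."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            # Any autostart change is worth recording; a value pointing outside
            # trusted directories (user profile, temp) is the high-severity case
            sev = "low" if is_trusted_path(ev.get("Details", "")) else "high"
            findings.append(("run_key_persistence", sev,
                             f"{ev['Image']} set {ev['TargetObject']} = {ev['Details']}"))
        elif eid == 8 and basename(ev.get("TargetImage", "")) in SYSTEM_HOSTS:
            # Remote thread into explorer/svchost/msiexec from an untrusted binary
            if not is_trusted_path(ev.get("SourceImage", "")):
                findings.append(("remote_thread_into_system_process", "high",
                                 f"{ev['SourceImage']} -> {ev['TargetImage']}"))
    return findings


if __name__ == "__main__":
    for rule, sev, summary in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {summary}")
```

The trusted-directory test is deliberately crude; on a real estate you would pair it with the signer of the writing process and with a baseline of known autostart entries, because legitimate software also writes Run keys and some system components legitimately create threads in svchost.exe.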

The Execution process of Ramnit

To observe Ramnit’s activities in real time, we can detonate it in the safe environment of ANY.RUN’s Interactive Sandbox.

Figure: Analysis of a Ramnit process in the ANY.RUN sandbox

Ramnit typically spreads via phishing campaigns that use multi-stage malware. When a victim opens the initial payload, it downloads additional components and installs the trojan. Once active, Ramnit harvests financial credentials and other sensitive data (e.g., social media and email credentials).

After installation, Ramnit connects to its command and control (C&C) servers and often uses a domain generation algorithm (DGA), which creates random domain names to evade DNS blocklists. The C&C server uses the same DGA to register and manage these domains, making Ramnit harder to disrupt.
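Because the C&C domains change constantly, a blocklist alone does not keep up, and defenders instead look for the side effects of a DGA in DNS logs: long, high-entropy, consonant-heavy names and bursts of NXDOMAIN answers from one client as the bot walks through candidates that nobody registered. The following is an added example, not code from ANY.RUN or the page, and it implements a generic DGA-likeness heuristic, not Ramnit's own generation algorithm: it scores each queried name and flags clients with repeated NXDOMAIN answers for suspicious names. The log lines are constructed for the example, and the "registrable domain" helper assumes a simple two-label suffix rather than a public-suffix list.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed DNS log lines: "<client> <rcode> <qname>"; not real telemetry
SAMPLE_DNS = """\
10.0.0.9 NXDOMAIN qwpzkxjvhtrmlnq.com
10.0.0.9 NXDOMAIN xkrtvbnmplqzwsd.com
10.0.0.9 NXDOMAIN hjklpqzxcvbnmrt.com
10.0.0.9 NOERROR google.com
10.0.0.12 NXDOMAIN typo-of-example.com
10.0.0.12 NOERROR mail.example.org
"""


def sld_label(domain):
    """Second-level label, assuming a two-label registrable domain (simplification)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(domain):
    """0..4: one point each for long label, high entropy, few vowels, many digits."""
    label = sld_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    score = 0
    if len(label) >= 12:
        score += 1
    if entropy(label) >= 3.5:
        score += 1
    if vowel_ratio < 0.25:
        score += 1
    if sum(ch.isdigit() for ch in label) >= 3:
        score += 1
    return score


def suspicious_clients(log_text, min_score=2, min_hits=3):
    """Clients with at least min_hits distinct NXDOMAIN names scoring >= min_score."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, rcode, qname = parts
        if rcode == "NXDOMAIN" and dga_score(qname) >= min_score:
            hits[client].add(qname.lower())
    return sorted(c for c, names in hits.items() if len(names) >= min_hits)


if __name__ == "__main__":
    for line in SAMPLE_DNS.splitlines():
        print(line, "->", dga_score(line.split()[2]))
    print("suspicious clients:", suspicious_clients(SAMPLE_DNS))
```

Note that the domain IOCs listed earlier on this page look like ordinary registered sites rather than algorithmically generated names, so this heuristic complements the indicator sweep instead of replacing it; tune the thresholds against your own resolver's baseline, since CDN and telemetry hostnames can also score high on entropy.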

Figure: Detection of a Ramnit network connection in the ANY.RUN sandbox

Ramnit’s modular design lets it download extra modules as needed. It can inject malicious code into browsers, often during online banking sessions, to steal data in real time. To evade detection, it uses techniques like process hollowing, injecting code into legitimate processes such as msiexec.exe and explorer.exe. It can also fetch a VNC module for remote access.

Finally, Ramnit creates a proxy network of infected machines, relaying malicious traffic through multiple hosts to hide attacker activity. Overall, its execution chain relies on phishing-based distribution, DGA-powered C&C communication, modular expansion, and proxy networks to evade detection and facilitate broader attacks.


Gather Cyber Threat Intelligence on Ramnit Malware

Use Threat Intelligence Lookup to get a comprehensive picture of recent Ramnit activity and collect up-to-date indicators of the threat for setting up preemptive defenses. With over 40 search parameters, including IPs, domains, file names, and process artifacts, you can extract data from Ramnit malware samples analyzed in ANY.RUN's Interactive Sandbox by a huge community of security experts.

Leverage TI feeds to track C2 infrastructure and malware hashes, monitor Ramnit's evolving tactics via MITRE ATT&CK mappings, and protect your business from financial and reputational loss.

Figure: Recent Ramnit samples in ANY.RUN's TI Lookup

For example, submitting the query threatName:"ramnit" will provide you with the latest public sandbox reports on Ramnit samples.


Ramnit malware distribution methods

Ramnit spreads through multiple infection vectors, making it highly persistent and difficult to eradicate. It is delivered via phishing emails containing malicious Word, Excel, or PDF documents with embedded macros or exploit code. Users are also infected when visiting compromised websites that host exploit kits targeting browser vulnerabilities.

Ramnit has also been dropped by other malware families, including Emotet and Dridex, to expand its botnet.

It can also spread via USB drives, SMB shares, and network infections, bypassing internet-facing defenses.

Conclusion

The hybrid capabilities of Ramnit make it an especially serious threat to organizations worldwide. It can function as a banking trojan, worm, RAT, and credential stealer simultaneously. To avoid a Ramnit infection, make sure to introduce proper preventive security measures.

One of the essential tools to help you identify Ramnit early is a malware sandbox. ANY.RUN provides an interactive malware sandbox that lets you safely detonate suspicious files and URLs in a fully functional virtual environment. The service helps you quickly detect cyber threats and collect the critical data needed to prevent them from affecting your infrastructure.

Sign up for a free ANY.RUN account now to try advanced malware analysis.
