Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Ramnit

51
Global rank
60 infographic chevron month
Month rank
54 infographic chevron week
Week rank
0
IOCs

Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.

Trojan
Type
Unknown
Origin
1 May, 2010
First seen
22 March, 2025
Last seen

How to analyze Ramnit with ANY.RUN

Type
Unknown
Origin
1 May, 2010
First seen
22 March, 2025
Last seen

IOCs

IP addresses
185.80.53.199
195.201.179.207
46.165.254.203
13.90.196.81
31.192.107.232
185.31.160.55
95.215.108.213
185.154.52.233
46.165.254.200
194.67.71.17
164.155.160.223
47.245.8.67
192.155.108.151
192.155.108.148
151.106.5.174
151.106.5.165
192.155.108.152
192.155.108.153
192.155.108.155
151.106.5.170
Domains
fwllkforvkuqjclvy.com
lcddsotgdgqoba.com
asxlemnbyioy.com
cmdptnkxqgxxtbk.com
jyokjogwr.com
barmfrpkvhohj.com
famous-zopa.com
lntxwsbivuiwiymt.com
bpoungre.com
ymkdsynulihl.com
lajlfdbqqr.com
ttploevnivtsybduyb.com
ntmhavejb.com
fmtqkxcirxxgbupuxq.com
xtnpcdvpk.com
rqdumbol.com
kjtrmwnxbk.com
bvwecxcfobr.com
jrkaxdlkvhgsiyknhw.com
fjicwyuyyppsei.com
Last Seen at

Recent blog posts

post image
TI Lookup Named Best Threat Intelligence Serv...
watchers 384
comments 0
post image
Decoding a Malware Analyst: Essential Skills...
watchers 444
comments 0
post image
Expose Android Malware in Seconds: ANY.RUN Sa...
watchers 3022
comments 0

What is Ramnit malware

Ramnit emerged in 2010 as a computer virus, initially infecting Windows executable files (EXE, DLL), HTML files, and later expanding to target other file types. Over time, it has evolved to include the functions of a banking trojan, inter alia by incorporating elements from the Zeus banking trojan's source code in 2011.

Now it focuses on financial data theft and is used for financial fraud, credential theft, remote access, and botnet operations. Besides banking credentials, it is able to steal information for various online accounts.

Ramnit analysis in the ANY.RUN Sandbox Analysis of Ramnit malware in the ANY.RUN sandbox

View Ramnit analysis inside ANY.RUN's Interactive sandbox

Ramnit infects and modifies files such as .dll, .exe, and .html on a system to spread itself and establishes backdoors for other malware, providing remote access to attackers. The infected endpoints are added to a botnet for coordinated attacks or further distribution of malware.

Ramnit allows attackers full system control over a device and further propagates through networks, escalating from a single machine infection to an organizational one.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of Ramnit malware

Ramnit is equipped with extensive malicious capabilities:

  • Ramnit infects legitimate system files, ensuring it reloads on every reboot. It creates scheduled tasks or modifies registry keys like (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
  • Man-in-the-browser (MitB) attacks are used to intercept online banking credentials.
  • Fake login forms on legitimate banking sites are displayed via web injects.
  • Ramnit can steal passwords stored in popular browsers including Chrome and Firefox and in Windows Credential Manager.
  • Persistence is supported by infecting legitimate files, making removal difficult without damaging the OS.
  • It logs keystrokes, captures screenshots, and uploads stolen data to C2 servers.
  • Infected endpoints join a massive botnet used in DDoS attacks, spam campaigns, and further malware distribution.
  • Uses SMB exploits and credential dumping techniques to spread across corporate networks.

Ramnit employs advanced evasion tactics to bypass detection: modifies its code to change its signature with each infection (polymorphism); runs within legitimate system processes (e.g., explorer.exe, svchost.exe); detects virtual machines; encrypts C2 traffic to avoid network detection; continuously generates new C2 domains.

The Execution process of Ramnit

To observe Ramnit’s activities in real time, we can detonate it in the safe environment of ANY.RUN’s Interactive Sandbox.

View analysis

Ramnit analysis in the ANY.RUN Sandbox Analysis of a Ramnit process in the ANY.RUN sandbox

Ramnit typically spreads via phishing campaigns that use multi-stage malware. When a victim opens the initial payload, it downloads additional components and installs the Trojan. Once active, Ramnit harvests financial credentials and other sensitive data (e.g., social media and email).

After installation, Ramnit connects to its command and control (C&C) servers and often uses a domain generation algorithm (DGA), which creates random domain names to evade DNS blocklists. The C&C server uses the same DGA to register and manage these domains, making Ramnit harder to disrupt.

Ramnit analysis in the ANY.RUN Sandbox Detection of Ramnit network connection in the ANY.RUN sandbox

Ramnit’s modular design lets it download extra modules as needed. It can inject malicious code into browsers—often during online banking sessions — to steal data in real time. To evade detection, it uses techniques like process hollowing, injecting code into legitimate processes like “msiexec.exe” and “explorer.exe.” It can also fetch a VNC module for remote access.

Finally, Ramnit creates a proxy network of infected machines, relaying malicious traffic through multiple hosts to hide attacker activity. Overall, its execution chain relies on phishing-based distribution, DGA-powered C&C communication, modular expansion, and proxy networks to evade detection and facilitate broader attacks.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gather Cyber Threat Intelligence on Ramnit Ransomware

Use Threat Intelligence Lookup to get a comprehensive picture of recent Ramnit activity and collect up-to-date indicators of the threat for setting up preemptive defenses. With over 40 search parameters, including IPs, domains, file names, and process artifacts, you can extract data from Ramnit malware samples analyzed in ANY.RUN's Interactive Sandbox by a huge community of security experts.

Leverage TI feeds to track C2 infrastructure, malware hashes, keep a watch over evolving tactics of Ramnit via MITRE ATT&CK mappings, and protect your business from financial and reputational loss.

Ramnit analysis in ANY.RUN's TI Lookup Recent Ramnit samples in ANY.RUN's TI Lookup

For example, submitting the query threaName:"ramnit" will provide you with the latest public sandbox reports on Ramnit samples.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Ramnit malware distribution methods

Ramnit spreads through multiple infection vectors, making it highly persistent and difficult to eradicate. It is delivered via phishing emails containing malicious Word, Excel, or PDF documents with embedded macros or exploit code. Users are infected when visiting compromised websites that host exploit kits targeting browser vulnerabilities.

Besides, Ramnit has been dropped by other malware families, including Emotet and Dridex, to expand its botnet.

It also can spread via USB drives, SMB shares, and network infections, bypassing internet defenses.

Conclusion

Hybrid capabilities of Ramnit make it an especially serious threat to organizations worldwide. It can function as a banking trojan, worm, RAT, and credential stealer simultaneously. To avoid suffering from Ramnit infection, make sure to introduce proper preventive security measures.

One of the essentials tools to help you identify Ramnit early is a malware sandbox. ANY.RUN provides an interactive malware sandbox that lets you safely detonate suspicious files and URLs in a fully functional virtual environment. The service helps you quickly detect cyber threats and collect critical data needed to prevent them from affecting your infrastructure.

Sign up for a free ANY.RUN account now to try advanced malware analysis.

HAVE A LOOK AT

PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
Ransomware screenshot
Ransomware
ransomware
Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More
Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More