URL:

http://dmkt-sp.top/

Full analysis: https://app.any.run/tasks/584f93f5-2a72-43d5-b3a5-29c527090061
Verdict: Malicious activity
Threats:

Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.

Malware Trends Tracker     >>>
Analysis date: August 08, 2019, 10:13:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ramnit
Indicators:
MD5:

C06C821A4B9A9BB3CBA6C65EC8F3E462

SHA1:

E4892E98307D9CD9D4A42A0C4644592A173EA8B5

SHA256:

F0DD6C14BFC98CDC5DD6DDE94DED9BCE56CAD7B62B886A5899881170DAF3EFDD

SSDEEP:

3:N1KaIORp:CazL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • RAMNIT was detected

      • iexplore.exe (PID: 3220)

  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3112)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3220)

    • Changes internet zones settings

      • iexplore.exe (PID: 3988)

    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3112)
      • iexplore.exe (PID: 3220)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe #RAMNIT iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3112C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code:
0
Version:
26,0,0,131
Modules
Images
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3220"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3988 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3988"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
564
Read events
462
Write events
100
Delete events
2

Modification events

(PID) Process:(3988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(3988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{25CBB9BB-B9C5-11E9-9885-5254004A04AF}
Value:
0
(PID) Process:(3988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(3988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
2
(PID) Process:(3988) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E3070800040008000A000D0016005E00
Executable files
0
Suspicious files
0
Text files
48
Unknown types
8

Dropped files

PID
Process
Filename
Type
3988iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
3988iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3220iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:
SHA256:
3220iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DATsmt
MD5:
SHA256:
3988iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
3220iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SN998937\background_gradient[1]image
MD5:20F0110ED5E4E0D5384A496E4880139B
SHA256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
3220iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\69DLFR0S\httpErrorPagesScripts[1]text
MD5:E7CA76A3C9EE0564471671D500E3F0F3
SHA256:58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C
3220iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YNK0QUWZ\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3220iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SN998937\ErrorPageTemplate[1]text
MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
SHA256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
3220iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8QHF11JD\noConnect[1]image
MD5:3CB8FACCD5DE434D415AB75C17E8FD86
SHA256:6976C426E3AC66D66303C114B22B2B41109A7DE648BA55FFC3E5A53BD0DB09E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
18
DNS requests
11
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3220
iexplore.exe
GET
200
45.249.62.123:80
http://dmkt-sp.top/picture/footer_copyright.png
HK
image
4.02 Kb
malicious
3220
iexplore.exe
GET
200
45.249.62.123:80
http://dmkt-sp.top/
HK
html
65.6 Kb
malicious
3220
iexplore.exe
GET
200
45.249.62.123:80
http://dmkt-sp.top/images/bg_spring.png
HK
image
102 b
malicious
3988
iexplore.exe
GET
200
45.249.62.123:80
http://dmkt-sp.top/favicon.ico
HK
image
13.3 Kb
malicious
3988
iexplore.exe
GET
200
45.249.62.123:80
http://dmkt-sp.top/favicon.ico
HK
image
13.3 Kb
malicious
3220
iexplore.exe
GET
200
45.249.62.123:80
http://dmkt-sp.top/js/auth_validation_v5.js
HK
text
8.61 Kb
malicious
3220
iexplore.exe
GET
200
45.249.62.123:80
http://dmkt-sp.top/css/auth_layout_v5_pc.css
HK
text
7.62 Kb
malicious
3220
iexplore.exe
GET
200
45.249.62.123:80
http://dmkt-sp.top/css/auth_layout_v5_style.css
HK
text
20.9 Kb
malicious
3220
iexplore.exe
GET
200
45.249.62.123:80
http://dmkt-sp.top/js/auth_idfps-ij0002_v6.js
HK
text
17.1 Kb
malicious
3220
iexplore.exe
GET
200
45.249.62.123:80
http://dmkt-sp.top/js/auth_dispctl_v2.js
HK
text
738 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3988
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3220
iexplore.exe
45.249.62.123:80
dmkt-sp.top
Vanta Telecommunications Limited
HK
malicious
3220
iexplore.exe
172.217.21.206:80
www.google-analytics.com
Google Inc.
US
whitelisted
3988
iexplore.exe
45.249.62.123:80
dmkt-sp.top
Vanta Telecommunications Limited
HK
malicious
3220
iexplore.exe
216.58.206.8:80
www.googletagmanager.com
Google Inc.
US
whitelisted
3220
iexplore.exe
49.102.154.13:443
id.smt.docomo.ne.jp
NTT DOCOMO, INC.
JP
unknown
3220
iexplore.exe
43.224.153.168:80
www.support-01.info
SG
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
dmkt-sp.top
  • 45.249.62.123
malicious
dns.msftncsi.com
  • 131.107.255.255
shared
www.google-analytics.com
  • 172.217.21.206
whitelisted
www.googletagmanager.com
  • 216.58.206.8
whitelisted
id.smt.docomo.ne.jp
  • 49.102.154.13
unknown
www.support-01.info
  • 43.224.153.168
unknown

Threats

PID
Process
Class
Message
1064
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
3220
iexplore.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
3220
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1
3220
iexplore.exe
A Network Trojan was detected
ET TROJAN PE EXE or DLL Windows file download Text
3220
iexplore.exe
A Network Trojan was detected
ET TROJAN RAMNIT.A M2
3988
iexplore.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
3220
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1
3220
iexplore.exe
A Network Trojan was detected
ET TROJAN PE EXE or DLL Windows file download Text
3220
iexplore.exe
A Network Trojan was detected
ET TROJAN RAMNIT.A M2
3220
iexplore.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://dmkt-sp.top/