royal | 613daed6d9b8406602f11019ba28d779[.]bin

Resubmissions

24-01-2023 13:38

230124-qxj11aca35 10

23-01-2023 11:18

230123-nea92aef6t 10

20-01-2023 10:30

230120-mjt29sae42 10

Sharing

Copy URL

Twitter E-mail

General

Target

613daed6d9b8406602f11019ba28d779.bin
Size

1.1MB
MD5

27768c1bd67420c2bda7cd2b3c6b6133
SHA1

8a3b0445fdc854c742985ee65976c1b9b4790a1e
SHA256

731f77f9b72e60c73cf4a6bf77b4e9513f65f2af4729d331941a9e87ae1fc32f
SHA512

74bb98019fa57e2cc796392813406258b26008242f31f478f870b38d1bfe07c5228dbb318670277b79af30f9a491fbe26a29dbd363120a0f08b1db64eb7b46b5
SSDEEP

24576:9qJXFk9fiIfHFjr7SEI+HIrLZYB3kzazE8pOQYKA6m5fE+uhgDI4g:9w1k96I9j6EI+Ui5Ia48pObLVDIn

Score

10^/10

ransomware royal

Malware Config

Signatures

Royal Ransomware 1 IoCs

ransomware

Processes:

resource	yara_rule
static1/unpack001/8e01ecf9d804454f34eeceb0f7793f4884be8868886a646526419fc2e2bbb648.dll	family_royal

Royal family
royal

Files

613daed6d9b8406602f11019ba28d779.bin
.zip

Password: infected
8e01ecf9d804454f34eeceb0f7793f4884be8868886a646526419fc2e2bbb648.dll
.dll regsvr32 windows x86

Password: infected

b63353471cfb981ab878fab6e0445c50

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SleepConditionVariableCS
ReadFile
GetFileSizeEx
GetCurrentProcess
WakeAllConditionVariable
GetProcessId
SetEndOfFile
CreateToolhelp32Snapshot
GetLastError
Process32NextW
Process32FirstW
GetNativeSystemInfo
SetFilePointerEx
MoveFileExW
FlushFileBuffers
SetLastError
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
FormatMessageA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
VirtualFree
GetEnvironmentVariableW
MultiByteToWideChar
GetACP
GetStdHandle
GetFileType
CreateIoCompletionPort
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
WriteConsoleW
HeapSize
GetTimeZoneInformation
GetStringTypeW
GetProcessHeap
GetQueuedCompletionStatus
CancelIo
lstrcmpW
WideCharToMultiByte
CreateProcessW
DeleteCriticalSection
WaitForSingleObject
lstrlenA
InitializeConditionVariable
InitializeCriticalSection
WaitForMultipleObjects
lstrlenW
lstrcmpiW
CreateThread
CloseHandle
Sleep
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
DecodePointer
GetCPInfo
GetOEMCP
IsValidCodePage
FindFirstFileExW
GetFullPathNameW
GetCurrentDirectoryW
SetStdHandle
GetConsoleOutputCP
HeapReAlloc
LCMapStringW
CompareStringW
HeapAlloc
HeapFree
GetModuleFileNameW
SetConsoleCtrlHandler
GetModuleHandleExW
ExitProcess
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileInformationByHandle
GetDriveTypeW
ExitThread
CreateFileW
FindClose
LeaveCriticalSection
WriteFile
FindNextFileW
EnterCriticalSection
FindFirstFileW
GetModuleHandleW
GetLogicalDrives
EncodePointer
LoadLibraryExW
InitializeCriticalSectionAndSpinCount
RtlUnwind
InterlockedFlushSList
RaiseException
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess

user32

wsprintfW
GetProcessWindowStation
MessageBoxW
GetUserObjectInformationW

advapi32

DeregisterEventSource
CryptReleaseContext
CryptDestroyKey
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
ReportEventW
RegisterEventSourceW
CryptAcquireContextW
CryptEnumProvidersW
CryptSignHashW

shell32

CommandLineToArgvW

shlwapi

StrStrIW

ws2_32

WSASetLastError
getservbyname
getservbyport
gethostbyaddr
inet_ntoa
send
WSAGetLastError
htons
gethostbyname
select
ntohs
getsockopt
ioctlsocket
bind
WSAIoctl
closesocket
ntohl
WSASocketW
socket
WSAAddressToStringW
htonl
WSAStartup
connect
setsockopt
recv
shutdown
inet_addr
WSACleanup

crypt32

CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetCertificateContextProperty

iphlpapi

GetIpAddrTable

netapi32

NetShareEnum
NetApiBufferFree

rstrtmgr

RmStartSession
RmGetList
RmRegisterResources
RmShutdown
RmEndSession

bcrypt

BCryptGenRandom

Exports

Exports

DllInstall
DllRegisterServer

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 500KB - Virtual size: 499KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

b63353471cfb981ab878fab6e0445c50

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

shlwapi

ws2_32

crypt32

iphlpapi

netapi32

rstrtmgr

bcrypt

Exports

Exports

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.rdata Size: 500KB - Virtual size: 499KB

.data Size: 7KB - Virtual size: 15KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 78KB - Virtual size: 78KB

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 500KB - Virtual size: 499KB

.data
Size: 7KB - Virtual size: 15KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 78KB - Virtual size: 78KB