royal | f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429[.]zip

Resubmissions

11-02-2023 10:14

230211-l9x16sfa2s 10

Sharing

Copy URL

Twitter E-mail

General

Target

f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429.zip
Size

1.3MB
MD5

e7beb2fcccf55f27ed67eb9870362913
SHA1

c205d6bb2c0f8514ebe625b37fba00df2f09cc94
SHA256

36d84dcb300d9424770b8200a1194311a37ec21872777b42951bd62b3fbe3621
SHA512

14584862960323a081063e9ee72b67eea9707414eae2616d118b26fc0cfd6ae8918a6713abb79793d2ea6a0fed00fea6b9c078667396670bbf785cad3b1ffa55
SSDEEP

24576:WiX4jvT4evgaTAhRCxmpT4ECG01v/hy42wgTFBMZYRzJDHoA7TJ1fmELEx:xX6vkevlshROdX/By44T51DIAh1fpwx

Score

10^/10

ransomware royal

Malware Config

Signatures

Royal Ransomware 1 IoCs

ransomware

resource	yara_rule
static1/unpack001/f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429.exe	family_royal

Royal family
royal

Files

f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429.zip
.zip

Password: infected
f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429.exe
.exe windows x64

150bdf1f53f6260c91ec3fcff5867019

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetQueuedCompletionStatus
CreateIoCompletionPort
SleepConditionVariableCS
ReadFile
GetFileSizeEx
GetCurrentProcess
WakeAllConditionVariable
GetProcessId
SetEndOfFile
CreateToolhelp32Snapshot
GetLastError
Process32NextW
Process32FirstW
GetNativeSystemInfo
SetFilePointerEx
MoveFileExW
FlushFileBuffers
RtlVirtualUnwind
SetLastError
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
FormatMessageA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
VirtualFree
GetEnvironmentVariableW
MultiByteToWideChar
GetACP
GetStdHandle
CancelIo
GetModuleHandleW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
WriteConsoleW
HeapSize
GetTimeZoneInformation
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
lstrcmpW
WideCharToMultiByte
CreateProcessW
ExitProcess
DeleteCriticalSection
WaitForSingleObject
lstrlenA
InitializeConditionVariable
InitializeCriticalSection
WaitForMultipleObjects
lstrlenW
GetCommandLineW
lstrcmpiW
CreateThread
CloseHandle
Sleep
GetEnvironmentStringsW
GetCommandLineA
FindFirstFileExW
GetFullPathNameW
GetCurrentDirectoryW
SetStdHandle
GetConsoleOutputCP
GetOEMCP
IsValidCodePage
GetStringTypeW
GetCPInfo
HeapReAlloc
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
HeapAlloc
HeapFree
GetModuleFileNameW
SetConsoleCtrlHandler
GetModuleHandleExW
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileInformationByHandle
GetDriveTypeW
LoadLibraryExW
InitializeCriticalSectionAndSpinCount
ExitThread
CreateFileW
FindClose
LeaveCriticalSection
WriteFile
FindNextFileW
EnterCriticalSection
FindFirstFileW
GetFileType
GetLogicalDrives
EncodePointer
RaiseException
RtlPcToFileHeader
RtlUnwindEx
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
TerminateProcess
RtlCaptureContext
RtlLookupFunctionEntry
UnhandledExceptionFilter
SetUnhandledExceptionFilter

user32

wsprintfW
GetProcessWindowStation
MessageBoxW
GetUserObjectInformationW

advapi32

DeregisterEventSource
CryptReleaseContext
CryptDestroyKey
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
ReportEventW
RegisterEventSourceW
CryptAcquireContextW
CryptEnumProvidersW
CryptSignHashW

shell32

CommandLineToArgvW

shlwapi

StrStrIW

ws2_32

WSASetLastError
getservbyname
getservbyport
gethostbyaddr
inet_ntoa
send
WSAGetLastError
WSAStartup
gethostbyname
ntohs
getsockopt
ioctlsocket
bind
WSAIoctl
closesocket
ntohl
WSASocketW
socket
WSAAddressToStringW
htonl
htons
connect
setsockopt
recv
shutdown
inet_addr
WSACleanup

crypt32

CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetCertificateContextProperty

iphlpapi

GetIpAddrTable

netapi32

NetShareEnum
NetApiBufferFree

rstrtmgr

RmStartSession
RmGetList
RmRegisterResources
RmShutdown
RmEndSession

bcrypt

BCryptGenRandom

Sections

.text
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 770KB - Virtual size: 770KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 100KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

150bdf1f53f6260c91ec3fcff5867019

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

shlwapi

ws2_32

crypt32

iphlpapi

netapi32

rstrtmgr

bcrypt

Sections

.text Size: 2.0MB - Virtual size: 2.0MB

.rdata Size: 770KB - Virtual size: 770KB

.data Size: 14KB - Virtual size: 26KB

.pdata Size: 100KB - Virtual size: 100KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 36KB - Virtual size: 36KB

.text
Size: 2.0MB - Virtual size: 2.0MB

.rdata
Size: 770KB - Virtual size: 770KB

.data
Size: 14KB - Virtual size: 26KB

.pdata
Size: 100KB - Virtual size: 100KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 36KB - Virtual size: 36KB