Behavioral task: behavioral1
Sample: 4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99.exe
Resource: win10v2004-20231215-en
General
Target: blksuit_111_exe_14100521684.zip
Size: 1.1MB
MD5: 579ec868f277205c37eec6a9af2f12e9
SHA1: 2be7553e628b179bfcf8c507303ad59d064f244c
SHA256: 64246877499ad8da8a6b8ed84c9833ac9bd4ebd0cea28e2cb5a5e7a81137513d
SHA512: 2ef634c2e51245dc866a4ab3582d20b52ce1c827edc2339a8964c0ec21d601ef7fa31e38d6eee42bd574f507ef4240c15cbb286df94e91eca0971dc53c237ed1
SSDEEP: 24576:hSspRdCfPUemaW0+jHvoz77HMZ5MZgPOqd07uhie46BEWGpBHqIvj+ynN5xZ:hpNCX/PwvozHHMZvhf46eWG68qynNXZ
Malware Config
Signatures
Royal Ransomware (1 IoC)
Royal family
resource: static1/unpack001/4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99  yara_rule: family_royal

Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource: unpack001/4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99
Files
blksuit_111_exe_14100521684.zip.zip (Password: infected)
4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99.exe windows:6 windows x86 arch:x86
07a5f14fabca497d51b3abff84669c94
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
GetQueuedCompletionStatus
CreateIoCompletionPort
SleepConditionVariableCS
ReadFile
GetFileSizeEx
GetCurrentProcess
WakeAllConditionVariable
GetProcessId
SetEndOfFile
CreateToolhelp32Snapshot
GetLastError
Process32NextW
Process32FirstW
GetNativeSystemInfo
SetFilePointerEx
MoveFileExW
FlushFileBuffers
SetLastError
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
FormatMessageA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
VirtualFree
GetEnvironmentVariableW
MultiByteToWideChar
GetACP
GetStdHandle
CancelIo
GetModuleHandleW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
WriteConsoleW
HeapSize
GetTimeZoneInformation
GetProcessHeap
GetStringTypeW
SetEnvironmentVariableW
lstrcmpW
WideCharToMultiByte
CreateProcessW
ExitProcess
DeleteCriticalSection
WaitForSingleObject
lstrlenA
InitializeConditionVariable
InitializeCriticalSection
WaitForMultipleObjects
lstrlenW
GetCommandLineW
lstrcmpiW
CreateThread
CloseHandle
Sleep
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
DecodePointer
GetCPInfo
GetOEMCP
IsValidCodePage
FindFirstFileExW
GetFullPathNameW
GetCurrentDirectoryW
SetStdHandle
GetConsoleOutputCP
HeapReAlloc
LCMapStringW
CompareStringW
HeapAlloc
HeapFree
GetModuleFileNameW
SetConsoleCtrlHandler
GetModuleHandleExW
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileInformationByHandle
GetDriveTypeW
EncodePointer
LoadLibraryExW
ExitThread
CreateFileW
FindClose
LeaveCriticalSection
WriteFile
FindNextFileW
EnterCriticalSection
FindFirstFileW
GetFileType
GetLogicalDrives
InitializeCriticalSectionAndSpinCount
RtlUnwind
RaiseException
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
user32
wsprintfW
GetUserObjectInformationW
MessageBoxW
GetProcessWindowStation
advapi32
DeregisterEventSource
CryptReleaseContext
CryptDestroyKey
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
ReportEventW
RegisterEventSourceW
CryptAcquireContextW
CryptEnumProvidersW
CryptSignHashW
shell32
CommandLineToArgvW
shlwapi
StrStrIW
ws2_32
WSASetLastError
getservbyname
getservbyport
gethostbyaddr
inet_ntoa
inet_addr
send
WSACleanup
gethostbyname
select
ntohs
getsockopt
ioctlsocket
bind
WSAIoctl
closesocket
ntohl
WSASocketW
socket
WSAAddressToStringW
htonl
htons
WSAStartup
connect
recv
setsockopt
shutdown
WSAGetLastError
crypt32
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetCertificateContextProperty
iphlpapi
GetIpAddrTable
netapi32
NetShareEnum
NetApiBufferFree
rstrtmgr
RmStartSession
RmGetList
RmRegisterResources
RmShutdown
RmEndSession
bcrypt
BCryptGenRandom
Sections
.text Size: 1.6MB - Virtual size: 1.6MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 500KB - Virtual size: 499KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 7KB - Virtual size: 15KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 512B - Virtual size: 480B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 78KB - Virtual size: 78KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ