2024-01-25_da9aeed98e4b824431fafb62b14336a9_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-01-25_da9aeed98e4b824431fafb62b14336a9_ryuk
Size

1.5MB
MD5

da9aeed98e4b824431fafb62b14336a9
SHA1

7e9767bffae7f11f12959f3ff117ef8369bab19e
SHA256

9a0d7fc8691cb6ce3ce0c6dfc06492decc69dfdeab1240f6374eac98eaa0fd09
SHA512

3dfc0cfbd649a8da7ff5da4a792a6ba3c54498dd61b7fa622fadde0c28940e247ddd9401d0dcb6550dd17c4e72ea7ee9ff9c94215d1ce854f60a4a2a0ee3ddef
SSDEEP

49152:VO93+xxnqmcblKaTefLFAKh/1jZFUCtKi:0uXqv57yfh5RZ7

Score

10^/10

Malware Config

Signatures

Detects executables packed with VMProtect. 1 IoCs

resource	yara_rule
sample	INDICATOR_EXE_Packed_VMProtect

Files

2024-01-25_da9aeed98e4b824431fafb62b14336a9_ryuk
.exe windows:6 windows x64 arch:x64

f770bdd1fecee3554bca7cf3bfe6792e

Code Sign

28:77:79:fb:66:62:61:cb:73:17:47:92:9a:62:17:70
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

13/10/2017, 00:00

Not After

13/10/2018, 23:59

Subject

CN=Henan Pushitong Intelligent Technology Co.\, Ltd.,O=Henan Pushitong Intelligent Technology Co.\, Ltd.,L=Zhengzhou,ST=Henan,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/02/2011, 19:25

Not After

22/02/2021, 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03/05/2023, 00:00

Not After

02/08/2034, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #4,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

8b:84:f8:20:9a:26:3a:a3:98:95:9b:50:16:36:f9:4b:23:d3:f3:aa
Signer

Actual PE Digest

8b:84:f8:20:9a:26:3a:a3:98:95:9b:50:16:36:f9:4b:23:d3:f3:aa

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

CloseHandle
GetProcAddress
ExitProcess
GetCurrentProcessId
GetConsoleWindow
Process32Next
GetComputerNameA
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
DeleteFileA
SetConsoleScreenBufferInfoEx
GetConsoleMode
CreateToolhelp32Snapshot
GetModuleHandleA
GetVolumeInformationA
GetConsoleScreenBufferInfoEx
SetConsoleMode
GetStdHandle
lstrcmpiA
Process32First
QueryPerformanceCounter
GetModuleHandleW
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
RtlCaptureContext

user32

GetAsyncKeyState
ShowWindow

advapi32

CryptAcquireContextA
GetCurrentHwProfileA
CloseServiceHandle
OpenSCManagerA
GetUserNameA
StartServiceA
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptGetHashParam
OpenServiceA
CryptReleaseContext
CreateServiceA

ole32

CoUninitialize
CoCreateInstance
CoInitialize

msvcp140

?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_BADOFF@std@@3_JB
?_Throw_C_error@std@@YAXH@Z
?_Xlength_error@std@@YAXPEBD@Z
_Mtx_lock
_Cnd_do_broadcast_at_thread_exit
_Cnd_destroy
_Thrd_sleep
_Cnd_wait
_Mtx_init
_Thrd_start
_Thrd_id
_Thrd_detach
?_Throw_Cpp_error@std@@YAXH@Z
_Mtx_destroy
_Cnd_init
_Thrd_join
_Mtx_unlock
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
_Cnd_signal
_Xtime_get_ticks

d3dx9_43

D3DXVec3Project

urlmon

URLDownloadToFileA

wininet

DeleteUrlCacheEntryA

vcruntime140

_purecall
__std_terminate
__CxxFrameHandler3
__C_specific_handler
_CxxThrowException
__std_exception_copy
memmove
memcpy
memcmp
__std_exception_destroy
memset

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn
exit
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
terminate
_cexit
_seh_filter_exe
_set_app_type
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
_register_thread_local_exe_atexit_callback
__p___argc
__p___argv
_c_exit
_crt_atexit

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-utility-l1-1-0

rand

api-ms-win-crt-string-l1-1-0

toupper

api-ms-win-crt-heap-l1-1-0

free
_callnewh
_set_new_mode
malloc

api-ms-win-crt-math-l1-1-0

sqrtf
atan2f
__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 39KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 278KB - Virtual size: 278KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 288B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f770bdd1fecee3554bca7cf3bfe6792e

Code Sign

28:77:79:fb:66:62:61:cb:73:17:47:92:9a:62:17:70Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4Certificate

Extended Key Usages

Key Usages

8b:84:f8:20:9a:26:3a:a3:98:95:9b:50:16:36:f9:4b:23:d3:f3:aaSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

ole32

msvcp140

d3dx9_43

urlmon

wininet

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 39KB - Virtual size: 38KB

.rdata Size: 16KB - Virtual size: 15KB

.data Size: 278KB - Virtual size: 278KB

.pdata Size: 2KB - Virtual size: 2KB

.gfids Size: 512B - Virtual size: 64B

.vmp0 Size: 1.2MB - Virtual size: 1.2MB

.reloc Size: 512B - Virtual size: 288B

.rsrc Size: 5KB - Virtual size: 5KB

28:77:79:fb:66:62:61:cb:73:17:47:92:9a:62:17:70
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

8b:84:f8:20:9a:26:3a:a3:98:95:9b:50:16:36:f9:4b:23:d3:f3:aa
Signer

.text
Size: 39KB - Virtual size: 38KB

.rdata
Size: 16KB - Virtual size: 15KB

.data
Size: 278KB - Virtual size: 278KB

.pdata
Size: 2KB - Virtual size: 2KB

.gfids
Size: 512B - Virtual size: 64B

.vmp0
Size: 1.2MB - Virtual size: 1.2MB

.reloc
Size: 512B - Virtual size: 288B

.rsrc
Size: 5KB - Virtual size: 5KB