2024-01-25_8c37bfa1b3574626b08967276a3d1afb_gazer_ryuk

Sharing

Copy URL

Twitter E-mail

General

Target

2024-01-25_8c37bfa1b3574626b08967276a3d1afb_gazer_ryuk
Size

3.5MB
MD5

8c37bfa1b3574626b08967276a3d1afb
SHA1

6e8b50d91b53fb3e1f8ff0b3ba210f0ae8682874
SHA256

89f1812de37e608e824c7be1fd85b171f26debd351df49d611a0c19efe81b7c6
SHA512

0e7f7723750c0ca475cd89fcbcfe2c5835cf5ca6025538570ddd577922089ac56be88190e2be2e52d209c8c3f0198af94af833268a622fbf559292706da2f419
SSDEEP

49152:bHmcWmzoPGbP//YXcG4ND/vEICEDvlP/bOVxHmpSK8hWomh:bGGzwMtUAvlHkmz8Momh

Score

10^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 1 IoCs

Processes:

resource yara_rule

sample UPX

resource	yara_rule
sample	UPX

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
2024-01-25_8c37bfa1b3574626b08967276a3d1afb_gazer_ryuk

Files

2024-01-25_8c37bfa1b3574626b08967276a3d1afb_gazer_ryuk
.exe windows:6 windows x64 arch:x64

fa6d91b0e0a68066f4250f88522f817f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptReleaseContext
CryptAcquireContextA
CryptGenRandom

core_rl_magick++_

??0ReadOptions@Magick@@QEAA@XZ
??0Image@Magick@@QEAA@PEAU_Image@MagickCore@@@Z
??1Image@Magick@@UEAA@XZ
?throwException@Magick@@YAXPEAU_ExceptionInfo@MagickCore@@_N@Z
?modifyImage@Image@Magick@@QEAAXXZ
?syncPixels@Image@Magick@@QEAAXXZ
?getPixels@Image@Magick@@QEAAPEAE_J0_K1@Z
?write@Image@Magick@@QEAAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?read@Image@Magick@@QEAAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?quiet@Image@Magick@@QEAAX_N@Z
?quality@Image@Magick@@QEAAX_K@Z
??1ReadOptions@Magick@@QEAA@XZ
?fileName@Image@Magick@@QEAAXAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?debug@Image@Magick@@QEAAX_N@Z
?compressType@Image@Magick@@QEAAXW4CompressionType@MagickCore@@@Z
??0Image@Magick@@QEAA@XZ
?texture@Image@Magick@@QEAAXAEBV12@@Z
??0Image@Magick@@QEAA@AEBVBlob@1@@Z
??1Blob@Magick@@UEAA@XZ
??0Blob@Magick@@QEAA@PEBX_K@Z
?TerminateMagick@Magick@@YAXXZ
?InitializeMagick@Magick@@YAXPEBD@Z
?compare@Image@Magick@@QEBA_NAEBV12@@Z
?yOff@Geometry@Magick@@QEBA_JXZ
?quiet@ReadOptions@Magick@@QEBA_NXZ
?imageInfo@ReadOptions@Magick@@QEAAPEAU_ImageInfo@MagickCore@@XZ
?fileName@Image@Magick@@QEBA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ
?extent@Image@Magick@@QEAAXAEBVGeometry@2@@Z
?xOff@Geometry@Magick@@QEBA_JXZ
?gamma@Image@Magick@@QEAAXN@Z
?convolve@Image@Magick@@QEAAX_KPEBN@Z
?colorMatrix@Image@Magick@@QEAAX_KPEBN@Z
??0Color@Magick@@QEAA@AEBV01@@Z
??0Color@Magick@@QEAA@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
??1Color@Magick@@UEAA@XZ
??0Geometry@Magick@@QEAA@PEBD@Z
??0Geometry@Magick@@QEAA@AEBV01@@Z
??0Geometry@Magick@@QEAA@_K0_J1@Z
??1Geometry@Magick@@QEAA@XZ
?height@Geometry@Magick@@QEBA_KXZ
?width@Geometry@Magick@@QEBA_KXZ
??0Image@Magick@@QEAA@AEBV01@@Z
?backgroundColor@Image@Magick@@QEAAXAEBVColor@2@@Z
?size@Image@Magick@@QEBA?AVGeometry@2@XZ
?crop@Image@Magick@@QEAAXAEBVGeometry@2@@Z
?getConstPixels@Image@Magick@@QEBAPEBE_J0_K1@Z
?scale@Image@Magick@@QEAAXAEBVGeometry@2@@Z
??0Geometry@Magick@@QEAA@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
??0Image@Magick@@QEAA@AEBVGeometry@1@AEBVColor@1@@Z
?channels@Image@Magick@@QEBA_KXZ
?repage@Image@Magick@@QEAAXXZ

core_rl_magickcore_

SetMagickResourceLimit
AcquireExceptionInfo
DestroyExceptionInfo
ReadImage
GetEnvironmentValue
InterpretSiPrefixValue
FormatMagickSize
SetImageRegistry
GetImageRegistry
GetMagickResourceLimit

crypt32

CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore

kernel32

GetTimeFormatW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetTimeZoneInformation
FlushFileBuffers
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetFileSizeEx
SetEnvironmentVariableW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
FindFirstFileExW
SetConsoleMode
ReadConsoleInputW
HeapSize
SetEndOfFile
WriteConsoleW
QueryPerformanceFrequency
TlsGetValue
TlsSetValue
TlsAlloc
CloseHandle
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObject
CreateEventA
CreateThread
GetCurrentThreadId
GetCommandLineA
QueryPerformanceCounter
GetProcAddress
LoadLibraryA
GetSystemTime
SystemTimeToFileTime
RtlCaptureContext
GetCurrentDirectoryW
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesW
GetFullPathNameW
GetCurrentProcess
GetCurrentProcessId
GetModuleFileNameW
ReadFile
WriteFile
DuplicateHandle
CreatePipe
TerminateProcess
CreateProcessW
FormatMessageA
GetLastError
lstrlenW
MultiByteToWideChar
WideCharToMultiByte
EncodePointer
DecodePointer
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsFree
GetSystemTimeAsFileTime
GetModuleHandleW
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
WaitForSingleObjectEx
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
InitializeSListHead
GetDateFormatW
RtlUnwindEx
RtlPcToFileHeader
RaiseException
FreeLibrary
LoadLibraryExW
ExitProcess
GetModuleHandleExW
SetStdHandle
GetFileType
CreateDirectoryW
DeleteFileW
CreateFileW
GetDriveTypeW
GetFileInformationByHandle
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
HeapAlloc
HeapFree
HeapReAlloc
GetStdHandle
GetCommandLineW
GetConsoleCP

ws2_32

freeaddrinfo
getaddrinfo
WSAGetLastError
WSAStartup
gethostbyname
socket
shutdown
setsockopt
send
recv
inet_ntoa
inet_addr
htons
ioctlsocket
connect
closesocket

Exports

Exports

hx_cffi

Sections

.6510
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.6510
Size: 898KB - Virtual size: 900KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.6510
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.6510
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 608KB - Virtual size: 612KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

fa6d91b0e0a68066f4250f88522f817f

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

core_rl_magick++_

core_rl_magickcore_

crypt32

kernel32

ws2_32

Exports

Exports

Sections

.6510 Size: 2.0MB - Virtual size: 2.0MB

.6510 Size: 898KB - Virtual size: 900KB

.6510 Size: 512B - Virtual size: 4KB

.6510 Size: 8KB - Virtual size: 12KB

.reloc Size: 608KB - Virtual size: 612KB

.6510
Size: 2.0MB - Virtual size: 2.0MB

.6510
Size: 898KB - Virtual size: 900KB

.6510
Size: 512B - Virtual size: 4KB

.6510
Size: 8KB - Virtual size: 12KB

.reloc
Size: 608KB - Virtual size: 612KB