metasploit | 2024-01-27_b881759244ae673f2d1018aee7173a16_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-01-27_b881759244ae673f2d1018aee7173a16_ryuk
Size

924KB
MD5

b881759244ae673f2d1018aee7173a16
SHA1

23e873be2c2f8c5880e2ccb4ecd452f86a8e5c96
SHA256

2b0f6be37aa15e5e4566169e428b0cffb2af582392abf5a43c77e31a701f3bb9
SHA512

76d7364609de16c60d8a068c92c487b8a1cf6a38b21cd75f2c9791db6938fe8531b91cf8d93a8030185803fcaaf73ad7024fd05a8b55c35a5a1cb5e80a842477
SSDEEP

24576:PJIUqxUSoswhj2sVoYAxJoMyTHoTwKee6Yy:PJIUKBoj2sVoYKHyTHoToe6

Score

10^/10

metasploit

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

Metasploit family
metasploit

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-01-27_b881759244ae673f2d1018aee7173a16_ryuk

Files

2024-01-27_b881759244ae673f2d1018aee7173a16_ryuk
.exe windows:6 windows x64 arch:x64

91c272778494f545a220f3e427777252

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

ssh.pdb

Imports

libcrypto

EC_KEY_get0_group
EC_KEY_get0_private_key
BN_CTX_start
BN_new
EC_GROUP_get_curve_name
EC_GROUP_set_asn1_flag
EVP_PKEY_get1_DSA
EC_GROUP_cmp
BIO_free
BIO_write
EC_POINT_new
DSA_new
EC_GROUP_free
EC_KEY_get0_public_key
EVP_PKEY_get1_RSA
EVP_PKEY_free
EVP_MD_CTX_cleanup
RAND_bytes
BN_cmp
BN_is_bit_set
BN_sub
BN_hex2bn
EC_GROUP_new_by_curve_name
DH_new
DH_generate_key
ECDH_compute_key
EVP_PKEY_base_id
BN_CTX_free
EC_GROUP_method_of
EC_POINT_clear_free
EC_GROUP_get_degree
DH_compute_key
DH_size
AES_encrypt
AES_set_encrypt_key
EVP_CIPHER_CTX_get_app_data
EVP_CIPHER_CTX_set_app_data
ECDSA_do_sign
ECDSA_SIG_free
ECDSA_do_verify
ECDSA_SIG_new
DSA_do_sign
DSA_do_verify
DSA_SIG_new
DSA_SIG_free
EC_KEY_new_by_curve_name
RSA_public_decrypt
RSA_sign
BN_num_bits
BN_div
EC_POINT_oct2point
BN_bn2bin
EC_POINT_point2oct
RSAPublicKey_dup
X509_get_pubkey
X509_new
d2i_X509
RSA_set_method
RSA_set_ex_data
RSA_size
RSA_get_ex_data
RSA_get_default_method
RSA_get_ex_new_index
X509_free
BN_bin2bn
RAND_status
SSLeay
EVP_sha384
EVP_MD_CTX_copy_ex
EVP_md5
EVP_sha256
EVP_DigestUpdate
EVP_Digest
EVP_DigestInit_ex
EVP_MD_CTX_md
EVP_sha1
EVP_MD_block_size
EVP_sha512
EVP_DigestFinal_ex
EVP_CIPHER_CTX_key_length
EVP_CIPHER_CTX_new
EVP_aes_256_cbc
EVP_CipherInit
EVP_des_ede3_cbc
EVP_aes_192_cbc
EVP_CIPHER_CTX_ctrl
EVP_CIPHER_CTX_set_key_length
EVP_Cipher
EVP_aes_256_gcm
EVP_aes_128_gcm
EVP_CIPHER_CTX_free
DH_free
RSA_blinding_on
BN_dup
EC_GROUP_get_order
DSA_free
BIO_new
EC_POINT_cmp
BN_clear_free
ERR_peek_error
EC_KEY_set_private_key
BN_value_one
EVP_PKEY_get1_EC_KEY
EC_METHOD_get_field_type
EC_POINT_mul
RSA_new
EC_KEY_generate_key
RSA_free
ERR_get_error
EC_POINT_get_affine_coordinates_GFp
ERR_peek_last_error
EC_KEY_set_public_key
BN_free
BN_CTX_get
EC_KEY_set_group
EC_POINT_is_at_infinity
BIO_s_mem
PEM_read_bio_PrivateKey
EC_POINT_free
EVP_aes_128_cbc
EC_KEY_free
BN_CTX_new
SSLeay_version

ws2_32

WSACleanup
WSADuplicateSocketW
FreeAddrInfoW
WSASocketW
WSAGetLastError
bind
htonl
htons
getnameinfo
ntohs
WSAIoctl
closesocket
getservbyname
WSASend
shutdown
listen
setsockopt
WSAGetOverlappedResult
getsockopt
WSAStartup
WSARecv
inet_ntop
inet_ntoa
getsockname
socket
gethostname
ntohl
GetAddrInfoW
getpeername

kernel32

GetProcessHeap
GetFileSizeEx
HeapReAlloc
ReadConsoleW
PeekConsoleInputA
GetNumberOfConsoleInputEvents
GetStringTypeW
GetTimeZoneInformation
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
CreatePipe
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
HeapAlloc
HeapFree
GetModuleFileNameW
FindNextFileW
FindFirstFileExW
FindClose
FreeLibraryAndExitThread
ExitThread
CreateThread
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetCurrentDirectoryW
SetEnvironmentVariableW
DeleteFileW
GetFullPathNameW
MoveFileExW
SetFileAttributesW
RemoveDirectoryW
SetStdHandle
GetCommandLineW
GetCommandLineA
GetModuleHandleExW
ExitProcess
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapSize
RtlUnwindEx
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetConsoleMode
SetConsoleWindowInfo
GetConsoleCP
RaiseException
GetConsoleCursorInfo
FormatMessageA
ScrollConsoleScreenBufferA
ReadConsoleInputW
CancelIoEx
CancelSynchronousIo
WriteFile
ReadFile
LoadLibraryExW
GetDriveTypeW
GetDiskFreeSpaceExW
GetLogicalDriveStringsW
CreateWaitableTimerA
WaitForSingleObjectEx
WaitForMultipleObjectsEx
GetConsoleOutputCP
SetConsoleScreenBufferSize
SetConsoleTitleA
SetConsoleTextAttribute
FillConsoleOutputCharacterA
GetFinalPathNameByHandleW
MultiByteToWideChar
GetSystemTime
SetConsoleCursorInfo
GetComputerNameW
GetWindowsDirectoryW
GetSystemDirectoryW
Sleep
CreateFileA
SetConsoleMode
SetConsoleOutputCP
WriteConsoleOutputA
SetHandleInformation
GetCurrentProcess
GetStdHandle
TerminateProcess
SetLastError
SetEndOfFile
GetCurrentThreadId
GetLocalTime
DuplicateHandle
GetTickCount64
GetLastError
CloseHandle
ExpandEnvironmentStringsW
SetFilePointerEx
GetCurrentProcessId
CreateProcessW
GetFileType
FillConsoleOutputAttribute
CreateEventA
OpenThread
FlushFileBuffers
SetConsoleCtrlHandler
WaitForSingleObject
QueueUserAPC
ReadFileEx
CreateDirectoryW
VerifyVersionInfoW
GetFileAttributesExW
GetConsoleScreenBufferInfo
GetFileInformationByHandle
CreateHardLinkW
WriteFileEx
DeviceIoControl
CreateNamedPipeA
CreateFileW
CancelIo
ReadConsoleOutputA
FormatMessageW
SetConsoleCursorPosition
SetConsoleCP
Beep
FreeConsole
LoadLibraryW
WriteConsoleW
GetProcAddress
LocalFree
FreeLibrary
WideCharToMultiByte
GetSystemTimeAsFileTime
GetExitCodeProcess
SleepEx
VerSetConditionMask
ResetEvent
SetEvent

advapi32

GetAce
EventRegister
ConvertSidToStringSidA
EqualSid
RegCloseKey
RegOpenKeyExW
ConvertSidToStringSidW
LookupAccountSidW
RegQueryValueExW
EventWrite
CreateWellKnownSid
CopySid
GetNamedSecurityInfoW
IsWellKnownSid
IsValidSid
IsValidSecurityDescriptor
OpenProcessToken
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetLengthSid
IsValidAcl
LookupAccountNameW
GetTokenInformation

crypt32

CryptBinaryToStringA
CryptStringToBinaryA

sspicli

InitSecurityInterfaceW

user32

GetWindowPlacement
FindWindowA
ShowWindow

Sections

.text
Size: 591KB - Virtual size: 590KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 289KB - Virtual size: 288KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 193KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

91c272778494f545a220f3e427777252

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

libcrypto

ws2_32

kernel32

advapi32

crypt32

sspicli

user32

Sections

.text Size: 591KB - Virtual size: 590KB

.rdata Size: 289KB - Virtual size: 288KB

.data Size: 6KB - Virtual size: 193KB

.pdata Size: 31KB - Virtual size: 30KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 3KB - Virtual size: 2KB

.text
Size: 591KB - Virtual size: 590KB

.rdata
Size: 289KB - Virtual size: 288KB

.data
Size: 6KB - Virtual size: 193KB

.pdata
Size: 31KB - Virtual size: 30KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 3KB - Virtual size: 2KB