E:\Adlice\RogueKillerQt\x64\Debug\roguekillersvc.pdb
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-01_8ed6ad3f35e8b5549a1681cc6c25db1f_ryuk.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-02-01_8ed6ad3f35e8b5549a1681cc6c25db1f_ryuk.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-02-01_8ed6ad3f35e8b5549a1681cc6c25db1f_ryuk
Size: 29.6MB
MD5: 8ed6ad3f35e8b5549a1681cc6c25db1f
SHA1: 477095f5ccf7102c4f28b9981999e183934aba25
SHA256: af97c7f08d9b7a3483f3b5c9e3e12821e29a27cb650405a047c5351f0bf12186
SHA512: cc6840be1f07ce9fe17a5d612a5deab254c92ef85fcf74228a0cd1aec6be0a29d0ddc91510f5832cc5626e6927bd1163eae247017b4984d99a7f28ebcfd39fcf
SSDEEP: 393216:93/BJlp9YiKRSggLVHJh6QCQcDdtununm:RBJ37j5CQchRm
Malware Config
Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature.
  resource: 2024-02-01_8ed6ad3f35e8b5549a1681cc6c25db1f_ryuk
Files
2024-02-01_8ed6ad3f35e8b5549a1681cc6c25db1f_ryuk.exe (windows:6 windows x64 arch:x64)
  0a0930e34142b27ab8360436aa328881
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
ws2_32
freeaddrinfo
getnameinfo
inet_pton
WSAIoctl
WSAAddressToStringW
getaddrinfo
crypt32
CryptDecodeObject
CryptMsgClose
CryptMsgGetParam
CertCloseStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertOpenStore
CryptQueryObject
CertGetNameStringW
CertNameToStrW
advapi32
CryptEnumProvidersW
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptAcquireContextW
CryptReleaseContext
CryptDestroyKey
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CreateProcessAsUserW
OpenProcessToken
AdjustTokenPrivileges
DuplicateTokenEx
LookupPrivilegeValueW
DuplicateToken
GetUserNameW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegEnumValueW
RegLoadKeyW
RegOpenKeyExW
RegQueryInfoKeyW
RegRestoreKeyW
RegSetValueExW
RegUnLoadKeyW
RegSaveKeyExW
AllocateAndInitializeSid
GetAce
GetAclInformation
GetSecurityDescriptorDacl
GetSecurityDescriptorOwner
InitializeAcl
InitializeSecurityDescriptor
IsValidSecurityDescriptor
IsValidSid
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
LookupAccountSidW
RegGetKeySecurity
RegSetKeySecurity
SetEntriesInAclW
GetExplicitEntriesFromAclW
GetNamedSecurityInfoW
SetNamedSecurityInfoW
GetInheritanceSourceW
FreeInheritedFromArray
ConvertSidToStringSidW
ConvertStringSidToSidW
GetUserNameA
CheckTokenMembership
FreeSid
GetTokenInformation
SetKernelObjectSecurity
SetSecurityInfo
SetTokenInformation
CopySid
GetLengthSid
LookupAccountNameW
CryptCreateHash
CryptDestroyHash
CryptSignHashW
CryptAcquireContextA
ChangeServiceConfig2W
CloseServiceHandle
ControlService
CreateServiceW
DeleteService
OpenSCManagerW
OpenServiceW
QueryServiceStatus
RegisterServiceCtrlHandlerW
SetServiceStatus
StartServiceCtrlDispatcherW
RegQueryValueExW
ChangeServiceConfigW
EnumDependentServicesW
EnumServicesStatusW
QueryServiceConfigW
QueryServiceConfig2W
QueryServiceStatusEx
SetServiceObjectSecurity
StartServiceW
LookupPrivilegeValueA
CryptGenRandom
GetSecurityInfo
kernel32
GetCurrentThread
SuspendThread
ResumeThread
GetThreadContext
GetVersionExA
FreeLibrary
GetModuleFileNameA
GetModuleFileNameW
LoadLibraryW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
TryEnterCriticalSection
DeleteCriticalSection
CompareFileTime
GetSystemTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
FileTimeToSystemTime
SystemTimeToFileTime
GetDateFormatW
GetTimeFormatW
CreateDirectoryW
CreateFileW
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesExW
GetFileTime
RemoveDirectoryW
SetFileAttributesW
MoveFileW
MoveFileExW
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetVolumeInformationW
OutputDebugStringW
SetErrorMode
Sleep
GetSystemTimes
GlobalMemoryStatusEx
GetSystemInfo
FormatMessageW
RaiseException
CreateThread
OpenThread
VirtualAllocEx
VirtualFreeEx
WriteProcessMemory
K32GetMappedFileNameW
CreateRemoteThread
GetModuleHandleW
Module32FirstW
Module32NextW
K32GetModuleInformation
DefineDosDeviceW
QueryDosDeviceW
GetVolumePathNamesForVolumeNameW
DeviceIoControl
FlushFileBuffers
ReadFile
WriteFile
SetHandleInformation
CreatePipe
ConnectNamedPipe
DisconnectNamedPipe
SetNamedPipeHandleState
PeekNamedPipe
CreateNamedPipeW
WaitNamedPipeW
GetOverlappedResult
CancelIo
lstrcmpA
lstrcpyW
GetTickCount
BackupRead
BackupSeek
GetDiskFreeSpaceW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
GetVolumePathNameW
SetFilePointerEx
GetVolumeNameForVolumeMountPointW
GetCompressedFileSizeW
HeapAlloc
HeapFree
GetProcessHeap
WaitForMultipleObjectsEx
VirtualAlloc
VirtualFree
lstrcmpiW
lstrlenW
IsBadReadPtr
IsBadWritePtr
SetFilePointer
IsDebuggerPresent
DebugBreak
GetStdHandle
OutputDebugStringA
WriteConsoleOutputW
FillConsoleOutputCharacterW
GetConsoleScreenBufferInfo
GetConsoleCursorInfo
SetConsoleActiveScreenBuffer
SetConsoleScreenBufferSize
SetConsoleCursorPosition
SetConsoleCursorInfo
SetConsoleWindowInfo
SetConsoleTextAttribute
GetConsoleMode
GetNumberOfConsoleInputEvents
ReadConsoleInputW
SetConsoleMode
WriteConsoleW
CreateConsoleScreenBuffer
QueueUserWorkItem
LoadLibraryExW
GlobalAlloc
GlobalFree
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
SwitchToFiber
DeleteFiber
CreateFiber
QueryPerformanceCounter
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
LoadLibraryA
ReadConsoleA
ReadConsoleW
FormatMessageA
InitializeCriticalSectionEx
SleepEx
QueryPerformanceFrequency
GetSystemDirectoryA
VerifyVersionInfoA
WaitForSingleObjectEx
ExpandEnvironmentStringsA
CreateFileMappingA
SwitchToThread
GetThreadTimes
LockFileEx
AreFileApisANSI
GetTempPathA
GetDiskFreeSpaceA
GetFileAttributesA
FlushViewOfFile
DeleteFileA
LockFile
UnlockFileEx
HeapCompact
UnlockFile
VirtualQueryEx
CreateFileA
CreateMutexA
HeapCreate
GetFileSize
WritePrivateProfileStringW
GetPrivateProfileStringW
HeapDestroy
InitializeCriticalSection
CloseHandle
SetEvent
ResetEvent
WaitForSingleObject
CreateEventW
WaitForMultipleObjects
GetCommandLineW
LocalFree
ExpandEnvironmentStringsW
GetFileAttributesW
GetCurrentDirectoryA
GetEnvironmentVariableW
GetEnvironmentVariableA
RtlCaptureContext
GetCurrentDirectoryW
GetFullPathNameW
LocalAlloc
GetLongPathNameW
GetShortPathNameW
GetCurrentProcess
GetCurrentProcessId
DuplicateHandle
GetLastError
SetLastError
GetProcessTimes
TerminateProcess
GetExitCodeProcess
TerminateThread
CopyFileW
DeleteFileW
WideCharToMultiByte
MultiByteToWideChar
GetComputerNameW
GetSystemDirectoryW
GetTempPathW
GetTempFileNameW
VerifyVersionInfoW
GetVersionExW
VerSetConditionMask
Thread32Next
Thread32First
Process32NextW
FileTimeToLocalFileTime
Process32FirstW
CreateToolhelp32Snapshot
FindResourceW
SizeofResource
LockResource
LoadResource
GetFileSizeEx
GetTickCount64
GetQueuedCompletionStatus
CreateIoCompletionPort
SetThreadUILanguage
SetThreadLocale
GetThreadLocale
GetUserGeoID
GetGeoInfoW
OpenMutexW
CreateMutexW
ReleaseMutex
SetEnvironmentVariableW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExW
FindFirstFileExA
GetTimeZoneInformation
SetEndOfFile
GetFullPathNameA
SetCurrentDirectoryW
SetStdHandle
CreateProcessA
HeapQueryInformation
HeapReAlloc
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetConsoleCP
GetACP
GetCommandLineA
FreeLibraryAndExitThread
ExitThread
SetConsoleCtrlHandler
ExitProcess
HeapValidate
HeapSize
InterlockedFlushSList
InterlockedPushEntrySList
RtlPcToFileHeader
RtlUnwindEx
VirtualQuery
GetStartupInfoW
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
CreateProcessW
SetPriorityClass
GetPriorityClass
K32GetProcessImageFileNameW
K32GetModuleFileNameExW
K32GetModuleBaseNameW
TerminateJobObject
AssignProcessToJobObject
GetStringTypeW
EncodePointer
DecodePointer
GetCPInfo
CompareStringW
LCMapStringW
CreateJobObjectW
GetProcAddress
GetModuleHandleA
ReadProcessMemory
OpenProcess
SetThreadContext
GetProcessId
GetLocaleInfoW
ReadConsoleOutputW
user32
GetWindowTextLengthW
GetClientRect
GetWindowRect
GetCursorPos
GetWindowLongW
SetWindowLongW
GetWindowLongPtrW
SetWindowLongPtrW
GetDesktopWindow
SetWindowTextW
LoadIconW
LoadImageW
GetShellWindow
EnumWindows
GetWindowThreadProcessId
DestroyIcon
CreateIconFromResourceEx
ExitWindowsEx
RedrawWindow
InvalidateRect
ReleaseDC
GetDC
SetForegroundWindow
UpdateWindow
TrackPopupMenuEx
GetSubMenu
EnableMenuItem
DestroyMenu
GetSystemMenu
LoadMenuW
FindWindowW
PostThreadMessageW
PostMessageW
LoadStringW
SendMessageW
SendInput
IsWindowVisible
GetForegroundWindow
GetWindowTextW
EnumChildWindows
GetClassNameW
UnregisterClassW
CharNextW
EnableWindow
TranslateAcceleratorW
TrackMouseEvent
GetMessageW
TranslateMessage
DispatchMessageW
DefWindowProcW
RegisterClassExW
CreateWindowExW
DestroyWindow
SetLayeredWindowAttributes
MoveWindow
SetWindowPos
SetClipboardViewer
LoadCursorW
ShowWindow
GetSystemMetrics
FindWindowExW
SystemParametersInfoW
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW
SendMessageA
FindWindowA
shell32
ShellExecuteW
ord68
SHChangeNotify
SHGetSpecialFolderLocation
SHGetMalloc
SHGetFolderPathW
ShellExecuteExW
ord51
CommandLineToArgvW
ole32
CoTaskMemAlloc
CoSetProxyBlanket
CoTaskMemFree
StringFromCLSID
CoCreateInstance
CoInitializeSecurity
CoInitializeEx
CoUninitialize
CoTaskMemRealloc
oleaut32
SafeArrayCreate
VariantClear
VariantInit
VarUI4FromStr
SafeArrayAccessData
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayDestroy
SysStringLen
SysFreeString
SysAllocString
CreateErrorInfo
SetErrorInfo
VariantChangeType
SafeArrayUnaccessData
GetErrorInfo
version
GetFileVersionInfoA
GetFileVersionInfoSizeW
GetFileVersionInfoW
GetFileVersionInfoSizeA
VerQueryValueW
wininet
InternetCrackUrlW
InternetGetConnectedState
shlwapi
PathQuoteSpacesW
PathAppendW
PathBuildRootW
PathCanonicalizeW
PathCompactPathW
PathCommonPrefixW
PathFileExistsW
PathFindExtensionW
PathFindFileNameW
PathFindNextComponentW
PathGetArgsW
PathIsLFNFileSpecW
PathGetDriveNumberW
PathIsDirectoryW
PathIsDirectoryEmptyW
PathIsPrefixW
PathIsRelativeW
PathIsRootW
PathIsSameRootW
PathIsUNCW
PathIsNetworkPathW
PathIsURLW
PathRemoveArgsW
PathRemoveBackslashW
PathRemoveBlanksW
PathRemoveExtensionW
PathRemoveFileSpecW
PathRenameExtensionW
PathSearchAndQualifyW
PathUnquoteSpacesW
PathUnExpandEnvStringsW
StrFormatByteSizeW
UrlEscapeW
AssocQueryStringW
StrCmpNIW
StrDupW
StrCmpIW
PathMakePrettyW
PathAddBackslashW
userenv
UnloadUserProfile
LoadUserProfileW
DestroyEnvironmentBlock
CreateEnvironmentBlock
GetProfilesDirectoryW
netapi32
NetApiBufferFree
NetUserGetInfo
ntdll
NtUnloadDriver
NtLoadDriver
RtlInitUnicodeString
NtCreateKey
NtQueryKey
NtQuerySystemInformation
RtlLookupFunctionEntry
RtlVirtualUnwind
NtOpenKey
NtSetValueKey
NtDeleteValueKey
NtDeleteKey
wsock32
shutdown
getsockname
getsockopt
ntohs
gethostbyname
WSAStartup
gethostname
sendto
recvfrom
htonl
select
__WSAFDIsSet
getpeername
socket
setsockopt
listen
connect
closesocket
bind
accept
WSASetLastError
send
recv
getservbyname
inet_addr
htons
WSAGetLastError
WSACleanup
inet_ntoa
mpr
WNetGetConnectionW
wtsapi32
WTSQueryUserToken
WTSFreeMemory
WTSEnumerateSessionsW
wintrust
CryptCATAdminEnumCatalogFromHash
WinVerifyTrust
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminReleaseContext
CryptCATAdminReleaseCatalogContext
CryptCATCatalogInfoFromContext
CryptCATAdminAcquireContext
winhttp
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpCloseHandle
WinHttpOpen
WinHttpSendRequest
WinHttpOpenRequest
WinHttpConnect
WinHttpSetOption
WinHttpQueryDataAvailable
WinHttpWriteData
WinHttpReadData
iphlpapi
GetAdaptersAddresses
bcrypt
BCryptDeriveKeyPBKDF2
BCryptGenRandom
BCryptDestroyHash
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptDestroyKey
BCryptEncrypt
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptGetProperty
gdi32
DeleteDC
CreateCompatibleDC
BitBlt
GetObjectW
SelectObject
DeleteObject
fltlib
FilterReplyMessage
FilterGetMessage
FilterSendMessage
FilterConnectCommunicationPort
msimg32
TransparentBlt
comctl32
ImageList_SetOverlayImage
ImageList_ReplaceIcon
ImageList_Destroy
InitCommonControlsEx
Sections
.text Size: 16.9MB - Virtual size: 16.9MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 5.6MB - Virtual size: 5.6MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 414KB - Virtual size: 569KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 1.3MB - Virtual size: 1.3MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.gfids Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.tls Size: 512B - Virtual size: 9B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 5.3MB - Virtual size: 5.3MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 105KB - Virtual size: 105KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ