2024-02-21_e95e477a28313ea6ef4ada4472442dc3_ryuk_sliver

Sharing

Copy URL Twitter E-mail

General

Target

2024-02-21_e95e477a28313ea6ef4ada4472442dc3_ryuk_sliver
Size

14.5MB
MD5

e95e477a28313ea6ef4ada4472442dc3
SHA1

b48f470fdb592ec3ae8f1827d41561505877d525
SHA256

86f98479c88a06ae243ac0f271daf28d4a8b42a189c055c58f326e98761bfc3b
SHA512

78eb0a75234f77c3e59f4a6d921547232abf54042a1adf68abb6932e3520958c1e482a7015c8bd38f4ba63e68ad999bcafeb2896880d8350287400e0d0fe1bb2
SSDEEP

393216:V6BbTb9bpoRSggLVHJh6QCQcDdtununma:g/j5CQchRma

Score

1^/10

Malware Config

Signatures

Files

2024-02-21_e95e477a28313ea6ef4ada4472442dc3_ryuk_sliver
.exe windows:6 windows x64 arch:x64

37795de97d129d50416e49c11aa92399

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25/05/2021, 00:00

Not After

31/12/2028, 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22/03/2021, 00:00

Not After

21/03/2036, 23:59

Subject

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

18:39:af:85:74:aa:0e:80:c3:71:d9:80:34:61:dd:7b
Certificate

Issuer

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Not Before

13/01/2022, 00:00

Not After

12/01/2025, 23:59

Subject

CN=ADLICE,O=ADLICE,ST=Loire-Atlantique,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

31:be:2f:7f:bc:16:fb:71:8e:f9:68:c4:8e:53:5a:64:c2:f6:94:1f
Signer

Actual PE Digest

31:be:2f:7f:bc:16:fb:71:8e:f9:68:c4:8e:53:5a:64:c2:f6:94:1f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\Adlice\RogueKillerQt\x64\RelWithDebInfo\roguekillersvc.pdb

Imports

kernel32

ConnectNamedPipe
DisconnectNamedPipe
SetNamedPipeHandleState
PeekNamedPipe
CreateNamedPipeW
WaitNamedPipeW
GetOverlappedResult
CancelIo
lstrcmpA
lstrcpyW
GetTickCount
GetDiskFreeSpaceW
GetDriveTypeW
GetFileType
GetVolumePathNameW
SetFilePointerEx
GetVolumeNameForVolumeMountPointW
HeapAlloc
HeapFree
GetProcessHeap
lstrcmpiW
lstrlenW
IsBadReadPtr
IsBadWritePtr
SetFilePointer
QueueUserWorkItem
LoadLibraryExW
GlobalAlloc
GlobalFree
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
GetStdHandle
SwitchToFiber
DeleteFiber
CreateFiber
QueryPerformanceCounter
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
LoadLibraryA
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
FormatMessageA
InitializeCriticalSectionEx
SleepEx
QueryPerformanceFrequency
GetSystemDirectoryA
VerifyVersionInfoA
WriteFile
ExpandEnvironmentStringsA
CreateFileMappingA
SwitchToThread
ReadFile
FlushFileBuffers
DeviceIoControl
QueryDosDeviceW
InterlockedPushEntrySList
RtlPcToFileHeader
DefineDosDeviceW
K32GetModuleInformation
Module32NextW
Module32FirstW
GetModuleHandleW
CreateRemoteThread
WriteProcessMemory
VirtualFreeEx
VirtualAllocEx
OpenThread
CreateThread
RtlUnwindEx
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLocaleInfoW
LCMapStringW
CompareStringW
RaiseException
FormatMessageW
GetSystemInfo
GetSystemTimes
Sleep
SetErrorMode
GetCPInfo
DecodePointer
EncodePointer
GetStringTypeW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
MoveFileExW
MoveFileW
SetFileAttributesW
RemoveDirectoryW
GetFileTime
GetFileAttributesExW
FindNextFileW
FindFirstFileW
FindClose
CreateFileW
CreateDirectoryW
GetTimeFormatW
GetDateFormatW
SystemTimeToFileTime
FileTimeToSystemTime
TzSpecificLocalTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetSystemTime
CompareFileTime
DeleteCriticalSection
TryEnterCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
GetModuleFileNameW
GetModuleFileNameA
FreeLibrary
GetVersionExA
OutputDebugStringA
GetFileAttributesW
GetEnvironmentVariableW
RtlCaptureContext
LocalAlloc
CopyFileW
DeleteFileW
WideCharToMultiByte
MultiByteToWideChar
GetComputerNameW
GetSystemDirectoryW
GetTempPathW
GetTempFileNameW
GetVersionExW
VerSetConditionMask
Thread32Next
Thread32First
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
K32GetProcessImageFileNameW
K32GetModuleFileNameExW
K32GetModuleBaseNameW
TerminateJobObject
AssignProcessToJobObject
CreateJobObjectW
GetProcAddress
GetModuleHandleA
ReadProcessMemory
OpenProcess
GetProcessId
CreateProcessW
TerminateThread
GetExitCodeProcess
TerminateProcess
GetProcessTimes
SetLastError
GetLastError
GetCurrentProcessId
GetCurrentProcess
GetShortPathNameW
GetLongPathNameW
GetFullPathNameW
GetCurrentDirectoryW
ExpandEnvironmentStringsW
LocalFree
GetCommandLineW
ExitProcess
SetConsoleCtrlHandler
ExitThread
FreeLibraryAndExitThread
HeapReAlloc
GetCommandLineA
GetACP
GetConsoleCP
IsValidLocale
GetVolumeInformationW
SetHandleInformation
GetUserDefaultLCID
EnumSystemLocalesW
SetStdHandle
GetFullPathNameA
SetEndOfFile
HeapSize
GetTimeZoneInformation
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
OutputDebugStringW
WriteConsoleW
CreateMutexW
OpenMutexW
GetGeoInfoW
GetUserGeoID
GetThreadLocale
WaitForMultipleObjects
CreateEventW
WaitForSingleObject
CreateIoCompletionPort
GetQueuedCompletionStatus
ResetEvent
SetEvent
WaitForSingleObjectEx
CloseHandle
LockFileEx
UnlockFile
HeapCompact
DeleteFileA
FlushViewOfFile
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapValidate
UnlockFileEx
InitializeCriticalSection
LockFile
AreFileApisANSI
VirtualQueryEx
CreateFileA
HeapCreate
GetFileSize
HeapDestroy
FindResourceW
SizeofResource
LockResource
LoadResource
GetFileSizeEx
GetTickCount64

user32

EnumWindows
GetWindowThreadProcessId
GetSystemMetrics
SystemParametersInfoW
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW
SendMessageA
FindWindowA
CharNextW
GetClassNameW
EnumChildWindows
GetWindowTextW
IsWindowVisible
SendMessageW

shell32

CommandLineToArgvW
ShellExecuteExW
SHGetFolderPathW
ord51

ole32

CoTaskMemAlloc
CoTaskMemRealloc
CoSetProxyBlanket
CoUninitialize
CoInitializeEx
CoInitializeSecurity
CoCreateInstance
StringFromCLSID
CoTaskMemFree

oleaut32

SysAllocString
SysFreeString
SysStringLen
VariantClear
VarUI4FromStr
VariantInit

advapi32

SetSecurityDescriptorDacl
QueryServiceStatus
RegisterServiceCtrlHandlerW
SetServiceStatus
StartServiceCtrlDispatcherW
GetSecurityInfo
StartServiceW
SetServiceObjectSecurity
QueryServiceStatusEx
QueryServiceConfig2W
QueryServiceConfigW
EnumServicesStatusW
EnumDependentServicesW
ChangeServiceConfigW
ChangeServiceConfig2W
CloseServiceHandle
ControlService
CreateServiceW
DeleteService
OpenSCManagerW
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
LookupAccountNameW
GetLengthSid
CopySid
GetTokenInformation
FreeSid
CheckTokenMembership
ConvertStringSidToSidW
ConvertSidToStringSidW
SetNamedSecurityInfoW
GetNamedSecurityInfoW
GetExplicitEntriesFromAclW
SetEntriesInAclW
RegSetKeySecurity
RegGetKeySecurity
LookupAccountSidW
SetSecurityDescriptorOwner
RegQueryValueExW
IsValidSid
IsValidSecurityDescriptor
InitializeSecurityDescriptor
InitializeAcl
GetAce
AllocateAndInitializeSid
RegSetValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumValueW
RegEnumKeyExW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyExW
RegCloseKey
GetUserNameW
LookupPrivilegeValueW
DuplicateTokenEx
AdjustTokenPrivileges
OpenProcessToken
CreateProcessAsUserW
OpenServiceW

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

wininet

InternetGetConnectedState

shlwapi

PathIsDirectoryW
PathGetDriveNumberW
PathRemoveBackslashW
PathFindFileNameW
PathFindExtensionW
PathFileExistsW
PathCommonPrefixW
PathAppendW
PathRemoveBlanksW
PathRemoveExtensionW
PathRemoveFileSpecW
PathSearchAndQualifyW
PathUnquoteSpacesW
PathUnExpandEnvStringsW
StrDupW
StrCmpIW
PathIsPrefixW
PathIsRelativeW
PathIsNetworkPathW
PathQuoteSpacesW
PathAddBackslashW
PathRemoveArgsW
PathGetArgsW

userenv

GetProfilesDirectoryW
DestroyEnvironmentBlock
CreateEnvironmentBlock

ntdll

NtUnloadDriver
RtlInitUnicodeString
NtCreateKey
NtDeleteKey
NtOpenKey
RtlLookupFunctionEntry
NtQuerySystemInformation
NtQueryKey
NtLoadDriver
NtDeleteValueKey
NtSetValueKey
RtlVirtualUnwind

wsock32

connect
gethostname
sendto
recvfrom
htonl
select
__WSAFDIsSet
htons
getpeername
inet_ntoa
getsockname
socket
setsockopt
getsockopt
ntohs
WSAStartup
WSACleanup
WSAGetLastError
recv
send
WSASetLastError
accept
bind
closesocket
listen
shutdown

mpr

WNetGetConnectionW

wtsapi32

WTSEnumerateSessionsW

wintrust

CryptCATCatalogInfoFromContext
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminEnumCatalogFromHash
CryptCATAdminReleaseCatalogContext
CryptCATAdminReleaseContext
CryptCATAdminAcquireContext
WinVerifyTrust

bcrypt

BCryptGenRandom
BCryptGenerateSymmetricKey
BCryptDestroyHash
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptDestroyKey
BCryptEncrypt
BCryptCloseAlgorithmProvider
BCryptDeriveKeyPBKDF2
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptGetProperty

ws2_32

getaddrinfo
freeaddrinfo
getnameinfo
inet_pton
WSAIoctl

crypt32

CertGetCertificateContextProperty
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertOpenStore
CryptQueryObject
CertGetNameStringW
CertNameToStrW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CryptMsgClose
CryptDecodeObject

fltlib

FilterConnectCommunicationPort
FilterSendMessage
FilterGetMessage
FilterReplyMessage

Sections

.text
Size: 6.5MB - Virtual size: 6.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 160KB - Virtual size: 276KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 409KB - Virtual size: 409KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 472B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5.3MB - Virtual size: 5.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 51KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

37795de97d129d50416e49c11aa92399

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0aCertificate

Extended Key Usages

Key Usages

18:39:af:85:74:aa:0e:80:c3:71:d9:80:34:61:dd:7bCertificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

31:be:2f:7f:bc:16:fb:71:8e:f9:68:c4:8e:53:5a:64:c2:f6:94:1fSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

shell32

ole32

oleaut32

advapi32

version

wininet

shlwapi

userenv

ntdll

wsock32

mpr

wtsapi32

wintrust

bcrypt

ws2_32

crypt32

fltlib

Sections

.text Size: 6.5MB - Virtual size: 6.5MB

.rdata Size: 2.1MB - Virtual size: 2.1MB

.data Size: 160KB - Virtual size: 276KB

.pdata Size: 409KB - Virtual size: 409KB

.gfids Size: 512B - Virtual size: 472B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 5.3MB - Virtual size: 5.3MB

.reloc Size: 51KB - Virtual size: 50KB

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

18:39:af:85:74:aa:0e:80:c3:71:d9:80:34:61:dd:7b
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

31:be:2f:7f:bc:16:fb:71:8e:f9:68:c4:8e:53:5a:64:c2:f6:94:1f
Signer

.text
Size: 6.5MB - Virtual size: 6.5MB

.rdata
Size: 2.1MB - Virtual size: 2.1MB

.data
Size: 160KB - Virtual size: 276KB

.pdata
Size: 409KB - Virtual size: 409KB

.gfids
Size: 512B - Virtual size: 472B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 5.3MB - Virtual size: 5.3MB

.reloc
Size: 51KB - Virtual size: 50KB