2024-02-23_155027406ff8e0715dfb7c996b7a6d23_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-02-23_155027406ff8e0715dfb7c996b7a6d23_ryuk
Size

1023KB
MD5

155027406ff8e0715dfb7c996b7a6d23
SHA1

2d2ca42cdec80bb5e66957de121520a50f186052
SHA256

aa91332b37e8ed23ca34a0b394c4375c9b2677320c945bf9b8f009f86777a4c7
SHA512

2fde307e8df53e4dd14d155791476c9b07d52c900d8e82d980b7fc0b73de86b4bd7daa2120b61a7f36e8a2ba90bf68f768246e75ba499bf180275ff569f87a0c
SSDEEP

24576:W5S54O4tjWlMV6Nyn2+XdMz2bsmIWz7llqyUpKAccydI5xxIOG:OkMVCmAxvW1YKTcyi4OG

Score

1^/10

Malware Config

Signatures

Files

2024-02-23_155027406ff8e0715dfb7c996b7a6d23_ryuk
.exe windows:5 windows x64 arch:x64

f6fb8ff8438e32320a749f30df0f48b8

Code Sign

5e:d0:e6:71:52:40:13:a2:42:07:dd:73:94:08:79:11
Certificate

Issuer

CN=RecipeCleanser,1.2.840.113549.1.9.1=#0c1b6469676974616c40726563697065636c65616e7365722e696e666f

Not Before

18/11/2018, 00:00

Not After

18/11/2019, 23:59

Subject

CN=RecipeCleanser,1.2.840.113549.1.9.1=#0c1b6469676974616c40726563697065636c65616e7365722e696e666f

fe:67:e4:f1:5a:24:e3:c6:0d:54:7c:a0:20:c2:76:70
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

08/03/2016, 13:10

Not After

30/05/2027, 13:10

Subject

CN=Certum EV TSA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

WSAGetLastError
recv
WSASetLastError
select
bind
closesocket
connect
getpeername
__WSAFDIsSet
send
ntohl
htonl
gethostname
ioctlsocket
listen
accept
sendto
recvfrom
freeaddrinfo
getaddrinfo
WSACleanup
WSAStartup
WSAIoctl
socket
setsockopt
ntohs
htons
getsockopt
getsockname

userenv

CreateEnvironmentBlock

wtsapi32

WTSEnumerateSessionsA
WTSFreeMemory
WTSQueryUserToken

rpcrt4

RpcStringFreeA
UuidToStringA

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

crypt32

CertAddCertificateContextToStore
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain

wldap32

ord30
ord79
ord35
ord33
ord32
ord27
ord26
ord200
ord41
ord50
ord301
ord60
ord45
ord46
ord217
ord143
ord22
ord211

normaliz

IdnToAscii

kernel32

CreateThread
GetModuleHandleExW
ExitProcess
CreateFileW
LoadLibraryExW
RtlUnwindEx
RtlPcToFileHeader
InitializeSListHead
GetStartupInfoW
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
ResetEvent
SetEvent
GetCPInfo
GetStringTypeW
GetLocaleInfoW
GetLastError
HeapDestroy
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
WideCharToMultiByte
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
GetTickCount
WTSGetActiveConsoleSessionId
CloseHandle
GetTempPathA
CreateToolhelp32Snapshot
GetCurrentProcessId
Process32First
Sleep
Process32Next
GetModuleFileNameA
GetCurrentProcess
GetProcAddress
GetModuleHandleA
LoadLibraryA
ExitThread
GetCurrentDirectoryA
OpenProcess
LocalFree
GetCurrentThreadId
CreateFileA
GetFileSize
ReadFile
GetComputerNameA
MoveFileExA
GetBinaryTypeA
VirtualAlloc
GetThreadContext
ReadProcessMemory
VirtualAllocEx
WriteProcessMemory
ResumeThread
GetCurrentThread
GetSystemDirectoryA
WriteFile
lstrcmpiA
WaitForSingleObject
FindFirstFileA
FindNextFileA
FindClose
InitializeCriticalSectionAndSpinCount
RaiseException
DecodePointer
DeleteCriticalSection
GetFileAttributesA
DeleteFileA
MultiByteToWideChar
TerminateThread
FindFirstVolumeW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
SleepEx
VerSetConditionMask
QueryPerformanceFrequency
VerifyVersionInfoA
QueryPerformanceCounter
WaitForSingleObjectEx
ExpandEnvironmentStringsA
GetStdHandle
GetFileType
PeekNamedPipe
WriteConsoleW
SetLastError
FormatMessageA
GetFileSizeEx
LCMapStringW
CompareStringW
GetModuleHandleW
GetSystemTimeAsFileTime
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
FreeLibraryAndExitThread
GetDriveTypeW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
SetFilePointerEx
GetCommandLineA
GetCommandLineW
GetACP
GetConsoleMode
ReadConsoleW
GetConsoleCP
GetDateFormatW
GetTimeFormatW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
SetStdHandle
SetEndOfFile
GetExitCodeProcess
CreateProcessA
GetFileAttributesExW
GetCurrentDirectoryW
GetFullPathNameW
GetTimeZoneInformation
FindFirstFileExA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
FreeLibrary
WaitForMultipleObjects
CreateEventW
EncodePointer
OutputDebugStringW
IsDebuggerPresent

user32

AllowSetForegroundWindow
GetWindowThreadProcessId
MsgWaitForMultipleObjects
DispatchMessageA
PeekMessageA

advapi32

CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
RegQueryValueExW
RegOpenKeyExW
RegEnumKeyA
StartServiceCtrlDispatcherA
AdjustTokenPrivileges
LookupPrivilegeValueA
CreateProcessAsUserA
DuplicateTokenEx
SetServiceObjectSecurity
QueryServiceObjectSecurity
CloseServiceHandle
OpenServiceA
OpenSCManagerA
RegOpenKeyA
RegSetKeySecurity
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
SetEntriesInAclA
BuildExplicitAccessWithNameA
LookupAccountSidA
ConvertStringSidToSidA
GetSecurityDescriptorDacl
RegGetKeySecurity
ConvertSidToStringSidA
GetTokenInformation
OpenProcessToken
RegCloseKey
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
CryptEncrypt

shell32

SHGetFolderPathA
ShellExecuteA
SHGetSpecialFolderPathW

ole32

CoTaskMemFree
CoUninitialize
CoCreateInstance
CoInitialize
CoCreateGuid

oleaut32

SysFreeString
SysAllocString
VariantInit
VariantClear

shlwapi

PathFileExistsA
PathRemoveFileSpecA
SHSetValueA
ord176
PathRemoveExtensionA
PathFindFileNameA
PathAppendA
SHGetValueA
SHDeleteKeyA

Sections

.text
Size: 678KB - Virtual size: 677KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 243KB - Virtual size: 242KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 1024B - Virtual size: 560B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 51KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f6fb8ff8438e32320a749f30df0f48b8

Code Sign

5e:d0:e6:71:52:40:13:a2:42:07:dd:73:94:08:79:11Certificate

fe:67:e4:f1:5a:24:e3:c6:0d:54:7c:a0:20:c2:76:70Certificate

Extended Key Usages

Key Usages

Signer

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

userenv

wtsapi32

rpcrt4

version

crypt32

wldap32

normaliz

kernel32

user32

advapi32

shell32

ole32

oleaut32

shlwapi

Sections

.text Size: 678KB - Virtual size: 677KB

.rdata Size: 243KB - Virtual size: 242KB

.data Size: 7KB - Virtual size: 14KB

.pdata Size: 33KB - Virtual size: 32KB

.gfids Size: 1024B - Virtual size: 560B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 51KB - Virtual size: 50KB

.reloc Size: 5KB - Virtual size: 5KB

5e:d0:e6:71:52:40:13:a2:42:07:dd:73:94:08:79:11
Certificate

fe:67:e4:f1:5a:24:e3:c6:0d:54:7c:a0:20:c2:76:70
Certificate

.text
Size: 678KB - Virtual size: 677KB

.rdata
Size: 243KB - Virtual size: 242KB

.data
Size: 7KB - Virtual size: 14KB

.pdata
Size: 33KB - Virtual size: 32KB

.gfids
Size: 1024B - Virtual size: 560B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 51KB - Virtual size: 50KB

.reloc
Size: 5KB - Virtual size: 5KB