2024-02-25_35c932ca69e678c8e525fb4a8884cf0e_ryuk

Sharing

Copy URL

Twitter E-mail

General

Target

2024-02-25_35c932ca69e678c8e525fb4a8884cf0e_ryuk
Size

9.0MB
MD5

35c932ca69e678c8e525fb4a8884cf0e
SHA1

4d931c0914c974276926eb5f79b50915bd3f6c10
SHA256

ebc41859beb5fe1c413a366b9a27382c252f179d7900a70e279d690c2e8afb1f
SHA512

2eec263988a85abe8dd5775a0cc7cc5ede3eb7c023affdea42112ec6e74b49ebe105d9e31554bc81b7d35114abca33922f4a2167016809e486463e03342e739b
SSDEEP

98304:uW9CuY1bXgD5nCibVWhfJ0lFzQS+rhLRSq/k/JX7rbW:fE1bgDEAohfJEzXULRP/kE

Score

10^/10

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Files

2024-02-25_35c932ca69e678c8e525fb4a8884cf0e_ryuk
.exe windows:6 windows x64 arch:x64

87f38afbed37aaabe414931dcce242fb

Code Sign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

30/05/2000, 10:48

Not After

30/05/2020, 10:48

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

cb:22:53:8b:ef:77:f6:8d:c2:9b:f8:ea:a4:1e:e5:6d
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

07/04/2015, 00:00

Not After

06/04/2017, 23:59

Subject

CN=Limetric,O=Limetric,POSTALCODE=1447 GT,STREET=President Kennedylaan 221,L=Amsterdam,ST=Noord-Holland,C=NL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

81:c9:96:04:b6:ef:43:7f:a8:1a:37:e7:f3:ae:8b:a8:3b:a5:48:67
Signer

Actual PE Digest

81:c9:96:04:b6:ef:43:7f:a8:1a:37:e7:f3:ae:8b:a8:3b:a5:48:67

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\projects\openrct2-ject9\bin\openrct2.pdb

Imports

kernel32

lstrcpyW
GetSystemTimeAsFileTime
AllocConsole
MoveFileW
CopyFileW
LocalFree
GetLocalTime
FreeConsole
CloseHandle
DeleteFileW
GetFileAttributesExW
AttachConsole
GetLastError
GetLocaleInfoA
GetModuleHandleA
GetFileAttributesW
GetModuleFileNameW
lstrlenW
GetCommandLineW
GetLogicalDrives
CreateDirectoryW
WideCharToMultiByte
MultiByteToWideChar
GetFullPathNameW
lstrcmpW
FindClose
FindNextFileW
FindFirstFileW
HeapSize
SetEndOfFile
GetProcessHeap
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetCPInfo
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExA
GetCurrentDirectoryW
SetStdHandle
FlushFileBuffers
GetTimeZoneInformation
GetStringTypeW
HeapReAlloc
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
FreeLibrary
GetProcAddress
LoadLibraryA
ExitProcess
SetLastError
FormatMessageA
RtlCaptureContext
CreateFileW
SetUnhandledExceptionFilter
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
ReleaseSemaphore
WaitForSingleObject
GetCurrentProcess
CreateThread
GetCurrentThreadId
GetProcessId
VirtualQueryEx
CreateSemaphoreW
LoadLibraryW
GetStdHandle
OutputDebugStringW
WriteConsoleW
GetFileSizeEx
ReadFile
SetFilePointer
SetFilePointerEx
WriteFile
SetErrorMode
GetTickCount
GetModuleHandleW
GlobalMemoryStatusEx
GetSystemInfo
lstrcatW
InitializeCriticalSectionAndSpinCount
TryEnterCriticalSection
GetEnvironmentVariableA
SetEnvironmentVariableA
GetCurrentThread
SetThreadPriority
QueryPerformanceCounter
QueryPerformanceFrequency
Sleep
GetFileType
GetCurrentProcessId
SwitchToThread
GetTickCount64
InitializeCriticalSectionEx
SleepEx
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
SetEvent
ResetEvent
WaitForMultipleObjects
TlsAlloc
TlsGetValue
TlsSetValue
VerSetConditionMask
FormatMessageW
VerifyVersionInfoW
GlobalAlloc
GlobalLock
GlobalUnlock
GetVersionExA
CompareStringA
MulDiv
GetSystemPowerStatus
MoveFileExW
GetSystemDirectoryA
VerifyVersionInfoA
WaitForSingleObjectEx
PeekNamedPipe
ExpandEnvironmentStringsA
RtlVirtualUnwind
GetFileTime
GlobalMemoryStatus
FlushConsoleInputBuffer
InitializeSListHead
CreateEventW
RtlLookupFunctionEntry
UnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
RtlPcToFileHeader
EncodePointer
RaiseException
InterlockedPushEntrySList
RtlUnwindEx
TlsFree
LoadLibraryExW
GetModuleFileNameA
GetModuleHandleExW
ExitThread
FreeLibraryAndExitThread
GetTempPathW
SetConsoleCtrlHandler
GetDriveTypeW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetConsoleMode
ReadConsoleInputA
SetConsoleMode
GetACP
ReadConsoleW
GetConsoleCP
HeapFree
HeapAlloc

user32

LoadIconA
MessageBoxW
MessageBoxA
SendMessageA
GetUserObjectSecurity
GetRawInputDeviceList
GetRawInputDeviceInfoA
SystemParametersInfoW
SystemParametersInfoA
DrawTextW
EndDialog
TranslateMessage
DispatchMessageW
PeekMessageW
GetMessageExtraInfo
DefWindowProcW
CallWindowProcW
RegisterClassW
UnregisterClassW
GetClassInfoW
IsIconic
GetKeyState
GetAsyncKeyState
GetMenu
GetUpdateRect
ValidateRect
GetPropW
GetClientRect
GetWindowRect
AdjustWindowRectEx
SetCursor
GetCursorPos
ClipCursor
ClientToScreen
ScreenToClient
WindowFromPoint
IsRectEmpty
GetWindowLongW
LoadImageW
GetRawInputData
GetProcessWindowStation
GetUserObjectInformationW
OpenClipboard
CloseClipboard
GetClipboardSequenceNumber
SetClipboardData
GetClipboardData
EmptyClipboard
IsClipboardFormatAvailable
GetKeyboardLayout
MapVirtualKeyW
TrackMouseEvent
SendMessageW
CreateWindowExW
DestroyWindow
ShowWindow
SetWindowPos
GetFocus
GetDC
ReleaseDC
SetPropW
RemovePropW
SetWindowTextW
GetWindowTextW
GetWindowTextLengthW
SetWindowLongW
GetWindowLongPtrW
SetWindowLongPtrW
CreateIconFromResource
SetWindowRgn
GetDoubleClickTime
SetCursorPos
LoadCursorW
DestroyIcon
CreateIconIndirect
RegisterRawInputDevices
ChangeDisplaySettingsExW
EnumDisplaySettingsW
EnumDisplayDevicesW
EnumDisplayMonitors
GetDesktopWindow
GetMessageW
RegisterDeviceNotificationW
UnregisterDeviceNotification
RegisterClassExW
DialogBoxIndirectParamW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

CryptGetHashParam
RegisterEventSourceW
ReportEventW
CryptAcquireContextA
CryptReleaseContext
CryptGenRandom
CryptCreateHash
RegDeleteTreeA
RegCloseKey
GetUserNameA
RegDeleteTreeW
RegCreateKeyW
RegOpenKeyW
RegSetValueW
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
DeregisterEventSource

shell32

DragAcceptFiles
DragFinish
DragQueryFileW
SHGetPathFromIDListW
SHGetKnownFolderPath
SHBrowseForFolderW
SHFileOperationW
SHGetFolderPathW
SHOpenFolderAndSelectItems
ord155
ord190
SHChangeNotify
SHGetMalloc
CommandLineToArgvW

ole32

CoTaskMemFree
CoInitializeEx
CoCreateInstance
CoUninitialize
CoInitialize

imm32

ImmReleaseContext
ImmSetCompositionWindow
ImmNotifyIME
ImmGetCandidateListW
ImmSetCompositionStringW
ImmGetCompositionStringW
ImmGetIMEFileNameA
ImmGetContext
ImmAssociateContext

version

GetFileVersionInfoSizeA
VerQueryValueA
GetFileVersionInfoA

winmm

waveOutUnprepareHeader
timeGetTime
timeBeginPeriod
timeEndPeriod
waveOutGetNumDevs
waveOutGetDevCapsW
waveInClose
waveInOpen
waveInGetDevCapsW
waveOutGetErrorTextW
waveOutWrite
waveInGetNumDevs
waveOutPrepareHeader
waveOutClose
waveOutOpen

crypt32

CertFreeCertificateContext

ws2_32

getnameinfo
htons
ntohs
WSAStartup
getsockopt
freeaddrinfo
setsockopt
WSAGetLastError
ioctlsocket
WSACleanup
ntohl
htonl
gethostname
sendto
recvfrom
recv
connect
socket
send
getaddrinfo
listen
shutdown
select
closesocket
bind
accept
__WSAFDIsSet
WSASetLastError
getpeername
getsockname
WSAIoctl

gdi32

GetDeviceCaps
BitBlt
CreateFontIndirectW
CreateCompatibleBitmap
CreateBitmap
CreateRectRgn
CombineRgn
SetDeviceGammaRamp
SetPixelFormat
GetPixelFormat
DescribePixelFormat
GetDeviceGammaRamp
CreateDCW
CreateDIBSection
SelectObject
DeleteObject
DeleteDC
CreateCompatibleDC
ChoosePixelFormat
GetDIBits
SwapBuffers
GetTextMetricsW

oleaut32

SysFreeString

Exports

Exports

zip_add
zip_archive_set_tempdir
zip_close
zip_delete
zip_discard
zip_error_code_system
zip_error_code_zip
zip_error_fini
zip_error_init
zip_error_init_with_code
zip_error_set
zip_error_system_type
zip_error_to_data
zip_fclose
zip_file_add
zip_file_rename
zip_file_replace
zip_fopen
zip_fopen_index_encrypted
zip_fread
zip_get_name
zip_get_num_files
zip_name_locate
zip_open
zip_open_from_source
zip_replace
zip_source_begin_write
zip_source_buffer
zip_source_buffer_create
zip_source_close
zip_source_commit_write
zip_source_error
zip_source_file
zip_source_file_create
zip_source_free
zip_source_function
zip_source_function_create
zip_source_keep
zip_source_make_command_bitmap
zip_source_open
zip_source_read
zip_source_rollback_write
zip_source_seek
zip_source_seek_compute_offset
zip_source_seek_write
zip_source_stat
zip_source_tell
zip_source_tell_write
zip_source_win32handle
zip_source_win32handle_create
zip_source_win32w
zip_source_win32w_create
zip_source_write
zip_stat_index
zip_stat_init
zip_unchange

Sections

.text
Size: 5.9MB - Virtual size: 5.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 415KB - Virtual size: 6.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 264KB - Virtual size: 264KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 336B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 61KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 55KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

87f38afbed37aaabe414931dcce242fb

Code Sign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22Certificate

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

cb:22:53:8b:ef:77:f6:8d:c2:9b:f8:ea:a4:1e:e5:6dCertificate

Extended Key Usages

Key Usages

81:c9:96:04:b6:ef:43:7f:a8:1a:37:e7:f3:ae:8b:a8:3b:a5:48:67Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

comdlg32

advapi32

shell32

ole32

imm32

version

winmm

crypt32

ws2_32

gdi32

oleaut32

Exports

Exports

Sections

.text Size: 5.9MB - Virtual size: 5.9MB

.rdata Size: 2.3MB - Virtual size: 2.3MB

.data Size: 415KB - Virtual size: 6.2MB

.pdata Size: 264KB - Virtual size: 264KB

.gfids Size: 512B - Virtual size: 336B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 61KB - Virtual size: 60KB

.reloc Size: 55KB - Virtual size: 55KB

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

cb:22:53:8b:ef:77:f6:8d:c2:9b:f8:ea:a4:1e:e5:6d
Certificate

81:c9:96:04:b6:ef:43:7f:a8:1a:37:e7:f3:ae:8b:a8:3b:a5:48:67
Signer

.text
Size: 5.9MB - Virtual size: 5.9MB

.rdata
Size: 2.3MB - Virtual size: 2.3MB

.data
Size: 415KB - Virtual size: 6.2MB

.pdata
Size: 264KB - Virtual size: 264KB

.gfids
Size: 512B - Virtual size: 336B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 61KB - Virtual size: 60KB

.reloc
Size: 55KB - Virtual size: 55KB