2024-03-05_ef925d940c7d1e11f43c7737bbc3f4c1_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-03-05_ef925d940c7d1e11f43c7737bbc3f4c1_ryuk
Size

24.4MB
MD5

ef925d940c7d1e11f43c7737bbc3f4c1
SHA1

71acd627e577235ed6ec70561afaf0c3f7923f05
SHA256

dd5508a6127a7f98cc29cb2b50517a70901297a6d049b0cf2497401f553bcbf9
SHA512

a3ac046e333d426d6369692321dde0a8d053185dbe408bd6a71bc2ac803f1c44a79f4541690aad00a3d4e3b6c9acd104e0760e633bb8fe4bb7116aa5d0305a9c
SSDEEP

98304:E2864aINeOsCacds5ZhgaOjnUXULOwQ3Y1AwMg+frPWC+R3GUgWEu9/vk7J6vfKb:MIUlgB/CcH0vTqyQrSGGLIDRqW2YV

Score

10^/10

Malware Config

Signatures

Detects executables containing URLs to raw contents of a Github gist 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Files

2024-03-05_ef925d940c7d1e11f43c7737bbc3f4c1_ryuk
.exe windows:6 windows x64 arch:x64

0efc7cf832c19aefae3e0712eaa63e3c

Code Sign

ea:15:6a:d9:e5:2e:41:da:ab:ba:36:72:c9:75:99:d9
Certificate

Issuer

CN=BooleanEffect(self)rootCA,OU=User,O=Aucdeloop

Not Before

20/10/2021, 16:23

Not After

27/09/2121, 16:23

Subject

CN=BooleanEffectCA,O=Aucdeloop,L=Kanagawa-ken,ST=Yokohama-shi,C=JP,1.2.840.113549.1.9.1=#0c0d6e6f6e65406e6f6e652e636f6d

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

ea:15:6a:d9:e5:2e:41:da:ab:ba:36:72:c9:75:99:d9
Certificate

Issuer

CN=BooleanEffect(self)rootCA,OU=User,O=Aucdeloop

Not Before

20/10/2021, 16:23

Not After

27/09/2121, 16:23

Subject

CN=BooleanEffectCA,O=Aucdeloop,L=Kanagawa-ken,ST=Yokohama-shi,C=JP,1.2.840.113549.1.9.1=#0c0d6e6f6e65406e6f6e652e636f6d

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

40:9f:e7:09:09:ea:67:1c:2a:63:88:e6:e0:18:e7:7a:82:57:a3:f2
Signer

Actual PE Digest

40:9f:e7:09:09:ea:67:1c:2a:63:88:e6:e0:18:e7:7a:82:57:a3:f2

Digest Algorithm

sha1

PE Digest Matches

true

7b:17:bd:3c:bc:37:4a:57:41:99:ef:58:5c:37:38:b7:e0:45:9d:06:aa:b2:cb:4f:e7:29:19:d5:1a:17:a7:02
Signer

Actual PE Digest

7b:17:bd:3c:bc:37:4a:57:41:99:ef:58:5c:37:38:b7:e0:45:9d:06:aa:b2:cb:4f:e7:29:19:d5:1a:17:a7:02

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

python38

PyArg_ParseTuple
PyArg_ParseTupleAndKeywords
PyArg_UnpackTuple
PyAsyncGen_Type
PyBaseObject_Type
PyBool_Type
PyBuffer_Release
PyByteArray_FromObject
PyByteArray_FromStringAndSize
PyByteArray_Type
PyBytes_FromStringAndSize
PyBytes_Type
PyCFunction_NewEx
PyCFunction_Type
PyCallIter_Type
PyCallable_Check
PyCapsule_New
PyCode_NewWithPosOnlyArgs
PyCode_Type
PyComplex_FromDoubles
PyComplex_Type
PyConfig_SetArgv
PyConfig_SetString
PyCoro_Type
PyDictItems_Type
PyDictKeys_Type
PyDictValues_Type
PyDict_DelItem
PyDict_DelItemString
PyDict_GetItem
PyDict_GetItemString
PyDict_Merge
PyDict_MergeFromSeq2
PyDict_New
PyDict_SetItem
PyDict_SetItemString
PyDict_Type
PyEllipsis_Type
PyEnum_Type
PyErr_BadArgument
PyErr_ExceptionMatches
PyErr_Format
PyErr_NoMemory
PyErr_Print
PyErr_PrintEx
PyErr_SetInterrupt
PyErr_WarnEx
PyErr_WriteUnraisable
PyEval_AcquireThread
PyEval_EvalCode
PyEval_EvalCodeEx
PyEval_EvalFrameEx
PyEval_GetFrame
PyEval_GetFuncName
PyEval_RestoreThread
PyEval_SaveThread
PyExc_AssertionError
PyExc_AttributeError
PyExc_BaseException
PyExc_EOFError
PyExc_Exception
PyExc_GeneratorExit
PyExc_ImportError
PyExc_ImportWarning
PyExc_IndexError
PyExc_KeyError
PyExc_KeyboardInterrupt
PyExc_LookupError
PyExc_NameError
PyExc_NotImplementedError
PyExc_OSError
PyExc_OverflowError
PyExc_RuntimeError
PyExc_StopAsyncIteration
PyExc_StopIteration
PyExc_SystemError
PyExc_TypeError
PyExc_UnboundLocalError
PyExc_UnicodeDecodeError
PyExc_UnicodeEncodeError
PyExc_UnicodeError
PyExc_ValueError
PyExc_ZeroDivisionError
PyException_GetContext
PyException_SetCause
PyException_SetContext
PyFilter_Type
PyFloat_FromDouble
PyFloat_FromString
PyFloat_Type
PyFrame_GetLineNumber
PyFrame_New
PyFrame_Type
PyFrozenSet_New
PyFrozenSet_Type
PyFunction_Type
PyGen_Type
PyImport_ExecCodeModule
PyImport_ExecCodeModuleEx
PyImport_FrozenModules
PyImport_GetModuleDict
PyImport_ImportFrozenModule
PyImport_ImportModule
PyIter_Next
PyList_New
PyList_SetItem
PyList_Sort
PyList_Type
PyLong_AsLong
PyLong_AsLongAndOverflow
PyLong_AsSsize_t
PyLong_FromLong
PyLong_FromLongLong
PyLong_FromSsize_t
PyLong_FromString
PyLong_FromUnicodeObject
PyLong_FromUnsignedLongLong
PyLong_FromVoidPtr
PyLong_Type
PyMap_Type
PyMapping_Check
PyMapping_Size
PyMarshal_ReadObjectFromString
PyMem_Malloc
PyMem_Realloc
PyMemoryView_Type
PyMethod_Type
PyModuleDef_Type
PyModule_ExecDef
PyModule_FromDefAndSpec2
PyModule_GetDef
PyModule_GetDict
PyModule_GetFilenameObject
PyModule_GetName
PyModule_NewObject
PyModule_Type
PyNumber_Add
PyNumber_AsSsize_t
PyNumber_Float
PyNumber_FloorDivide
PyNumber_InPlaceAdd
PyNumber_InPlaceLshift
PyNumber_InPlaceMultiply
PyNumber_Invert
PyNumber_Long
PyNumber_Negative
PyNumber_Positive
PyNumber_Subtract
PyNumber_ToBase
PyOS_snprintf
PyObject_ASCII
PyObject_Call
PyObject_CallFunctionObjArgs
PyObject_CallMethod
PyObject_CallMethodObjArgs
PyObject_CallObject
PyObject_ClearWeakRefs
PyObject_DelItem
PyObject_Dir
PyObject_Free
PyObject_GC_Del
PyObject_GenericSetAttr
PyObject_GetAttr
PyObject_GetAttrString
PyObject_GetBuffer
PyObject_GetItem
PyObject_GetIter
PyObject_HasAttrString
PyObject_IsInstance
PyObject_IsSubclass
PyObject_IsTrue
PyObject_LengthHint
PyObject_Malloc
PyObject_Realloc
PyObject_Repr
PyObject_RichCompareBool
PyObject_SelfIter
PyObject_SetAttr
PyObject_SetAttrString
PyObject_SetItem
PyProperty_Type
PyRange_Type
PyReversed_Type
PySeqIter_Type
PySequence_Check
PySequence_Contains
PySequence_InPlaceConcat
PySequence_List
PySequence_Tuple
PySet_Add
PySet_New
PySet_Type
PySlice_New
PySlice_Type
PyStructSequence_InitType
PyStructSequence_New
PySuper_Type
PySys_GetObject
PySys_SetArgv
PySys_SetObject
PySys_WriteStderr
PyTraceBack_Type
PyTuple_New
PyTuple_Pack
PyTuple_Type
PyType_GetFlags
PyType_IsSubtype
PyType_Ready
PyType_Type
PyUnicode_AsUTF8
PyUnicode_AsUnicode
PyUnicode_Concat
PyUnicode_DecodeUTF8
PyUnicode_Find
PyUnicode_FindChar
PyUnicode_Format
PyUnicode_FromEncodedObject
PyUnicode_FromFormat
PyUnicode_FromOrdinal
PyUnicode_FromString
PyUnicode_FromStringAndSize
PyUnicode_FromWideChar
PyUnicode_GetLength
PyUnicode_InternInPlace
PyUnicode_Join
PyUnicode_New
PyUnicode_Substring
PyUnicode_Type
PyWideStringList_Append
PyZip_Type
Py_BuildValue
Py_BytesWarningFlag
Py_CompileStringExFlags
Py_DebugFlag
Py_DontWriteBytecodeFlag
Py_Exit
Py_ExitStatusException
Py_FrozenFlag
Py_IgnoreEnvironmentFlag
Py_InitializeFromConfig
Py_InspectFlag
Py_InteractiveFlag
Py_MakePendingCalls
Py_NoSiteFlag
Py_NoUserSiteDirectory
Py_OptimizeFlag
Py_SetProgramName
Py_UTF8Mode
Py_VerboseFlag
_PyArg_NoKeywords
_PyAsyncGenWrappedValue_Type
_PyByteArray_empty_string
_PyBytes_Resize
_PyConfig_InitCompatConfig
_PyDict_NewPresized
_PyErr_FormatFromCause
_PyErr_NormalizeException
_PyGen_FetchStopIterationValue
_PyGen_SetStopIterationValue
_PyImport_FixupExtensionObject
_PyLong_New
_PyObject_GC_Malloc
_PyObject_GC_Resize
_PyObject_HasLen
_PyObject_New
_PyRuntime
_PyRuntime_Initialize
_PySet_NextEntry
_PyTraceMalloc_NewReference
_PyType_Lookup
_PyUnicode_Ready
_PyWarnings_Init
_Py_CheckRecursionLimit
_Py_CheckRecursiveCall
_Py_EllipsisObject
_Py_FalseStruct
_Py_NoneStruct
_Py_NotImplementedStruct
_Py_PackageContext
_Py_TrueStruct
_Py_path_config
_Py_tracemalloc_config

kernel32

CloseHandle
CreateFileW
CreateThread
DeleteCriticalSection
EncodePointer
EnterCriticalSection
ExitProcess
FindClose
FindFirstFileExW
FindNextFileW
FindResourceA
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FormatMessageA
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetConsoleMode
GetConsoleOutputCP
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetEnvironmentVariableA
GetEnvironmentVariableW
GetFileSizeEx
GetFileType
GetLastError
GetModuleFileNameW
GetModuleHandleExW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetShortPathNameW
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSectionAndSpinCount
InitializeSListHead
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
LCMapStringW
LeaveCriticalSection
LoadLibraryExW
LoadResource
LockResource
MultiByteToWideChar
OpenProcess
QueryPerformanceCounter
RaiseException
RtlCaptureContext
RtlLookupFunctionEntry
RtlPcToFileHeader
RtlUnwindEx
RtlVirtualUnwind
SetDllDirectoryW
SetEnvironmentVariableW
SetErrorMode
SetFilePointerEx
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFile

Sections

.text
Size: 16.7MB - Virtual size: 16.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 99KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 36KB - Virtual size: 513KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 142KB - Virtual size: 141KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gxfg
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 7.5MB - Virtual size: 7.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0efc7cf832c19aefae3e0712eaa63e3c

Code Sign

ea:15:6a:d9:e5:2e:41:da:ab:ba:36:72:c9:75:99:d9Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

ea:15:6a:d9:e5:2e:41:da:ab:ba:36:72:c9:75:99:d9Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

40:9f:e7:09:09:ea:67:1c:2a:63:88:e6:e0:18:e7:7a:82:57:a3:f2Signer

7b:17:bd:3c:bc:37:4a:57:41:99:ef:58:5c:37:38:b7:e0:45:9d:06:aa:b2:cb:4f:e7:29:19:d5:1a:17:a7:02Signer

Headers

DLL Characteristics

File Characteristics

Imports

python38

kernel32

Sections

.text Size: 16.7MB - Virtual size: 16.7MB

.rdata Size: 99KB - Virtual size: 98KB

.data Size: 36KB - Virtual size: 513KB

.pdata Size: 142KB - Virtual size: 141KB

.00cfg Size: 512B - Virtual size: 56B

.gxfg Size: 6KB - Virtual size: 5KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 7.5MB - Virtual size: 7.5MB

.reloc Size: 5KB - Virtual size: 4KB

ea:15:6a:d9:e5:2e:41:da:ab:ba:36:72:c9:75:99:d9
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

ea:15:6a:d9:e5:2e:41:da:ab:ba:36:72:c9:75:99:d9
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

40:9f:e7:09:09:ea:67:1c:2a:63:88:e6:e0:18:e7:7a:82:57:a3:f2
Signer

7b:17:bd:3c:bc:37:4a:57:41:99:ef:58:5c:37:38:b7:e0:45:9d:06:aa:b2:cb:4f:e7:29:19:d5:1a:17:a7:02
Signer

.text
Size: 16.7MB - Virtual size: 16.7MB

.rdata
Size: 99KB - Virtual size: 98KB

.data
Size: 36KB - Virtual size: 513KB

.pdata
Size: 142KB - Virtual size: 141KB

.00cfg
Size: 512B - Virtual size: 56B

.gxfg
Size: 6KB - Virtual size: 5KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 7.5MB - Virtual size: 7.5MB

.reloc
Size: 5KB - Virtual size: 4KB