2024-03-05_e34bbad7a22037387b05d0eab1bb7911_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-03-05_e34bbad7a22037387b05d0eab1bb7911_ryuk
Size

1.4MB
MD5

e34bbad7a22037387b05d0eab1bb7911
SHA1

a9c757227f3562cd14f6683c9040508a1c6576b6
SHA256

c5baae149c6b00d26c0227f0c7c8d9ae99254c167ec7aa26e7395a063a23fba6
SHA512

3d8db06d0878745453b99c0b71c047b8c0ef64ecdce3e7fe7881484428237838b7c7f8e11b9844d3c11871a8a366b0002f0e7b9b35d692b7bfbd993f474a8e98
SSDEEP

24576:Cju1W9h8EfIisc6sYNm222222222222222222222uQ/TwSfVcYG3K/cJHlnFR+ID:C6WjRfBsc6s/QLNiXicJFFRGNzj3

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-03-05_e34bbad7a22037387b05d0eab1bb7911_ryuk

Files

2024-03-05_e34bbad7a22037387b05d0eab1bb7911_ryuk
.exe windows:6 windows x64 arch:x64

554784fb6fea3a783b4391bb2c4f7f65

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\PROG\HotKey\x64\Release\QLBController.pdb

Imports

keyboardhook

?InstallHook@@YAHPEAUHWND__@@@Z
?UnInstallHook@@YAHPEAUHWND__@@@Z

wtsapi32

WTSRegisterSessionNotification
WTSUnRegisterSessionNotification

shell32

SHGetFolderPathW
ShellExecuteW
SHCreateDirectoryExW

kernel32

HeapFree
HeapReAlloc
GetProcessHeap
FindResourceExW
InitializeCriticalSectionEx
GetLastError
RaiseException
DecodePointer
DeleteCriticalSection
HeapSize
HeapDestroy
SizeofResource
LockResource
LoadResource
FindResourceW
GetTempPathW
Sleep
VerifyVersionInfoW
VerSetConditionMask
LocalFree
CallNamedPipeA
HeapAlloc
CreateToolhelp32Snapshot
SetEndOfFile
WriteConsoleW
SetFilePointerEx
ReadConsoleW
ReadFile
FlushFileBuffers
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
IsDebuggerPresent
OutputDebugStringW
EnterCriticalSection
LeaveCriticalSection
CloseHandle
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
GetProcAddress
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
MultiByteToWideChar
WideCharToMultiByte
GetLocalTime
GetModuleFileNameW
InitializeCriticalSection
WaitForSingleObject
CreateDirectoryW
CreateMutexW
ReleaseMutex
GetFileAttributesExW
GetFullPathNameW
FindFirstFileW
FindNextFileW
FindClose
DeleteFileW
GetTempFileNameW
MoveFileW
SetLastError
Process32FirstW
lstrcmpiW
Process32NextW
CreateFileW
WriteFile
RtlPcToFileHeader
EncodePointer
RtlUnwindEx
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetStdHandle
GetACP
CreateThread
ExitThread
FreeLibraryAndExitThread
GetFileType
GetStringTypeW
GetConsoleCP
GetConsoleMode
LCMapStringW
FindFirstFileExW
IsValidCodePage
GetOEMCP

user32

LoadIconW
DispatchMessageW
TranslateMessage
TranslateAcceleratorW
CreateWindowExW
LoadCursorW
RegisterWindowMessageW
LoadStringW
DestroyWindow
DefWindowProcW
PostQuitMessage
LoadAcceleratorsW
RegisterClassExW
GetMessageW

ole32

OleRun
CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoInitialize

oleaut32

VariantClear
VariantCopy
VariantInit
SysFreeString
SysAllocString
SafeArrayGetElement
GetErrorInfo

advapi32

RegCloseKey
RegQueryValueExW
RegisterEventSourceW
DeregisterEventSource
ReportEventW
RegOpenKeyExW

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

Sections

.text
Size: 181KB - Virtual size: 181KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 93KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 568KB - Virtual size: 568KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 568KB - Virtual size: 572KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

554784fb6fea3a783b4391bb2c4f7f65

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

keyboardhook

wtsapi32

shell32

kernel32

user32

ole32

oleaut32

advapi32

version

Sections

.text Size: 181KB - Virtual size: 181KB

.rdata Size: 93KB - Virtual size: 93KB

.data Size: 5KB - Virtual size: 11KB

.pdata Size: 10KB - Virtual size: 9KB

.gfids Size: 512B - Virtual size: 308B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 568KB - Virtual size: 568KB

.reloc Size: 568KB - Virtual size: 572KB

.text
Size: 181KB - Virtual size: 181KB

.rdata
Size: 93KB - Virtual size: 93KB

.data
Size: 5KB - Virtual size: 11KB

.pdata
Size: 10KB - Virtual size: 9KB

.gfids
Size: 512B - Virtual size: 308B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 568KB - Virtual size: 568KB

.reloc
Size: 568KB - Virtual size: 572KB