2024-03-07_670636b256a53a6b0e800d49a64eb809_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-03-07_670636b256a53a6b0e800d49a64eb809_ryuk
Size

1.8MB
MD5

670636b256a53a6b0e800d49a64eb809
SHA1

9696f32dd0399d06219e340590c61e1492b75536
SHA256

fa626f66d94736923d269fc89697f78f9a7a36a25db42bde14acf3dbe1940fe5
SHA512

d0f236860b3797271904b43526114c0946cabd1f7495fda68069b6252cabc09d59ec8e6485cfa98ece67fb7369a138a0fda979ff4be10cf2502304051fb26abf
SSDEEP

24576:miIRzVakfCrljcOxLcIfsxf1dOeoSYEvelnM0P:mZRzVakfCrlhXfGf1dOeoSzWlnt

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-03-07_670636b256a53a6b0e800d49a64eb809_ryuk

Files

2024-03-07_670636b256a53a6b0e800d49a64eb809_ryuk
.exe windows:6 windows x64 arch:x64

c3450b747b22f2447bb5c3214451ada3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

ssh-agent.pdb

Imports

libcrypto

EVP_CIPHER_CTX_get_app_data
EVP_CIPHER_CTX_set_app_data
ECDSA_do_sign
AES_set_encrypt_key
ECDSA_do_verify
ECDSA_SIG_new
AES_encrypt
DSA_do_sign
DSA_do_verify
ECDSA_SIG_free
DSA_SIG_new
EVP_sha384
EVP_md5
EVP_sha256
EVP_Digest
EVP_sha1
EVP_sha512
EVP_CIPHER_CTX_key_length
EVP_aes_256_cbc
DSA_SIG_free
EVP_aes_192_cbc
EVP_aes_256_gcm
EVP_aes_128_gcm
EC_POINT_oct2point
BN_bn2bin
EC_POINT_point2oct
BN_bin2bn
BN_init
RSA_public_decrypt
RSA_sign
BN_div
RSA_size
RSA_blinding_on
EC_GROUP_get_order
DSA_free
BN_clear_free
EC_KEY_set_private_key
BN_value_one
EC_METHOD_get_field_type
EC_POINT_mul
RSA_new
RSA_free
EC_POINT_get_affine_coordinates_GFp
EC_KEY_set_public_key
BN_CTX_get
EC_POINT_is_at_infinity
EC_POINT_free
EVP_aes_128_cbc
EC_KEY_free
BN_CTX_start
EC_KEY_get0_public_key
DSA_new
EC_POINT_new
BN_new
EC_KEY_get0_private_key
EC_KEY_get0_group
BN_CTX_new
BN_cmp
BN_sub
EVP_des_ede3_cbc
BN_CTX_free
EC_GROUP_method_of
EC_KEY_new_by_curve_name
BN_num_bits

api-ms-win-core-console-l1-1-0

ReadConsoleW
SetConsoleCtrlHandler
WriteConsoleW
GetConsoleCP
GetConsoleMode

api-ms-win-service-management-l1-1-0

OpenServiceW
OpenSCManagerW

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
LoadLibraryExW
GetModuleHandleExW
GetModuleFileNameW
FreeLibraryAndExitThread
FreeLibrary
GetProcAddress

api-ms-win-service-core-l1-1-0

StartServiceCtrlDispatcherW
SetServiceStatus

api-ms-win-service-winsvc-l1-1-0

RegisterServiceCtrlHandlerW
StartServiceA

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException

api-ms-win-security-base-l1-1-0

IsWellKnownSid
CreateWellKnownSid
EqualSid
CheckTokenMembership
DuplicateToken
GetTokenInformation
ImpersonateLoggedOnUser
RevertToSelf

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-handle-l1-1-0

CloseHandle
SetHandleInformation

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-namedpipe-l1-1-0

ConnectNamedPipe
CreateNamedPipeW

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-kernel32-legacy-l1-1-0

GetNamedPipeClientProcessId

api-ms-win-core-io-l1-1-0

CreateIoCompletionPort
GetOverlappedResult
GetQueuedCompletionStatus

api-ms-win-core-processthreads-l1-1-0

OpenProcessToken
GetExitCodeProcess
GetCurrentProcessId
CreateProcessW
ExitProcess
GetCurrentProcess
TerminateProcess
GetCurrentThreadId
GetStartupInfoW
CreateThread
TlsAlloc
QueueUserAPC
TlsGetValue
TlsSetValue
OpenThread
ExitThread
TlsFree

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegOpenKeyExA
RegDeleteTreeW
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegDeleteKeyExA
RegCreateKeyExA
RegOpenKeyExW
RegDeleteTreeA
RegCloseKey
RegOpenCurrentUser

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
WaitForMultipleObjectsEx
InitializeCriticalSectionAndSpinCount
WaitForSingleObjectEx
SetEvent
CreateEventA
LeaveCriticalSection
SleepEx
EnterCriticalSection
WaitForSingleObject

api-ms-win-core-file-l1-1-0

ReadFile
GetFileType
FindNextFileW
SetEndOfFile
FindFirstFileExW
FlushFileBuffers
FindClose
CreateFileW
SetFilePointerEx
WriteFile
WriteFileEx

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent

api-ms-win-core-heap-l2-1-0

LocalFree

crypt32

CryptStringToBinaryA
CryptProtectData
CryptUnprotectData

api-ms-win-core-processenvironment-l1-1-0

SetStdHandle
SetCurrentDirectoryW
GetStdHandle
SetEnvironmentVariableW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetCurrentDirectoryW
GetEnvironmentStringsW
GetCommandLineA
GetCommandLineW

api-ms-win-core-sysinfo-l1-1-0

GetLocalTime
GetSystemTimeAsFileTime

ws2_32

WSAGetLastError
WSASend
WSAStartup

api-ms-win-core-console-l2-1-0

ScrollConsoleScreenBufferA
SetConsoleWindowInfo
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
ReadConsoleOutputA
WriteConsoleOutputA
SetConsoleCursorInfo
FillConsoleOutputCharacterA
FillConsoleOutputAttribute
GetConsoleCursorInfo
SetConsoleScreenBufferSize
SetConsoleCursorPosition

api-ms-win-core-string-l1-1-0

GetStringTypeW
MultiByteToWideChar
CompareStringW
WideCharToMultiByte

api-ms-win-core-synch-ansi-l1-1-0

CreateWaitableTimerA

api-ms-win-core-util-l1-1-0

Beep

api-ms-win-core-localization-l1-2-0

GetOEMCP
GetCPInfo
GetACP
LCMapStringW
IsValidCodePage

user32

GetWindowPlacement
ShowWindow
FindWindowA

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnwindEx

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapSize
HeapAlloc
HeapReAlloc

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventWrite

Sections

.text
Size: 172KB - Virtual size: 172KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 167KB - Virtual size: 166KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

c3450b747b22f2447bb5c3214451ada3

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

libcrypto

api-ms-win-core-console-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-service-core-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-namedpipe-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-synch-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-heap-l2-1-0

crypt32

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

ws2_32

api-ms-win-core-console-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-ansi-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-localization-l1-2-0

user32

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-eventing-provider-l1-1-0

Sections

.text Size: 172KB - Virtual size: 172KB

.rdata Size: 167KB - Virtual size: 166KB

.data Size: 20KB - Virtual size: 36KB

.pdata Size: 9KB - Virtual size: 9KB

.rsrc Size: 3KB - Virtual size: 2KB

.reloc Size: 1.4MB - Virtual size: 1.4MB

.text
Size: 172KB - Virtual size: 172KB

.rdata
Size: 167KB - Virtual size: 166KB

.data
Size: 20KB - Virtual size: 36KB

.pdata
Size: 9KB - Virtual size: 9KB

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 1.4MB - Virtual size: 1.4MB