2024-04-10_26a8c4619dcc8740202373b7cea7cdc4_cobalt-strike_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-10_26a8c4619dcc8740202373b7cea7cdc4_cobalt-strike_ryuk
Size

987KB
MD5

26a8c4619dcc8740202373b7cea7cdc4
SHA1

223c8c9186be7e157f0615e80ca2078b51df3019
SHA256

2150ca6e1a80d357c499d4d3783aeedee82aaf0a634f2d489bf7d47e40d7037d
SHA512

b1d061b031dc6338f3c3231b8335dd8f6369552e6696f1a4862c1a21e35a83516d16f2e7f33b0343fec68da1615bd7bd49a522fb9a6b785588c164ca5020fa96
SSDEEP

12288:/KM3RHVVxqHS/3wb0n3AEqKbQP3vcfY93oUXgZ0up3u8aa:/p3RDEHS/gb0nyKbQSjX3u8aa

Score

1^/10

Malware Config

Signatures

Files

2024-04-10_26a8c4619dcc8740202373b7cea7cdc4_cobalt-strike_ryuk
.exe windows:5 windows x64 arch:x64

f3f684a59003fab746f9cfb1ad99821f

Code Sign

75:dc:f6:c0:d8:e7:93:af:39:e0:6b:38:e6:83:3c:02
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

17/03/2021, 00:00

Not After

16/03/2024, 23:59

Subject

CN=HSH Soft- und Hardware Vertriebs GmbH,OU=IT,O=HSH Soft- und Hardware Vertriebs GmbH,POSTALCODE=16356,STREET=Rudolf-Diesel-Str. 2,L=Ahrensfelde OT Lindenberg,ST=Brandenburg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03/05/2023, 00:00

Not After

02/08/2034, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #4,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

97:f1:20:ab:ce:e5:05:d9:50:67:f7:b0:c5:98:38:77:f6:f6:54:49:b5:b6:ec:dd:a2:5c:5d:de:b3:e2:19:3f:61:db:e8:62:69:6b:1c:32:fc:ea:1a:27:51:d9:23:d4:1e:40:07:a8:24:5c:93:97:1f:6d:93:f9:19:ad:5c:b5
Signer

Actual PE Digest

97:f1:20:ab:ce:e5:05:d9:50:67:f7:b0:c5:98:38:77:f6:f6:54:49:b5:b6:ec:dd:a2:5c:5d:de:b3:e2:19:3f:61:db:e8:62:69:6b:1c:32:fc:ea:1a:27:51:d9:23:d4:1e:40:07:a8:24:5c:93:97:1f:6d:93:f9:19:ad:5c:b5

Digest Algorithm

sha512

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\JenkinsHome\workspace\ServiceWrapper-VS2015\trunk\out\Release-ServiceWrapper-v8.1-x64\ServiceWrapper64.pdb

Imports

advapi32

StartServiceCtrlDispatcherA
CloseServiceHandle
ControlService
CreateServiceA
DeleteService
OpenSCManagerA
OpenServiceA
QueryServiceStatus
RegisterServiceCtrlHandlerA
SetServiceStatus
StartServiceA
DeregisterEventSource
RegisterEventSourceA
ReportEventA
OpenProcessToken
AdjustTokenPrivileges
IsValidSid
EqualSid
FreeSid
LookupAccountNameW
LookupPrivilegeValueA
GetUserNameA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
CreateProcessWithLogonW
SystemFunction036

psapi

EnumProcesses

kernel32

GetModuleHandleA
GetCommandLineW
GetComputerNameExA
IsWow64Process
CreateToolhelp32Snapshot
Process32First
Process32Next
RaiseException
CreateThread
SetThreadPriority
GetThreadPriority
TerminateThread
GetExitCodeThread
SuspendThread
ResumeThread
MulDiv
TerminateProcess
GetExitCodeProcess
WaitForSingleObject
SetStdHandle
SetHandleInformation
CreateProcessA
GetCommandLineA
ReleaseMutex
CreateMutexA
GetConsoleMode
SetConsoleMode
SetConsoleActiveScreenBuffer
SetEvent
CreateEventA
FreeLibrary
LoadLibraryA
LoadLibraryExA
WriteFile
ReadFile
CreatePipe
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
CreateFileA
GetModuleFileNameA
FindNextFileA
FindFirstFileExA
CreateDirectoryW
SetFilePointerEx
SetFileAttributesW
GetFileAttributesExW
MoveFileExW
ReadConsoleW
GetConsoleCP
FlushFileBuffers
LCMapStringW
CompareStringW
GetTimeZoneInformation
GetStringTypeW
HeapAlloc
HeapFree
GetACP
GetModuleHandleExW
ExitProcess
UnlockFileEx
LockFileEx
FindNextFileW
FindFirstFileExW
FindClose
GetCurrentDirectoryA
SetEnvironmentVariableW
SetEnvironmentVariableA
GetFullPathNameW
GetCurrentDirectoryW
SetCurrentDirectoryW
SystemTimeToFileTime
TzSpecificLocalTimeToSystemTime
SetFileTime
SetEndOfFile
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
HeapReAlloc
GetFileType
GetDriveTypeW
CreateFileW
WideCharToMultiByte
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
LoadLibraryExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
EncodePointer
SetLastError
GetModuleFileNameW
RtlUnwindEx
RtlPcToFileHeader
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetNativeSystemInfo
CloseHandle
GetCurrentThreadId
GetCurrentProcess
OpenProcess
GetProcAddress
GetCurrentProcessId
MultiByteToWideChar
DeleteFileA
RemoveDirectoryA
GetLocalTime
FormatMessageA
GetLastError
LocalFree
WriteConsoleA
SetConsoleCursorPosition
GetConsoleScreenBufferInfo
FindResourceA
GetTickCount
GetStdHandle
SizeofResource
LoadResource
LockResource
GetConsoleWindow
AttachConsole
FreeConsole
SetConsoleCtrlHandler
SetCurrentDirectoryA
Sleep
GetFullPathNameA
SetDllDirectoryA
IsValidCodePage
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
WriteConsoleW
HeapSize
GlobalFree

user32

DestroyCaret
CreateCaret
SwitchToThisWindow
GetFocus
SetFocus
GetWindowInfo
EnumDisplayMonitors
GetMonitorInfoA
MonitorFromWindow
EnumDisplayDevicesA
DrawIconEx
LoadCursorA
GetWindowThreadProcessId
EnumThreadWindows
EnumWindows
GetShellWindow
EnumChildWindows
SetParent
GetParent
SetClassLongA
GetClassLongA
SetWindowLongA
GetWindowLongA
ShowCaret
FillRect
WindowFromPoint
MapWindowPoints
GetCursorPos
GetWindowRect
GetClientRect
InvalidateRect
SetWindowRgn
EndPaint
BeginPaint
ReleaseDC
GetWindowDC
GetDC
GetForegroundWindow
UpdateWindow
DrawTextA
ReleaseCapture
SetCapture
IsZoomed
IsIconic
IsWindowVisible
SetWindowPos
ShowWindowAsync
SetLayeredWindowAttributes
ShowWindow
DestroyWindow
IsChild
IsWindow
CreateWindowExA
RegisterClassExA
UnregisterClassA
DefWindowProcA
PostMessageA
DispatchMessageA
TranslateMessage
GetMessageA
MessageBoxA
CharToOemBuffA
SendMessageA
SetCaretPos
GetCaretPos
GetSysColor
EnableWindow
PtInRect
GetDesktopWindow

gdi32

SetGraphicsMode
CreateDIBSection
GetTextMetricsA
SetDIBits
Rectangle
GetDIBits
GdiFlush
GetObjectA
SetStretchBltMode
SetPixel
SetBkMode
SetDCPenColor
SetDCBrushColor
SetBkColor
SelectObject
GetDeviceCaps
FrameRgn
DeleteObject
DeleteDC
CreateSolidBrush
CreateRectRgn
CreatePen
CreateFontA
CreateCompatibleDC
BitBlt
SetTextColor

shell32

ShellExecuteA

Exports

Exports

setLogLevel

Sections

.text
Size: 521KB - Virtual size: 520KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 375KB - Virtual size: 375KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tdwlogg
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f3f684a59003fab746f9cfb1ad99821f

Code Sign

75:dc:f6:c0:d8:e7:93:af:39:e0:6b:38:e6:83:3c:02Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4Certificate

Extended Key Usages

Key Usages

97:f1:20:ab:ce:e5:05:d9:50:67:f7:b0:c5:98:38:77:f6:f6:54:49:b5:b6:ec:dd:a2:5c:5d:de:b3:e2:19:3f:61:db:e8:62:69:6b:1c:32:fc:ea:1a:27:51:d9:23:d4:1e:40:07:a8:24:5c:93:97:1f:6d:93:f9:19:ad:5c:b5Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

psapi

kernel32

user32

gdi32

shell32

Exports

Exports

Sections

.text Size: 521KB - Virtual size: 520KB

.rdata Size: 375KB - Virtual size: 375KB

.data Size: 7KB - Virtual size: 12KB

.pdata Size: 45KB - Virtual size: 45KB

.tdwlogg Size: 512B - Virtual size: 4B

.gfids Size: 512B - Virtual size: 208B

.rsrc Size: 20KB - Virtual size: 19KB

.reloc Size: 8KB - Virtual size: 8KB

75:dc:f6:c0:d8:e7:93:af:39:e0:6b:38:e6:83:3c:02
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

97:f1:20:ab:ce:e5:05:d9:50:67:f7:b0:c5:98:38:77:f6:f6:54:49:b5:b6:ec:dd:a2:5c:5d:de:b3:e2:19:3f:61:db:e8:62:69:6b:1c:32:fc:ea:1a:27:51:d9:23:d4:1e:40:07:a8:24:5c:93:97:1f:6d:93:f9:19:ad:5c:b5
Signer

.text
Size: 521KB - Virtual size: 520KB

.rdata
Size: 375KB - Virtual size: 375KB

.data
Size: 7KB - Virtual size: 12KB

.pdata
Size: 45KB - Virtual size: 45KB

.tdwlogg
Size: 512B - Virtual size: 4B

.gfids
Size: 512B - Virtual size: 208B

.rsrc
Size: 20KB - Virtual size: 19KB

.reloc
Size: 8KB - Virtual size: 8KB