sshd.pdb
Sample
2024-04-16_00cbc3d8e06515b3fd1fd8d469989e3d_ryuk.exe
Resource
win7-20231129-en
General
-
Target
2024-04-16_00cbc3d8e06515b3fd1fd8d469989e3d_ryuk
-
Size
1.5MB
-
MD5
00cbc3d8e06515b3fd1fd8d469989e3d
-
SHA1
be594044ae35371b7302d1ef26c3cf99d1d107de
-
SHA256
dbce6b880e42edff17f21a2f10634a048d690ae693df6f1d89315708531b597f
-
SHA512
3c5c9e3278ddf520dd3e5c99cf6e91ce44367c73220ed98b2fc1f3feff0c0c3bc1f4e577e251fa6eade3fd9a010aa3a33af8fdd724fac66dff44cb05d1e76829
-
SSDEEP
24576:iyd9TGfR4DCmdIF2JPTulTzxBrpcLsqjnhMgeiCl7G0nehbGZpbD:9d9T2y2U62BT6TzxB0Dmg27RnWGj
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature. Note: this is the only signature listed for the sample, and a missing Authenticode signature is a weak indicator on its own (many benign binaries are unsigned). Nothing on this page ties the sample to Ryuk; the "_ryuk" suffix is part of the submitted filename, not a detection reported here.
resource 2024-04-16_00cbc3d8e06515b3fd1fd8d469989e3d_ryuk
Files
-
2024-04-16_00cbc3d8e06515b3fd1fd8d469989e3d_ryuk.exe windows:6 windows x64 arch:x64
84d377d1fcee2c5e131acb1ff50250fe (appears to be the import hash shown beneath the file entry — confirm before using it as a pivot)
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
Note: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and IMAGE_DLLCHARACTERISTICS_GUARD_CF are not among the listed flags. If this list is complete, the image is not opted in to ASLR (despite carrying a .reloc section, see Sections below) and has no Control Flow Guard, although DEP/NX compatibility is set.
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths (none listed in this section; the "sshd.pdb" name at the top of the page appears to be the PDB file name recovered from the sample — confirm against the debug directory)
Imports (the import profile below — OpenSSL key exchange, signature and cipher primitives, Winsock listen/bind, LSA logon, user-profile loading, restricted-token and CreateProcessAsUser calls, and service-control-dispatcher registration — is consistent with an SSH server daemon, as the sshd.pdb name suggests; treat this as an inference to confirm, not a verdict)
libcrypto (OpenSSL; the module is imported by the bare name "libcrypto". Several of the symbols below — SSLeay, SSLeay_version, EVP_MD_CTX_cleanup — are OpenSSL 1.0.x-era exports that were removed in 1.1.0, so the sample expects an end-of-life 1.0.x-series libcrypto DLL to be present on the host. Legacy algorithms such as MD5, SHA-1 and 3DES-CBC are also imported; being linked does not by itself mean they are enabled.)
EC_KEY_get0_private_key
BN_new
EC_GROUP_get_curve_name
EC_GROUP_set_asn1_flag
EVP_PKEY_get1_DSA
BN_CTX_new
EC_GROUP_cmp
BIO_free
BIO_write
EC_POINT_new
DSA_new
EC_GROUP_free
EC_KEY_get0_public_key
EVP_PKEY_get1_RSA
BN_cmp
EVP_PKEY_free
BN_CTX_start
EC_KEY_free
EVP_aes_128_cbc
BN_sub
EVP_MD_CTX_cleanup
AES_encrypt
AES_set_encrypt_key
EVP_CIPHER_CTX_get_app_data
EVP_CIPHER_CTX_set_app_data
ECDH_compute_key
EC_POINT_clear_free
EC_GROUP_get_degree
DH_compute_key
DH_size
ECDSA_do_sign
ECDSA_SIG_free
ECDSA_do_verify
ECDSA_SIG_new
EC_GROUP_new_by_curve_name
DSA_do_sign
EVP_PKEY_base_id
SSLeay_version
BN_CTX_free
RAND_poll
EC_GROUP_method_of
RAND_seed
DSA_do_verify
EC_KEY_new_by_curve_name
BN_num_bits
DSA_SIG_new
EC_POINT_free
DSA_SIG_free
RSA_public_decrypt
RSA_sign
BN_div
RSA_size
RAND_status
SSLeay
EVP_CIPHER_CTX_key_length
EVP_CIPHER_CTX_new
EVP_aes_256_cbc
EVP_CIPHER_CTX_iv_length
EVP_CipherInit
EVP_des_ede3_cbc
EVP_aes_192_cbc
EVP_CIPHER_CTX_ctrl
EVP_CIPHER_CTX_set_key_length
EVP_Cipher
EVP_aes_256_gcm
EVP_aes_128_gcm
EVP_CIPHER_CTX_free
EC_POINT_oct2point
BN_bn2bin
EC_POINT_point2oct
BN_bin2bn
BN_is_bit_set
BN_hex2bn
DH_new
DH_generate_key
EVP_sha384
EVP_MD_CTX_copy_ex
EVP_md5
EVP_sha256
EVP_DigestUpdate
EVP_Digest
EVP_DigestInit_ex
EVP_MD_CTX_md
EVP_sha1
EVP_MD_block_size
EVP_sha512
EVP_DigestFinal_ex
RSA_blinding_on
BN_dup
EC_GROUP_get_order
DSA_free
BIO_new
EC_POINT_cmp
BN_clear_free
ERR_peek_error
EC_KEY_set_private_key
BN_value_one
EVP_PKEY_get1_EC_KEY
EC_METHOD_get_field_type
EC_POINT_mul
RSA_new
EC_KEY_generate_key
RSA_free
ERR_get_error
EC_POINT_get_affine_coordinates_GFp
ERR_peek_last_error
EC_KEY_set_public_key
BN_free
BN_CTX_get
EC_KEY_set_group
EC_POINT_is_at_infinity
BIO_s_mem
PEM_read_bio_PrivateKey
EC_KEY_get0_group
RAND_bytes
DH_free
ws2_32
listen
shutdown
WSASend
WSAIoctl
WSAStartup
FreeAddrInfoW
getpeername
inet_ntoa
getsockname
WSAGetLastError
socket
htons
gethostname
htonl
inet_ntop
ntohl
ntohs
GetAddrInfoW
getservbyname
WSARecv
getsockopt
WSAGetOverlappedResult
setsockopt
getnameinfo
WSADuplicateSocketW
bind
closesocket
WSASocketW
advapi32
LookupPrivilegeValueA
EventRegister
ConvertSidToStringSidA
ConvertSidToStringSidW
CreateProcessAsUserW
LsaManageSidNameMapping
AdjustTokenPrivileges
AllocateLocallyUniqueId
EqualSid
AllocateAndInitializeSid
EventWrite
CreateRestrictedToken
FreeSid
DuplicateToken
RegQueryValueExW
GetAce
CreateWellKnownSid
CopySid
GetNamedSecurityInfoW
IsWellKnownSid
IsValidSecurityDescriptor
OpenProcessToken
GetLengthSid
IsValidAcl
LookupAccountNameW
RegOpenKeyExW
RegEnumValueW
RegCloseKey
SetServiceStatus
RegCreateKeyExW
RegisterServiceCtrlHandlerW
StartServiceCtrlDispatcherW
ConvertStringSecurityDescriptorToSecurityDescriptorW
IsValidSid
CheckTokenMembership
LookupAccountSidW
GetSidIdentifierAuthority
GetTokenInformation
kernel32
GetProcessHeap
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
GetFileSizeEx
ReadConsoleW
GetStringTypeW
HeapReAlloc
GetTimeZoneInformation
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
HeapAlloc
HeapFree
GetModuleFileNameW
FreeLibraryAndExitThread
ExitThread
CreateThread
FindNextFileW
FindFirstFileExW
FindClose
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetCommandLineW
GetCommandLineA
DeleteFileW
GetFullPathNameW
SetFileAttributesW
RemoveDirectoryW
SetStdHandle
GetCurrentDirectoryW
SetCurrentDirectoryW
GetModuleHandleExW
ExitProcess
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
SetLastError
RtlUnwindEx
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
HeapSize
FormatMessageA
ReadConsoleInputW
ReadConsoleOutputA
SetConsoleCursorPosition
Beep
FillConsoleOutputAttribute
WriteConsoleOutputA
SetConsoleCursorInfo
RaiseException
SetConsoleWindowInfo
GetConsoleCP
GetConsoleCursorInfo
ScrollConsoleScreenBufferA
SetConsoleScreenBufferSize
SetConsoleTextAttribute
FillConsoleOutputCharacterA
GetLastError
CloseHandle
GetComputerNameW
WriteConsoleW
CancelIoEx
WaitForSingleObject
GetFileAttributesW
CancelSynchronousIo
GetConsoleMode
SetConsoleMode
CreateProcessW
CopyFileW
WriteFile
SetInformationJobObject
ReadFile
GetCurrentProcess
ExpandEnvironmentStringsW
AssignProcessToJobObject
TerminateProcess
SetEnvironmentVariableW
CreateJobObjectW
WaitForSingleObjectEx
GetEnvironmentVariableW
DuplicateHandle
OpenProcess
CreateDirectoryW
WaitForMultipleObjectsEx
GetDriveTypeW
SetWaitableTimer
GetConsoleScreenBufferInfo
GetStdHandle
CreateWaitableTimerW
ReadFileEx
CreateFileW
Sleep
CreateFileA
GetFileAttributesExW
GetFileInformationByHandle
LoadLibraryW
WriteFileEx
GetProcAddress
LocalFree
FreeLibrary
WideCharToMultiByte
GetSystemTimeAsFileTime
GetFileType
DeviceIoControl
CreateNamedPipeA
CancelIo
GetFinalPathNameByHandleW
LoadLibraryExW
MultiByteToWideChar
CreateWaitableTimerA
CancelWaitableTimer
QueueUserAPC
SetConsoleCtrlHandler
GetSystemTime
GetWindowsDirectoryW
GetCurrentProcessId
GetSystemDirectoryW
GetExitCodeProcess
CreateEventA
VerifyVersionInfoW
SleepEx
VerSetConditionMask
SetHandleInformation
ResetEvent
SetEndOfFile
GetCurrentThreadId
SetFilePointerEx
GetTickCount64
GetLocalTime
SetEvent
FlushFileBuffers
OpenThread
sspicli
LsaRegisterLogonProcess
LsaConnectUntrusted
LsaDeregisterLogonProcess
LsaFreeReturnBuffer
LsaLogonUser
InitSecurityInterfaceW
FreeContextBuffer
LsaLookupAuthenticationPackage
userenv
LoadUserProfileW
crypt32
CryptBinaryToStringA
CryptStringToBinaryA
user32
FindWindowA
ShowWindow
GetWindowPlacement
Sections
.text Size: 636KB - Virtual size: 635KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 301KB - Virtual size: 301KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 6KB - Virtual size: 161KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 34KB - Virtual size: 33KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 568KB - Virtual size: 572KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Note: a .reloc section is normally read-only initialized data; here it is marked executable, writable and discardable, and at 568KB it accounts for over a third of the 1.5MB file. These flags and this size are atypical for relocation data and warrant inspecting the section contents (entropy, embedded code or payload) before drawing conclusions from the rest of the static profile.