2024-04-17_76f37bf0299b722350f95bfd118da8c9_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-17_76f37bf0299b722350f95bfd118da8c9_ryuk
Size

1.6MB
MD5

76f37bf0299b722350f95bfd118da8c9
SHA1

336c4b57cebfac377bd061b39a49df3cab92a870
SHA256

9b57528501702456c528336f64b18d9398026775ffa6e53f3433b4673d0f1c10
SHA512

d923f641f15b4b676e3bbcbe3b17ea5b551f0c56d3f87ddb854a24d8bdcef7f6d0c2818643b1f0dbeaa89477bdc22d972910cfe34e2b627df123c4a23eff6a43
SSDEEP

24576:SXa0gqvDeeB22xFhLIKLaoyoBp7lje8OCVeupix0prETJ7ra4:cawSp2zuMy6xj4FupI0pQTr

Score

1^/10

Malware Config

Signatures

Files

2024-04-17_76f37bf0299b722350f95bfd118da8c9_ryuk
.exe windows:6 windows x64 arch:x64

9a2e9b6bd3b9f02976152a2cc5145b3f

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

10:00:f5:eb:e0:39:43
Certificate

Issuer

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

14/10/2007, 22:01

Not After

14/10/2022, 22:01

Subject

CN=StartCom Class 2 Primary Intermediate Object CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

12:92:cc:92:c1:c7:f8
Certificate

Issuer

CN=StartCom Class 2 Primary Intermediate Object CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

10/08/2015, 20:42

Not After

11/08/2017, 01:25

Subject

CN=Declan Ireland,L=Celbridge,ST=Kildare,C=IE,1.2.840.113549.1.9.1=#0c15746f726e6465636f2e646940676d61696c2e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

39:9f:a8:a9:f9:63:a6:c3:47:8d:3f:0d:7d:45:75:91:33:dc:f9:99
Signer

Actual PE Digest

39:9f:a8:a9:f9:63:a6:c3:47:8d:3f:0d:7d:45:75:91:33:dc:f9:99

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

QueueUserAPC
GetCurrentThreadId
TerminateThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
VerifyVersionInfoW
GetDynamicTimeZoneInformation
GetSystemTimeAsFileTime
CreateSemaphoreA
CreateEventA
WaitForSingleObjectEx
WaitForMultipleObjectsEx
ReleaseSemaphore
GetProcessHeap
HeapAlloc
HeapFree
GetCommandLineW
DecodePointer
RaiseException
HeapReAlloc
HeapSize
CreateWaitableTimerW
GetModuleFileNameW
WaitForMultipleObjects
SetWaitableTimer
CreateEventW
SleepEx
WaitForSingleObject
SetEvent
DeleteCriticalSection
WriteConsoleW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
FindNextFileA
FindFirstFileExA
ReadConsoleW
GetTimeZoneInformation
GetConsoleMode
FlushFileBuffers
SetStdHandle
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetCommandLineA
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
PostQueuedCompletionStatus
GetQueuedCompletionStatus
CreateIoCompletionPort
SetLastError
GetLastError
CloseHandle
GetFileAttributesA
InitializeCriticalSectionEx
VerSetConditionMask
GetStdHandle
GetModuleFileNameA
ExitThread
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetFileType
GetModuleHandleExW
GetCurrentDirectoryW
CreateDirectoryW
CreateFileW
DeleteFileW
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesW
GetFileAttributesExW
GetFileInformationByHandle
SetEndOfFile
SetFilePointerEx
DeviceIoControl
GetModuleHandleA
GetProcAddress
MoveFileExW
AreFileApisANSI
MultiByteToWideChar
WideCharToMultiByte
LocalFree
FormatMessageA
ResetEvent
OpenEventA
Sleep
GetCurrentProcessId
ResumeThread
GetSystemInfo
GetTickCount
GetLogicalProcessorInformation
CreateWaitableTimerA
SystemTimeToFileTime
InitOnceExecuteOnce
GetACP
GetConsoleCP
GetConsoleWindow
InitializeCriticalSection
FreeLibrary
LoadLibraryExA
SwitchToFiber
DeleteFiber
CreateFiber
LoadLibraryA
IsValidCodePage
GetCPInfo
IsDBCSLeadByteEx
CancelIoEx
CreateFileA
ReadFile
WriteFile
SetNamedPipeHandleState
PeekNamedPipe
GetOverlappedResult
CancelIo
LocalAlloc
GetNamedPipeHandleStateA
WaitNamedPipeA
MapViewOfFile
UnmapViewOfFile
OpenFileMappingA
GetFileSize
DuplicateHandle
GetCurrentProcess
GetCurrentThread
GetExitCodeThread
QueryPerformanceCounter
QueryPerformanceFrequency
TryEnterCriticalSection
GetModuleHandleW
EncodePointer
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
OutputDebugStringW
CreateTimerQueue
SignalObjectAndWait
SwitchToThread
CreateThread
SetThreadPriority
GetThreadPriority
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
GetThreadTimes
FreeLibraryAndExitThread
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualFree
VirtualProtect
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
LoadLibraryW
RtlPcToFileHeader
RtlUnwindEx
ExitProcess

tbbmalloc_x64

scalable_free
scalable_malloc

ws2_32

socket
shutdown
setsockopt
send
select
getaddrinfo
ioctlsocket
closesocket
WSARecv
__WSAFDIsSet
getsockopt
connect
WSAGetLastError
getservbyname
ntohs
WSACleanup
WSAStartup
bind
WSASend
freeaddrinfo
recv

crypt32

CryptDecodeObjectEx
CertVerifySubjectCertificateContext
CertGetCertificateContextProperty
CertFreeCertificateContext
CertCreateCertificateContext
CertSetCertificateContextProperty
CertCreateCRLContext
CertFreeCRLContext
CertVerifyCRLRevocation
CertNameToStrA
CryptStringToBinaryA

secur32

InitializeSecurityContextA
EncryptMessage
DeleteSecurityContext
FreeCredentialsHandle
AcquireCredentialsHandleA
DecryptMessage
QueryContextAttributesA
FreeContextBuffer

advapi32

CryptDestroyKey
CryptEnumProvidersA
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
CryptImportKey

Exports

Exports

RVExtension

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 427KB - Virtual size: 426KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 44KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 61KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9a2e9b6bd3b9f02976152a2cc5145b3f

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

10:00:f5:eb:e0:39:43Certificate

Key Usages

12:92:cc:92:c1:c7:f8Certificate

Extended Key Usages

Key Usages

39:9f:a8:a9:f9:63:a6:c3:47:8d:3f:0d:7d:45:75:91:33:dc:f9:99Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

tbbmalloc_x64

ws2_32

crypt32

secur32

advapi32

Exports

Exports

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 427KB - Virtual size: 426KB

.data Size: 44KB - Virtual size: 65KB

.pdata Size: 61KB - Virtual size: 61KB

.gfids Size: 4KB - Virtual size: 3KB

.tls Size: 512B - Virtual size: 9B

.reloc Size: 14KB - Virtual size: 13KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

10:00:f5:eb:e0:39:43
Certificate

12:92:cc:92:c1:c7:f8
Certificate

39:9f:a8:a9:f9:63:a6:c3:47:8d:3f:0d:7d:45:75:91:33:dc:f9:99
Signer

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 427KB - Virtual size: 426KB

.data
Size: 44KB - Virtual size: 65KB

.pdata
Size: 61KB - Virtual size: 61KB

.gfids
Size: 4KB - Virtual size: 3KB

.tls
Size: 512B - Virtual size: 9B

.reloc
Size: 14KB - Virtual size: 13KB