2024-04-20_6ed29b29fa184d36f3856f957c2fcf89_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-20_6ed29b29fa184d36f3856f957c2fcf89_ryuk
Size

1.1MB
MD5

6ed29b29fa184d36f3856f957c2fcf89
SHA1

cb9dc2ca964601a4cce65d8dea66c631c5a890ba
SHA256

8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694
SHA512

58dfc0043ace7fd685b4f51a8e6d003a3228487e784cb51354b1c9d1838444a3dce6a881e36145980d487dd92e81fe21ad5990bc5e803fdad385f4deefab952d
SSDEEP

24576:a31P0Gn5iyE+gKaa8dNX2qa/5Rp8lf/trQTGy7hyF1oHhNU3:g17n5i3/K+NX2qQX8lf/trQTV7hy4h

Score

1^/10

Malware Config

Signatures

Files

2024-04-20_6ed29b29fa184d36f3856f957c2fcf89_ryuk
.exe windows:6 windows x64 arch:x64

bf73479ba9273c124bdf29b288ecdf56

Code Sign

33:00:00:02:52:8b:33:aa:f8:95:f3:39:db:00:00:00:00:02:52
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:32

Not After

01/09/2022, 18:32

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

41:6f:f7:60:59:6e:e4:65:f9:16:36:5b:7f:19:b5:8a:b4:a3:ee:cd:9e:f6:22:39:34:75:7e:6e:4a:86:7a:92
Signer

Actual PE Digest

41:6f:f7:60:59:6e:e4:65:f9:16:36:5b:7f:19:b5:8a:b4:a3:ee:cd:9e:f6:22:39:34:75:7e:6e:4a:86:7a:92

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\_work\1\s\OSS_Microsoft_OpenSSH_Dev\bin\x64\Release\sshd.pdb

Imports

libcrypto

AES_set_encrypt_key
EVP_CIPHER_CTX_get_app_data
EVP_CIPHER_CTX_set_app_data
ECDH_compute_key
EC_POINT_clear_free
EC_GROUP_get_degree
DH_compute_key
DH_size
ECDSA_do_sign
ECDSA_SIG_free
ECDSA_do_verify
EVP_MD_CTX_cleanup
AES_encrypt
ECDSA_SIG_new
DSA_do_sign
DSA_do_verify
DSA_SIG_new
DSA_SIG_free
RSA_public_decrypt
RSA_sign
BN_div
RSA_size
BN_CTX_new
BN_CTX_free
RAND_status
SSLeay
EVP_CIPHER_CTX_key_length
EVP_CIPHER_CTX_new
EVP_aes_256_cbc
EVP_CIPHER_CTX_iv_length
EVP_CipherInit
EVP_des_ede3_cbc
EVP_aes_192_cbc
EVP_CIPHER_CTX_ctrl
EVP_CIPHER_CTX_set_key_length
EVP_Cipher
EVP_aes_256_gcm
EVP_aes_128_gcm
EVP_CIPHER_CTX_free
EC_POINT_oct2point
BN_bn2bin
EC_POINT_point2oct
BN_bin2bn
BN_is_bit_set
BN_hex2bn
DH_new
DH_generate_key
EVP_sha384
EVP_MD_CTX_copy_ex
EVP_md5
EVP_sha256
EVP_DigestUpdate
EVP_Digest
EVP_DigestInit_ex
EVP_MD_CTX_md
EVP_sha1
EVP_MD_block_size
EVP_sha512
EVP_DigestFinal_ex
RSA_blinding_on
BN_dup
EC_GROUP_get_order
DSA_free
BIO_new
EC_POINT_cmp
BN_clear_free
ERR_peek_error
EC_KEY_set_private_key
BN_value_one
EVP_PKEY_get1_EC_KEY
EC_METHOD_get_field_type
EC_POINT_mul
RSA_new
EC_KEY_generate_key
RSA_free
ERR_get_error
EC_POINT_get_affine_coordinates_GFp
ERR_peek_last_error
EC_KEY_set_public_key
BN_free
EC_KEY_set_group
EC_POINT_is_at_infinity
BIO_s_mem
PEM_read_bio_PrivateKey
EC_POINT_free
EVP_aes_128_cbc
EC_KEY_free
EVP_PKEY_free
EVP_PKEY_get1_RSA
EC_KEY_get0_public_key
EC_GROUP_free
DSA_new
EC_POINT_new
BIO_write
BIO_free
EC_GROUP_cmp
EVP_PKEY_get1_DSA
EC_GROUP_set_asn1_flag
EC_GROUP_get_curve_name
BN_new
EC_KEY_get0_private_key
EC_KEY_get0_group
BN_cmp
BN_sub
EC_GROUP_new_by_curve_name
EVP_PKEY_base_id
EC_GROUP_method_of
EC_KEY_new_by_curve_name
BN_num_bits
RAND_poll
SSLeay_version
RAND_seed
RAND_bytes
DH_free

userenv

LoadUserProfileW

crypt32

CryptStringToBinaryA
CryptBinaryToStringA

ws2_32

getservbyname
htonl
htons
FreeAddrInfoW
bind
WSAIoctl
WSASend
shutdown
listen
WSAStartup
getpeername
ntohs
socket
inet_ntoa
GetAddrInfoW
WSARecv
getsockopt
WSAGetOverlappedResult
setsockopt
closesocket
WSADuplicateSocketW
WSASocketW
WSAGetLastError
getnameinfo
getsockname
inet_ntop
ntohl
gethostname

secur32

InitSecurityInterfaceW
FreeContextBuffer
LsaFreeReturnBuffer
LsaLookupAuthenticationPackage
LsaLogonUser
LsaDeregisterLogonProcess
LsaRegisterLogonProcess
LsaConnectUntrusted

kernel32

GetFullPathNameW
SetFileAttributesW
RemoveDirectoryW
SetStdHandle
GetCurrentDirectoryW
SetCurrentDirectoryW
ExitProcess
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
SetLastError
RtlUnwindEx
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
DeleteFileW
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetCommandLineA
GetCommandLineW
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
FindClose
FindFirstFileExW
FindNextFileW
CreateThread
ExitThread
FreeLibraryAndExitThread
HeapFree
HeapAlloc
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetTimeZoneInformation
HeapReAlloc
GetStringTypeW
ReadConsoleW
GetFileSizeEx
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
HeapSize
RaiseException
GetLocalTime
FormatMessageA
CancelIoEx
CancelSynchronousIo
WriteFile
ReadFile
WaitForSingleObjectEx
WaitForMultipleObjectsEx
GetDriveTypeW
GetDiskFreeSpaceExW
GetLogicalDriveStringsW
ReadFileEx
GetFileAttributesExW
GetFileInformationByHandle
RtlPcToFileHeader
InitializeSListHead
CreateWaitableTimerW
WriteFileEx
DeviceIoControl
CreateNamedPipeA
CancelIo
ReadConsoleOutputA
SetConsoleCursorPosition
GetConsoleWindow
Beep
WriteConsoleW
FillConsoleOutputAttribute
WriteConsoleOutputA
CreateFileA
ReadConsoleInputW
SetConsoleCursorInfo
GetConsoleMode
SetConsoleWindowInfo
GetConsoleCP
GetConsoleCursorInfo
ScrollConsoleScreenBufferA
SetConsoleScreenBufferSize
SetConsoleTextAttribute
FillConsoleOutputCharacterA
LoadLibraryExW
MultiByteToWideChar
CreateWaitableTimerA
CancelWaitableTimer
QueueUserAPC
SetConsoleCtrlHandler
GetExitCodeProcess
GetModuleHandleExW
GetSystemTime
GetWindowsDirectoryW
GetSystemDirectoryW
CreateEventA
GetLastError
CloseHandle
GetComputerNameW
WaitForSingleObject
GetFileAttributesW
CreateProcessW
CopyFileW
SetInformationJobObject
GetCurrentProcess
ExpandEnvironmentStringsW
AssignProcessToJobObject
TerminateProcess
SetEnvironmentVariableW
CreateJobObjectW
GetEnvironmentVariableW
DuplicateHandle
OpenProcess
FormatMessageW
LocalFree
GetModuleFileNameW
SetConsoleMode
CreateDirectoryW
SetWaitableTimer
GetConsoleScreenBufferInfo
GetStdHandle
EncodePointer
CreateFileW
Sleep
LoadLibraryW
GetProcAddress
FreeLibrary
WideCharToMultiByte
GetSystemTimeAsFileTime
GetFileType
GetFinalPathNameByHandleW
GetCurrentProcessId
SetHandleInformation
SetEndOfFile
GetCurrentThreadId
GetTickCount64
SetFilePointerEx
OpenThread
FlushFileBuffers
SetEvent
ResetEvent
VerSetConditionMask
SleepEx
VerifyVersionInfoW

user32

GetWindowPlacement
ShowWindow

advapi32

GetNamedSecurityInfoW
ConvertSidToStringSidA
EventWrite
GetTokenInformation
GetSidIdentifierAuthority
LookupAccountSidW
CheckTokenMembership
IsValidSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
RegCreateKeyExW
SetServiceStatus
RegCloseKey
RegEnumValueW
RegOpenKeyExW
LookupAccountNameW
IsValidAcl
GetLengthSid
OpenProcessToken
IsValidSecurityDescriptor
IsWellKnownSid
CopySid
CreateWellKnownSid
GetAce
RegQueryValueExW
LsaNtStatusToWinError
DuplicateToken
FreeSid
CreateRestrictedToken
LookupPrivilegeValueA
AllocateAndInitializeSid
EqualSid
AllocateLocallyUniqueId
AdjustTokenPrivileges
LsaManageSidNameMapping
CreateProcessAsUserW
ConvertSidToStringSidW
EventUnregister
EventRegister
EventWriteTransfer

Sections

.text
Size: 758KB - Virtual size: 758KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 325KB - Virtual size: 324KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 225KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

bf73479ba9273c124bdf29b288ecdf56

Code Sign

33:00:00:02:52:8b:33:aa:f8:95:f3:39:db:00:00:00:00:02:52Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

41:6f:f7:60:59:6e:e4:65:f9:16:36:5b:7f:19:b5:8a:b4:a3:ee:cd:9e:f6:22:39:34:75:7e:6e:4a:86:7a:92Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

libcrypto

userenv

crypt32

ws2_32

secur32

kernel32

user32

advapi32

Sections

.text Size: 758KB - Virtual size: 758KB

.rdata Size: 325KB - Virtual size: 324KB

.data Size: 7KB - Virtual size: 225KB

.pdata Size: 37KB - Virtual size: 37KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 3KB - Virtual size: 2KB

33:00:00:02:52:8b:33:aa:f8:95:f3:39:db:00:00:00:00:02:52
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

41:6f:f7:60:59:6e:e4:65:f9:16:36:5b:7f:19:b5:8a:b4:a3:ee:cd:9e:f6:22:39:34:75:7e:6e:4a:86:7a:92
Signer

.text
Size: 758KB - Virtual size: 758KB

.rdata
Size: 325KB - Virtual size: 324KB

.data
Size: 7KB - Virtual size: 225KB

.pdata
Size: 37KB - Virtual size: 37KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 3KB - Virtual size: 2KB