2024-05-16_ba113ee31ca8fed8356f6538acf61a4d_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-05-16_ba113ee31ca8fed8356f6538acf61a4d_ryuk
Size

1.7MB
MD5

ba113ee31ca8fed8356f6538acf61a4d
SHA1

814a3d1cc114e9dad712cf504fa75d61ba4e1a08
SHA256

72f4a15b678a4bf65c7d46c1d0b39837d124977950257a6f59888c423eb53c15
SHA512

7c95eacfe722d675ed7f8731e6c34cdb06b76217ad48ade057261ad6a2c2d37bfd0115c03dc2b883e9b24f4df52fee9fb645ce9766944a52576d1fecdf7cf629
SSDEEP

24576:q6V6gC/AyqGizWCaFbyzMdIuwe3zfIe7xmvH/:q6cSGizWCaFbEMdFrIe78vH/

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-05-16_ba113ee31ca8fed8356f6538acf61a4d_ryuk

Files

2024-05-16_ba113ee31ca8fed8356f6538acf61a4d_ryuk
.exe windows:6 windows x64 arch:x64

476f1f35c8127c628ba01df1d9cea220

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

ssh-agent.pdb

Imports

libcrypto

BN_CTX_get
EC_KEY_set_private_key
BN_value_one
DSA_free
EC_GROUP_get_order
EC_KEY_get0_private_key
EC_POINT_is_at_infinity
BN_num_bits
RSA_blinding_on
RSA_size
EC_POINT_mul
EC_POINT_new
EC_KEY_get0_group
BN_CTX_new
BN_cmp
BN_sub
RSA_new
DSA_new
EC_KEY_get0_public_key
RSA_free
BN_CTX_start
EC_KEY_free
EVP_aes_128_cbc
EC_POINT_free
EC_METHOD_get_field_type
BN_clear_free
EC_KEY_set_public_key
BN_new
BN_div
AES_encrypt
AES_set_encrypt_key
EVP_CIPHER_CTX_get_app_data
EVP_CIPHER_CTX_set_app_data
ECDSA_do_sign
ECDSA_SIG_free
ECDSA_do_verify
ECDSA_SIG_new
DSA_do_sign
DSA_do_verify
DSA_SIG_new
DSA_SIG_free
EVP_sha384
EVP_md5
EVP_sha256
EVP_Digest
EVP_sha1
EVP_sha512
EVP_CIPHER_CTX_key_length
EVP_aes_256_cbc
EVP_des_ede3_cbc
EVP_aes_192_cbc
BN_CTX_free
EC_GROUP_method_of
EC_KEY_new_by_curve_name
EC_POINT_get_affine_coordinates_GFp
EC_POINT_oct2point
BN_bn2bin
EC_POINT_point2oct
BN_bin2bn
RSA_public_decrypt
RSA_sign

api-ms-win-core-console-l1-1-0

SetConsoleMode
GetConsoleMode
WriteConsoleW
SetConsoleCtrlHandler
WriteConsoleA
ReadConsoleW
GetNumberOfConsoleInputEvents
PeekConsoleInputA
ReadConsoleInputA
GetConsoleCP
ReadConsoleInputW

api-ms-win-service-management-l1-1-0

OpenSCManagerW
OpenServiceW

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
GetModuleHandleW
GetModuleFileNameW
LoadLibraryExW
GetProcAddress
FreeLibrary

api-ms-win-service-core-l1-1-0

StartServiceCtrlDispatcherW
SetServiceStatus

api-ms-win-service-winsvc-l1-1-0

StartServiceA
RegisterServiceCtrlHandlerW

api-ms-win-core-errorhandling-l1-1-0

RaiseException
SetUnhandledExceptionFilter
GetLastError
UnhandledExceptionFilter
SetLastError

api-ms-win-security-base-l1-1-0

IsValidSid
RevertToSelf
GetTokenInformation
IsValidAcl
IsValidSecurityDescriptor
DuplicateToken
CheckTokenMembership
IsWellKnownSid
CreateWellKnownSid
ImpersonateLoggedOnUser
EqualSid
GetAce

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle
SetHandleInformation

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-namedpipe-l1-1-0

ConnectNamedPipe
PeekNamedPipe
CreateNamedPipeW

api-ms-win-core-synch-l1-2-1

CreateWaitableTimerW
WaitForMultipleObjects

api-ms-win-core-kernel32-legacy-l1-1-0

GetNamedPipeClientProcessId
CreateNamedPipeA
SetConsoleTitleA
GetComputerNameW

api-ms-win-core-io-l1-1-0

GetOverlappedResult
GetQueuedCompletionStatus
CancelIoEx
CreateIoCompletionPort

api-ms-win-core-processthreads-l1-1-0

ExitProcess
TlsGetValue
TlsAlloc
QueueUserAPC
CreateThread
CreateProcessAsUserW
OpenThread
GetCurrentThreadId
GetExitCodeProcess
TerminateThread
TlsFree
GetStartupInfoW
TerminateProcess
OpenProcessToken
CreateProcessW
GetCurrentProcess
GetCurrentProcessId
TlsSetValue

api-ms-win-core-registry-l1-1-0

RegDeleteTreeA
RegCloseKey
RegOpenCurrentUser
RegSetValueExW
RegEnumKeyExW
RegOpenKeyExA
RegDeleteKeyExA
RegOpenKeyExW
RegDeleteTreeW
RegQueryValueExW
RegCreateKeyExW
RegCreateKeyExA

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
ResetEvent
WaitForMultipleObjectsEx
SetEvent
CreateEventA
SleepEx
SetWaitableTimer
CancelWaitableTimer
WaitForSingleObject

api-ms-win-core-file-l1-1-0

GetLogicalDriveStringsW
SetFileTime
GetDiskFreeSpaceW
GetDriveTypeW
CreateFileW
CreateDirectoryW
GetDiskFreeSpaceExW
SetEndOfFile
FindNextFileW
FindFirstFileExW
GetFileType
GetFileInformationByHandle
FlushFileBuffers
WriteFileEx
CreateFileA
WriteFile
DeleteFileW
SetFileAttributesW
RemoveDirectoryW
GetFullPathNameA
GetFullPathNameW
ReadFile
ReadFileEx
GetFileAttributesExW
FindFirstFileW
SetFilePointerEx
FindClose

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak

api-ms-win-core-heap-l2-1-0

LocalFree

crypt32

CryptStringToBinaryA
CryptUnprotectData
CryptProtectData
CryptBinaryToStringA

api-ms-win-core-processenvironment-l1-1-0

SetStdHandle
SetCurrentDirectoryW
GetCommandLineW
SetEnvironmentVariableA
SetEnvironmentVariableW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetCurrentDirectoryW
ExpandEnvironmentStringsW
GetCommandLineA
GetStdHandle

api-ms-win-core-sysinfo-l1-1-0

GetWindowsDirectoryW
GetSystemTimeAsFileTime
GetLocalTime
GetTickCount64

ws2_32

WSAIoctl
WSAGetOverlappedResult
WSACleanup
WSAStartup
WSASend
GetAddrInfoW
WSARecv
closesocket
WSAGetLastError
gethostname
WSASocketW
bind
getpeername
getsockname
getsockopt
listen
setsockopt
shutdown
socket
FreeAddrInfoW
WSADuplicateSocketW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryA

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-string-l1-1-0

CompareStringW
MultiByteToWideChar
WideCharToMultiByte
GetStringTypeW

api-ms-win-core-console-l2-1-0

ReadConsoleOutputA
WriteConsoleOutputA
FillConsoleOutputCharacterA
FillConsoleOutputAttribute
GetConsoleScreenBufferInfoEx
GetLargestConsoleWindowSize
GetConsoleCursorInfo
SetConsoleScreenBufferSize
FreeConsole
GetConsoleScreenBufferInfo
SetConsoleCursorPosition
SetConsoleCursorInfo
ScrollConsoleScreenBufferA
SetConsoleWindowInfo
SetConsoleTextAttribute

samcli

NetUserGetInfo
NetUserGetGroups
NetUserGetLocalGroups

logoncli

NetGetDCName
DsGetDcNameW

wkscli

NetWkstaGetInfo

netutils

NetApiBufferFree

api-ms-win-security-provider-l1-1-0

GetNamedSecurityInfoW

api-ms-win-core-sysinfo-l1-2-0

VerSetConditionMask

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

api-ms-win-core-io-l1-1-1

CancelIo

api-ms-win-security-sddl-ansi-l1-1-0

ConvertStringSidToSidA

api-ms-win-core-synch-ansi-l1-1-0

CreateWaitableTimerA

sspicli

GetUserNameExW

api-ms-win-core-util-l1-1-0

Beep

api-ms-win-core-localization-l1-2-0

GetCPInfo
GetOEMCP
LCMapStringW
IsValidCodePage
GetACP

user32

FindWindowA
ShowWindow
GetWindowPlacement

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlUnwindEx
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetTimeZoneInformation

api-ms-win-core-heap-l1-1-0

HeapSize
GetProcessHeap
HeapReAlloc
HeapAlloc
HeapFree

Sections

.text
Size: 278KB - Virtual size: 277KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 173KB - Virtual size: 172KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1.2MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

476f1f35c8127c628ba01df1d9cea220

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

libcrypto

api-ms-win-core-console-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-service-core-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-namedpipe-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-synch-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-heap-l2-1-0

crypt32

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

ws2_32

api-ms-win-core-synch-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-file-l2-1-2

api-ms-win-core-string-l1-1-0

api-ms-win-core-console-l2-1-0

samcli

logoncli

wkscli

netutils

api-ms-win-security-provider-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-io-l1-1-1

api-ms-win-security-sddl-ansi-l1-1-0

api-ms-win-core-synch-ansi-l1-1-0

sspicli

api-ms-win-core-util-l1-1-0

api-ms-win-core-localization-l1-2-0

user32

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-heap-l1-1-0

Sections

.text Size: 278KB - Virtual size: 277KB

.rdata Size: 173KB - Virtual size: 172KB

.data Size: 16KB - Virtual size: 25KB

.pdata Size: 12KB - Virtual size: 12KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 1.2MB - Virtual size: 1.8MB

.text
Size: 278KB - Virtual size: 277KB

.rdata
Size: 173KB - Virtual size: 172KB

.data
Size: 16KB - Virtual size: 25KB

.pdata
Size: 12KB - Virtual size: 12KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1.2MB - Virtual size: 1.8MB