2024-05-22_4a6459220bf72df0391c725ca370a191_cobalt-strike_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-05-22_4a6459220bf72df0391c725ca370a191_cobalt-strike_ryuk
Size

635KB
MD5

4a6459220bf72df0391c725ca370a191
SHA1

cfeced97f22725bf966b06c560a8722878b1517d
SHA256

f6051bc14a5ceb491f1c74e6872bc5419c075e646af78da0ddbdc60628c00012
SHA512

bdde3685337edaee4f5c186e019954cd31553a681f86a530b685c20e938186f47126a2c3415d7f6f97638822f7248747e2fc8855e40dc374d520465c88b7fbf8
SSDEEP

12288:FdF5Eoh6lpR+11LcZukcrtbrZpKS03eZi7zE5l2F1k7HYsHYq:rdh6vc/4ukWtPZpKS03si7zDF1kUs

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-05-22_4a6459220bf72df0391c725ca370a191_cobalt-strike_ryuk

Files

2024-05-22_4a6459220bf72df0391c725ca370a191_cobalt-strike_ryuk
.exe windows:6 windows x64 arch:x64

c0983432a126f9419d7a6193799630e8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

AcquireSRWLockExclusive
CloseHandle
CompareStringW
CreateFileW
CreateThread
DeleteCriticalSection
DeleteFileW
EncodePointer
EnterCriticalSection
ExitProcess
ExitThread
FileTimeToSystemTime
FindClose
FindFirstFileExW
FindNextFileW
FlushFileBuffers
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
FreeLibraryAndExitThread
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetConsoleMode
GetConsoleOutputCP
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatW
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileAttributesExW
GetFileInformationByHandle
GetFileSizeEx
GetFileType
GetFullPathNameW
GetLastError
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDirectoryA
GetSystemTimeAsFileTime
GetTickCount
GetTimeFormatW
GetTimeZoneInformation
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
InitializeSListHead
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadLibraryW
MoveFileExA
MultiByteToWideChar
PeekNamedPipe
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadConsoleW
ReadFile
ReleaseSRWLockExclusive
RtlCaptureContext
RtlLookupFunctionEntry
RtlPcToFileHeader
RtlUnwind
RtlUnwindEx
RtlVirtualUnwind
SetEndOfFile
SetEnvironmentVariableW
SetFilePointerEx
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
Sleep
SleepEx
SystemTimeToTzSpecificLocalTime
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VerSetConditionMask
VerifyVersionInfoW
WaitForMultipleObjects
WaitForSingleObjectEx
WideCharToMultiByte
WriteConsoleW
WriteFile

gdi32

BitBlt
DeleteEnhMetaFile
DrawEscape
EnumObjects
GetTextExtentExPointA
SelectObject

user32

CreateWindowExW
SetWindowTextA

ws2_32

WSACleanup
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
WSAGetLastError
WSAIoctl
WSAResetEvent
WSASetLastError
WSAStartup
WSAWaitForMultipleEvents
__WSAFDIsSet
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostname
getpeername
getsockname
getsockopt
htonl
htons
inet_ntop
inet_pton
ioctlsocket
listen
ntohs
recv
recvfrom
select
send
sendto
setsockopt
socket

wldap32

ord301
ord22
ord32
ord26
ord30
ord35
ord143
ord200
ord41
ord33
ord27
ord50
ord211
ord60
ord46
ord79

advapi32

CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptGetHashParam
CryptHashData
CryptImportKey
CryptReleaseContext

bcrypt

BCryptGenRandom

Sections

.text
Size: 515KB - Virtual size: 514KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 109KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gehcont
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c0983432a126f9419d7a6193799630e8

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

gdi32

user32

ws2_32

wldap32

advapi32

bcrypt

Sections

.text Size: 515KB - Virtual size: 514KB

.data Size: 7KB - Virtual size: 11KB

.pdata Size: 109KB - Virtual size: 108KB

.gehcont Size: 512B - Virtual size: 88B

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 515KB - Virtual size: 514KB

.data
Size: 7KB - Virtual size: 11KB

.pdata
Size: 109KB - Virtual size: 108KB

.gehcont
Size: 512B - Virtual size: 88B

.reloc
Size: 2KB - Virtual size: 2KB