General
-
Target
2024-05-22_f4557af937f454b597e693045e8525cf_ryuk
-
Size
6.2MB
-
Sample
240522-c6v8qshg47
-
MD5
f4557af937f454b597e693045e8525cf
-
SHA1
b2971ee1202d3e13a6bc69bd749c5e0f2c3e858b
-
SHA256
64ecc2284bcab43839a648c3dd87738a466c8585bcb48a1db43bd27c0409d1b9
-
SHA512
9547367ee0009f8998a0d5f69df832ca88bcda62314d088a04a95228ba163d91bebd1ebcd5cc4d2f5601775f823886a0711e6b039608db951ada6109c4a0061b
-
SSDEEP
196608:ZdfuVh+MESeE3L+ZhMBevDdep0Y+s9gQ3SEhO5swtM4:rc+bE3LtUDg6s9gQiuh
Behavioral task
behavioral1
Sample
2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
cobaltstrike
305419896
http://139.155.91.159:21001/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2
-
access_type
512
-
beacon_type
2048
-
host
139.155.91.159,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAAAhQUkVGPUlEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAABJVPTc3OWI2NGUxYTdlZDczN2EAAAACAAAACFBSRUY9SUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
polling_time
10000
-
port_number
21001
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCC0aD/3GAGXABkhh4WDvMbkoKUca7rtzyTXMhBNZVxo/8zOJ7XId+DTCh8r7lvAbfHfjKuMNk0dPFM4phzgmzoA012/2Y/Vdn+raT3fDQapCICpDCYZWEucKwjLOfD43A556FEv3a5kVEiE4tc+vsSaPJw0cXnhtuMnmxERXpVRwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
305419896
Targets
-
-
Target
2024-05-22_f4557af937f454b597e693045e8525cf_ryuk
-
Size
6.2MB
-
MD5
f4557af937f454b597e693045e8525cf
-
SHA1
b2971ee1202d3e13a6bc69bd749c5e0f2c3e858b
-
SHA256
64ecc2284bcab43839a648c3dd87738a466c8585bcb48a1db43bd27c0409d1b9
-
SHA512
9547367ee0009f8998a0d5f69df832ca88bcda62314d088a04a95228ba163d91bebd1ebcd5cc4d2f5601775f823886a0711e6b039608db951ada6109c4a0061b
-
SSDEEP
196608:ZdfuVh+MESeE3L+ZhMBevDdep0Y+s9gQ3SEhO5swtM4:rc+bE3LtUDg6s9gQiuh
Score 10/10
-
Detects Reflective DLL injection artifacts
-
Loads dropped DLL
-
Adds Run key to start application
-