2024-05-22_8150d40a8182f30177e993c97e58ca94_ryuk

Sharing

Copy URL

Twitter E-mail

General

Target

2024-05-22_8150d40a8182f30177e993c97e58ca94_ryuk
Size

2.1MB
MD5

8150d40a8182f30177e993c97e58ca94
SHA1

45bf7bb254d1925a70661a2f123e44b04cbdd02c
SHA256

07da6201777201bf7a10cfd702b09be3a54317224ac50b2e62bc09e0e21334c1
SHA512

1e745f759a2da2270f27fa24e696b3ef548437e3cdbfa9abacbc7c154c864ae9edb65ea503ee6f148fdcb1ed9a2a598c6c3dc2cacd12e05f7ee516cc102bf5fb
SSDEEP

49152:VYpt7+RKKrgTuWbnf1V1UvMsf1fNyxT65B2vLOaFq6MjWVWKsNg:nkTuWDRUNyrTug

Score

1^/10

Malware Config

Signatures

Files

2024-05-22_8150d40a8182f30177e993c97e58ca94_ryuk
.exe windows:6 windows x64 arch:x64

d8684de251bf4547431f482a58fc292a

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:de:c5:a2:90:57:95:93:ab:b2:3e:76:18:23:6a:2b
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

14/04/2020, 00:00

Not After

05/06/2023, 12:00

Subject

SERIALNUMBER=802578878,CN=RocketCyber LLC,O=RocketCyber LLC,L=Dallas,ST=Texas,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#13055465786173,1.3.6.1.4.1.311.60.2.1.3=#13025553

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

c3:e3:a3:10:36:c8:a9:1d:02:72:fc:6c:26:21:29:72:6d:45:38:7c
Signer

Actual PE Digest

c3:e3:a3:10:36:c8:a9:1d:02:72:fc:6c:26:21:29:72:6d:45:38:7c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\devel\repositories\agent\bin\agent\VersionRelease\rocketagent-x64.pdb

Imports

iphlpapi

GetAdaptersInfo

wldap32

ord143
ord301
ord200
ord30
ord79
ord46
ord211
ord60
ord50
ord41
ord22
ord26
ord27
ord32
ord33
ord35

wsock32

WSASetLastError
recv
send
socket
WSAGetLastError
WSACleanup
WSAStartup
ntohl
inet_addr
ioctlsocket
htonl
bind
closesocket
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
accept
listen
recvfrom
sendto
inet_ntoa
gethostname
__WSAFDIsSet
select

ws2_32

WSAIoctl
getaddrinfo
inet_pton
getnameinfo
freeaddrinfo

crypt32

CertFreeCertificateContext

kernel32

GetCommandLineW
HeapReAlloc
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetDriveTypeW
ExitThread
GetModuleHandleExW
RtlUnwindEx
RtlPcToFileHeader
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
VirtualProtect
VirtualFree
VirtualAlloc
GetVersionExW
LoadLibraryExW
GetModuleFileNameW
FreeLibraryAndExitThread
GetThreadTimes
UnregisterWait
RegisterWaitForSingleObject
GetACP
ReadConsoleW
GetLastError
CreateEventA
SetEvent
GetCurrentThreadId
GetCurrentProcess
GetCurrentProcessId
CloseHandle
GetStdHandle
CreateFileA
ReadFile
WriteFile
SetPriorityClass
FreeLibrary
GetDynamicTimeZoneInformation
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
GetConsoleMode
SetConsoleCtrlHandler
WriteConsoleA
Sleep
WaitForSingleObject
GetProcessHeap
HeapAlloc
HeapFree
QueryPerformanceCounter
QueryPerformanceFrequency
QueueUserWorkItem
GetModuleFileNameA
GetCommandLineA
IsDebuggerPresent
DuplicateHandle
ExitProcess
CreateProcessA
GetProcAddress
LoadLibraryA
CreateJobObjectA
AssignProcessToJobObject
SetInformationJobObject
GetFileAttributesA
LocalFree
FormatMessageA
GetPrivateProfileStringA
WritePrivateProfileStringA
QueryInformationJobObject
GetVolumeInformationA
GetComputerNameA
FormatMessageW
WideCharToMultiByte
GetModuleHandleW
GetCurrentDirectoryW
GetConsoleCP
CreateFileW
DeleteFileW
FindClose
GetFileAttributesW
GetFileAttributesExW
GetFullPathNameW
RemoveDirectoryW
SetEndOfFile
SetFilePointerEx
DeviceIoControl
MoveFileExW
AreFileApisANSI
MultiByteToWideChar
ResetEvent
ReleaseSemaphore
WaitForSingleObjectEx
WaitForMultipleObjectsEx
OpenEventA
SetWaitableTimer
ResumeThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetLogicalProcessorInformation
GetModuleHandleA
CreateWaitableTimerA
SetLastError
GetTickCount
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SleepEx
VerSetConditionMask
GetSystemDirectoryA
VerifyVersionInfoA
WaitForMultipleObjects
GetFileType
PeekNamedPipe
ExpandEnvironmentStringsA
RaiseException
SetUnhandledExceptionFilter
CreateEventW
TerminateProcess
CreateThread
GetExitCodeThread
CreateProcessW
OpenProcess
GetVersion
LoadLibraryW
SetNamedPipeHandleState
TransactNamedPipe
CreateNamedPipeW
WaitNamedPipeW
LockFileEx
UnlockFileEx
OutputDebugStringW
GetLocalTime
InitializeCriticalSectionAndSpinCount
TryEnterCriticalSection
SetThreadAffinityMask
GetProcessAffinityMask
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
SetStdHandle
GetExitCodeProcess
CreatePipe
HeapSize
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
WriteConsoleW
CreateDirectoryW
GetCurrentThread
EncodePointer
DecodePointer
GetSystemTimeAsFileTime
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
InitializeSListHead
CreateTimerQueue
SignalObjectAndWait
SwitchToThread
SetThreadPriority
GetThreadPriority
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber

shell32

SHGetFolderPathA

advapi32

RegCloseKey
SystemFunction036
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
GetUserNameA
QueryServiceStatus
OpenServiceA
OpenSCManagerA
DeleteService
CreateServiceA
ControlService
CloseServiceHandle
ChangeServiceConfig2A
StartServiceCtrlDispatcherA
SetServiceStatus
RegisterServiceCtrlHandlerA
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA

Exports

Exports

luaL_addlstring
luaL_addstring
luaL_addvalue
luaL_argerror
luaL_buffinit
luaL_buffinitsize
luaL_callmeta
luaL_checkany
luaL_checkinteger
luaL_checklstring
luaL_checknumber
luaL_checkoption
luaL_checkstack
luaL_checktype
luaL_checkudata
luaL_checkversion_
luaL_error
luaL_execresult
luaL_fileresult
luaL_getmetafield
luaL_getsubtable
luaL_gsub
luaL_len
luaL_loadbufferx
luaL_loadfilex
luaL_loadstring
luaL_newmetatable
luaL_newstate
luaL_optinteger
luaL_optlstring
luaL_optnumber
luaL_prepbuffsize
luaL_pushresult
luaL_pushresultsize
luaL_ref
luaL_requiref
luaL_setfuncs
luaL_setmetatable
luaL_testudata
luaL_tolstring
luaL_traceback
luaL_unref
luaL_where
lua_absindex
lua_arith
lua_atpanic
lua_callk
lua_checkstack
lua_close
lua_compare
lua_concat
lua_copy
lua_createtable
lua_dump
lua_error
lua_gc
lua_getallocf
lua_getfield
lua_getglobal
lua_gethook
lua_gethookcount
lua_gethookmask
lua_geti
lua_getinfo
lua_getlocal
lua_getmetatable
lua_getstack
lua_gettable
lua_gettop
lua_getupvalue
lua_getuservalue
lua_iscfunction
lua_isinteger
lua_isnumber
lua_isstring
lua_isuserdata
lua_isyieldable
lua_len
lua_load
lua_newstate
lua_newthread
lua_newuserdata
lua_next
lua_pcallk
lua_pushboolean
lua_pushcclosure
lua_pushfstring
lua_pushinteger
lua_pushlightuserdata
lua_pushlstring
lua_pushnil
lua_pushnumber
lua_pushstring
lua_pushthread
lua_pushvalue
lua_pushvfstring
lua_rawequal
lua_rawget
lua_rawgeti
lua_rawgetp
lua_rawlen
lua_rawset
lua_rawseti
lua_rawsetp
lua_resume
lua_rotate
lua_setallocf
lua_setfield
lua_setglobal
lua_sethook
lua_seti
lua_setlocal
lua_setmetatable
lua_settable
lua_settop
lua_setupvalue
lua_setuservalue
lua_status
lua_stringtonumber
lua_toboolean
lua_tocfunction
lua_tointegerx
lua_tolstring
lua_tonumberx
lua_topointer
lua_tothread
lua_touserdata
lua_type
lua_typename
lua_upvalueid
lua_upvaluejoin
lua_version
lua_xmove
lua_yieldk

Sections

.text
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 538KB - Virtual size: 537KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 41KB - Virtual size: 53KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 74KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 25B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d8684de251bf4547431f482a58fc292a

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

07:de:c5:a2:90:57:95:93:ab:b2:3e:76:18:23:6a:2bCertificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

c3:e3:a3:10:36:c8:a9:1d:02:72:fc:6c:26:21:29:72:6d:45:38:7cSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

iphlpapi

wldap32

wsock32

ws2_32

crypt32

kernel32

shell32

advapi32

Exports

Exports

Sections

.text Size: 1.4MB - Virtual size: 1.4MB

.rdata Size: 538KB - Virtual size: 537KB

.data Size: 41KB - Virtual size: 53KB

.pdata Size: 74KB - Virtual size: 73KB

.tls Size: 512B - Virtual size: 25B

.gfids Size: 4KB - Virtual size: 3KB

.rsrc Size: 6KB - Virtual size: 5KB

.reloc Size: 11KB - Virtual size: 11KB

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

07:de:c5:a2:90:57:95:93:ab:b2:3e:76:18:23:6a:2b
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

c3:e3:a3:10:36:c8:a9:1d:02:72:fc:6c:26:21:29:72:6d:45:38:7c
Signer

.text
Size: 1.4MB - Virtual size: 1.4MB

.rdata
Size: 538KB - Virtual size: 537KB

.data
Size: 41KB - Virtual size: 53KB

.pdata
Size: 74KB - Virtual size: 73KB

.tls
Size: 512B - Virtual size: 25B

.gfids
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 6KB - Virtual size: 5KB

.reloc
Size: 11KB - Virtual size: 11KB