2024-05-22_f79ec6315cfb5037b66b25f1524b4dc1_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-05-22_f79ec6315cfb5037b66b25f1524b4dc1_ryuk
Size

1.5MB
MD5

f79ec6315cfb5037b66b25f1524b4dc1
SHA1

af8064ef1470519d09cdf8d7092032f8e6b7bf31
SHA256

04ad474cc6ec5977f249dce29436237a46807604b192beb2c09c89e1783f54e9
SHA512

3ba6f64495981dd773dac8888a2e47db80f3413d2b083da1603fa7206f8730fa9bc6bed485c2027f0604446df6f767dfebd966c0152f87dfa71c3ec3c1a2e302
SSDEEP

24576:+Lh1gR6oPZP9j3tLOS3/26/sEyGKCplM43sqjnhMgeiCl7G0nehbGZpbD:+LhFoJJ9SSuisEyGKCplJDmg27RnWGj

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-05-22_f79ec6315cfb5037b66b25f1524b4dc1_ryuk

Files

2024-05-22_f79ec6315cfb5037b66b25f1524b4dc1_ryuk
.exe windows:6 windows x64 arch:x64

27de371e1dae125bc04cc09552c72d87

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

sshd.pdb

Imports

libcrypto

ECDSA_do_sign
ECDSA_SIG_free
ECDSA_do_verify
ECDSA_SIG_new
DH_free
EVP_CIPHER_CTX_set_app_data
EVP_CIPHER_CTX_get_app_data
DH_size
DH_compute_key
AES_set_encrypt_key
DSA_do_sign
DSA_do_verify
AES_encrypt
DSA_SIG_free
EC_POINT_oct2point
BN_bn2bin
EC_POINT_point2oct
BN_bin2bn
BN_init
BN_clear_free
RSA_public_decrypt
RSA_sign
BN_div
RSA_size
RAND_status
SSLeay
EVP_sha384
EVP_MD_CTX_copy_ex
EVP_MD_CTX_cleanup
EVP_md5
EVP_sha256
EVP_DigestUpdate
EVP_Digest
DSA_SIG_new
EVP_DigestInit_ex
EVP_MD_CTX_md
EVP_sha1
EVP_MD_block_size
EVP_sha512
EVP_MD_CTX_init
EVP_DigestFinal_ex
EVP_CIPHER_CTX_key_length
EVP_CIPHER_CTX_new
EVP_aes_256_cbc
EVP_CIPHER_CTX_iv_length
EVP_CipherInit
EVP_des_ede3_cbc
EVP_aes_192_cbc
EVP_CIPHER_CTX_ctrl
EVP_CIPHER_CTX_set_key_length
EVP_Cipher
EVP_aes_256_gcm
EVP_aes_128_gcm
EVP_CIPHER_CTX_free
BN_is_bit_set
BN_hex2bn
DH_new
DH_generate_key
RSA_blinding_on
BN_dup
EC_GROUP_get_order
DSA_free
BIO_new
EC_POINT_cmp
ERR_peek_error
EC_KEY_set_private_key
BN_value_one
EVP_PKEY_get1_EC_KEY
EC_METHOD_get_field_type
EC_POINT_mul
RSA_new
RSA_free
BN_copy
ERR_get_error
EC_POINT_get_affine_coordinates_GFp
ERR_peek_last_error
EC_KEY_set_public_key
BN_CTX_get
EC_KEY_set_group
EC_POINT_is_at_infinity
BIO_s_mem
PEM_read_bio_PrivateKey
EC_POINT_free
EVP_aes_128_cbc
BN_CTX_start
EVP_PKEY_free
EVP_PKEY_get1_RSA
EC_GROUP_free
DSA_new
BIO_write
BIO_free
EC_GROUP_cmp
EVP_PKEY_get1_DSA
EC_GROUP_set_asn1_flag
EC_GROUP_get_curve_name
EC_KEY_get0_private_key
BN_CTX_new
BN_cmp
BN_sub
EC_GROUP_new_by_curve_name
BN_CTX_free
EC_GROUP_method_of
BN_num_bits
OPENSSL_add_all_algorithms_noconf
RAND_poll
RAND_seed
RAND_bytes
SSLeay_version
ECDH_compute_key
EC_KEY_generate_key
EC_KEY_get0_public_key
EC_KEY_get0_group
EC_KEY_free
EC_KEY_new_by_curve_name
EC_POINT_new
EC_GROUP_get_degree
BN_new

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter

ws2_32

WSASocketW
WSADuplicateSocketW
WSAGetLastError
htonl
ntohl
htons
WSASend
WSARecv
WSAIoctl
WSAGetOverlappedResult
closesocket
getpeername
inet_ntop
inet_ntoa
ntohs
getsockname
getsockopt
listen
getnameinfo
setsockopt
shutdown
socket
gethostname
WSAStartup
WSACleanup
GetAddrInfoW
bind
FreeAddrInfoW

api-ms-win-core-processenvironment-l1-1-0

SetEnvironmentVariableA
GetCurrentDirectoryW
GetEnvironmentStringsW
SetCurrentDirectoryW
SetStdHandle
GetCommandLineW
FreeEnvironmentStringsW
GetCommandLineA
ExpandEnvironmentStringsW
SetEnvironmentVariableW
GetEnvironmentVariableW
GetStdHandle

api-ms-win-core-handle-l1-1-0

CloseHandle
SetHandleInformation
DuplicateHandle

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
OpenProcessToken
GetExitCodeProcess
TerminateProcess
GetCurrentProcess
CreateProcessA
TerminateThread
ExitThread
CreateThread
GetStartupInfoW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
ExitProcess
GetCurrentThreadId
OpenThread
CreateProcessAsUserW
CreateProcessW
QueueUserAPC

api-ms-win-core-job-l2-1-0

AssignProcessToJobObject
CreateJobObjectW
SetInformationJobObject

api-ms-win-core-registry-l1-1-0

RegEnumValueW
RegOpenKeyExW
RegQueryValueExW
RegCreateKeyExW
RegCloseKey

api-ms-win-security-base-l1-1-0

GetTokenInformation
GetSidIdentifierAuthority
FreeSid
EqualSid
DuplicateToken
CreateRestrictedToken
AllocateLocallyUniqueId
AllocateAndInitializeSid
AdjustTokenPrivileges
CheckTokenMembership
CopySid
IsWellKnownSid
IsValidSecurityDescriptor
IsValidAcl
GetLengthSid
GetAce
IsValidSid

api-ms-win-security-lsalookup-l2-1-0

LookupAccountSidW
LookupAccountNameW

api-ms-win-core-kernel32-legacy-l1-1-0

CreateNamedPipeA
GetComputerNameW

api-ms-win-core-file-l1-1-0

GetFinalPathNameByHandleW
CreateFileA
RemoveDirectoryW
GetFullPathNameA
GetFullPathNameW
ReadFile
FindClose
FindFirstFileExW
FindNextFileW
DeleteFileW
WriteFileEx
GetFileType
CreateFileW
CreateDirectoryW
SetFilePointerEx
SetEndOfFile
GetFileAttributesW
FlushFileBuffers
ReadFileEx
GetFileInformationByHandle
GetDriveTypeW
WriteFile
GetFileAttributesExW

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionAndSpinCount
SleepEx
CreateEventA
WaitForSingleObjectEx
ResetEvent
SetWaitableTimer
SetEvent
WaitForMultipleObjectsEx
WaitForSingleObject
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
CancelWaitableTimer

api-ms-win-core-file-l2-1-2

CopyFileW

bcrypt

BCryptGenRandom

api-ms-win-service-winsvc-l1-1-0

RegisterServiceCtrlHandlerW

api-ms-win-service-core-l1-1-0

StartServiceCtrlDispatcherW
SetServiceStatus

samcli

NetUserGetInfo
NetUserAdd

netutils

NetApiBufferFree

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetLocalTime
GetSystemDirectoryW
GetWindowsDirectoryW
GetTickCount64

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
FreeLibrary
GetModuleHandleExW
GetModuleFileNameW
GetModuleHandleW
FreeLibraryAndExitThread
GetProcAddress

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-console-l2-1-0

FillConsoleOutputAttribute
GetConsoleCursorInfo
FillConsoleOutputCharacterA
SetConsoleScreenBufferSize
FreeConsole
GetConsoleScreenBufferInfo
SetConsoleCursorPosition
SetConsoleCursorInfo
ScrollConsoleScreenBufferA
SetConsoleWindowInfo
SetConsoleTextAttribute
WriteConsoleOutputA
ReadConsoleOutputA

api-ms-win-security-provider-l1-1-0

GetNamedSecurityInfoW

api-ms-win-core-string-l1-1-0

GetStringTypeW
MultiByteToWideChar
WideCharToMultiByte
CompareStringW

api-ms-win-security-lsalookup-ansi-l2-1-0

LookupPrivilegeValueA

userenv

LoadUserProfileW

sspicli

LsaDeregisterLogonProcess
LsaConnectUntrusted
LsaLookupAuthenticationPackage
LsaLogonUser
LsaRegisterLogonProcess
LsaFreeReturnBuffer

api-ms-win-security-lsalookup-l2-1-1

LsaManageSidNameMapping

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent

crypt32

CryptStringToBinaryA
CryptBinaryToStringA

api-ms-win-core-console-l1-1-0

ReadConsoleW
SetConsoleCtrlHandler
GetConsoleCP
GetConsoleMode
ReadConsoleInputW
SetConsoleMode
WriteConsoleW

api-ms-win-core-sysinfo-l1-2-0

VerSetConditionMask

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

api-ms-win-core-synch-ansi-l1-1-0

CreateWaitableTimerA

api-ms-win-core-io-l1-1-0

CancelIoEx
DeviceIoControl

api-ms-win-core-io-l1-1-1

CancelIo

api-ms-win-core-util-l1-1-0

Beep

api-ms-win-core-localization-l1-2-0

FormatMessageA
LCMapStringW
GetCPInfo
GetOEMCP
IsValidCodePage
GetACP

api-ms-win-security-sddl-ansi-l1-1-0

ConvertSidToStringSidA

user32

ShowWindow
GetWindowPlacement
FindWindowA

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind
RtlCaptureContext

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-namedpipe-l1-1-0

PeekNamedPipe

api-ms-win-core-timezone-l1-1-0

SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetTimeZoneInformation

api-ms-win-core-heap-l1-1-0

HeapFree
HeapSize
HeapAlloc
HeapReAlloc
GetProcessHeap

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-eventing-provider-l1-1-0

EventWrite
EventRegister

Sections

.text
Size: 622KB - Virtual size: 622KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 220KB - Virtual size: 219KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 77KB - Virtual size: 105KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 568KB - Virtual size: 572KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

27de371e1dae125bc04cc09552c72d87

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

libcrypto

api-ms-win-core-errorhandling-l1-1-0

ws2_32

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-job-l2-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-file-l2-1-2

bcrypt

api-ms-win-service-winsvc-l1-1-0

api-ms-win-service-core-l1-1-0

samcli

netutils

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-heap-l2-1-0

api-ms-win-core-console-l2-1-0

api-ms-win-security-provider-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-security-lsalookup-ansi-l2-1-0

userenv

sspicli

api-ms-win-security-lsalookup-l2-1-1

api-ms-win-core-debug-l1-1-0

crypt32

api-ms-win-core-console-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-synch-ansi-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-io-l1-1-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-security-sddl-ansi-l1-1-0

user32

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-namedpipe-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-eventing-provider-l1-1-0

Sections

.text Size: 622KB - Virtual size: 622KB

.rdata Size: 220KB - Virtual size: 219KB

.data Size: 77KB - Virtual size: 105KB

.pdata Size: 27KB - Virtual size: 26KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 568KB - Virtual size: 572KB

.text
Size: 622KB - Virtual size: 622KB

.rdata
Size: 220KB - Virtual size: 219KB

.data
Size: 77KB - Virtual size: 105KB

.pdata
Size: 27KB - Virtual size: 26KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 568KB - Virtual size: 572KB