2024-05-28_26ab58e4965a8dc5db791f24b6fab2ad_qakbot_ryuk_sliver

Sharing

Copy URL

Twitter E-mail

General

Target

2024-05-28_26ab58e4965a8dc5db791f24b6fab2ad_qakbot_ryuk_sliver
Size

17.1MB
MD5

26ab58e4965a8dc5db791f24b6fab2ad
SHA1

5383811a091244ae2f82172cb0ec776a7a203a4f
SHA256

c8fb8b44caf68107d99445790ea82ee10c605257811d27617f0ef66dd2572854
SHA512

4377c56c3feedd47d1f5293a2d1bae082788c6359a10aa2fa2bcc7eaa18f4cacb50c14fa22c6370d22a806623376867e7ccec3872a7c6cd4c921659db8cd0558
SSDEEP

196608:4GoE+GORFMso4PjDCAU1YTeeEh1AKhmrKEb0U+Zf/1Qe09lHwsguD63D7I6L57FJ:c5ROso4yAkhO44H9fz6fLRFgbqsQjV3

Score

1^/10

Malware Config

Signatures

Files

2024-05-28_26ab58e4965a8dc5db791f24b6fab2ad_qakbot_ryuk_sliver
.exe windows:6 windows x64 arch:x64

ef14eb185480bd8fbd5e271c10e9dec6

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

07/06/2005, 08:09

Not After

30/05/2020, 10:48

Subject

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

49:3d:fa:9c:55:01:bf:78:f3:47:16:c5:11:aa:54:45
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

22/03/2019, 00:00

Not After

01/04/2020, 23:59

Subject

CN=Veriato Inc.,O=Veriato Inc.,L=Palm Beach Gardens,ST=Florida,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

62:5c:4d:90:8c:d5:42:fb:ab:2e:a5:73:3f:f1:54:19
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

27/04/2011, 00:00

Not After

30/05/2020, 10:48

Subject

CN=COMODO Time Stamping CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2b:73:db:74:63:11:4c:5a:5b:32:4a:f2:30:57:72:49
Certificate

Issuer

CN=COMODO Time Stamping CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

02/05/2019, 00:00

Not After

30/05/2020, 10:48

Subject

CN=Sectigo SHA-1 Time Stamping Signer,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

44:fd:2d:7f:6f:41:06:81:76:8c:73:11:89:2c:e2:fc:35:03:24:08
Signer

Actual PE Digest

44:fd:2d:7f:6f:41:06:81:76:8c:73:11:89:2c:e2:fc:35:03:24:08

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

EntSetup64.pdb

Imports

advapi32

DeregisterEventSource
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
CryptEnumProvidersW
CryptSignHashW
GetUserNameA
CloseServiceHandle
DeleteService
OpenSCManagerA
OpenServiceA
CryptDestroyHash
SetFileSecurityA
ConvertStringSecurityDescriptorToSecurityDescriptorA
AllocateAndInitializeSid
FreeSid
SetEntriesInAclA
SetNamedSecurityInfoA
StartServiceA
CryptCreateHash
RegQueryValueExW
RegEnumValueW
RegDeleteValueW
RegGetValueW
RegOpenKeyExW
RegSetValueExW
RegSetKeySecurity
RegEnumKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegGetKeySecurity
CryptDecrypt
MakeSelfRelativeSD
GetSecurityDescriptorLength
InitializeSecurityDescriptor
IsValidSecurityDescriptor
SetSecurityDescriptorSacl
GetSecurityDescriptorControl
SetEntriesInAclW
SetSecurityDescriptorDacl
GetSecurityDescriptorSacl
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
GetSecurityInfo
GetTokenInformation
InitiateSystemShutdownA
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueA
RegConnectRegistryA
RegDeleteKeyA

shlwapi

PathAddExtensionA
PathAppendA
PathRemoveFileSpecA
PathFileExistsA

msi

ord204
ord141
ord15
ord112

comctl32

PropertySheetA
ImageList_Create
ImageList_Add
InitCommonControlsEx
ord17

ws2_32

freeaddrinfo
getaddrinfo
WSAStringToAddressA
WSAAddressToStringA
WSAGetLastError
inet_ntoa

psapi

GetModuleFileNameExA

crypt32

CertDuplicateCertificateContext
CertGetCertificateContextProperty
CertFreeCertificateContext
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore

kernel32

UpdateResourceA
EndUpdateResourceA
CopyFileA
GetComputerNameA
VerifyVersionInfoW
SystemTimeToFileTime
MultiByteToWideChar
GlobalAlloc
GlobalUnlock
GlobalLock
GetPrivateProfileStringA
DecodePointer
RaiseException
InitializeCriticalSectionEx
DeleteCriticalSection
DeviceIoControl
InitializeCriticalSection
SetEvent
WaitForSingleObject
WaitForMultipleObjects
GetTickCount
MulDiv
GetLocaleInfoA
OutputDebugStringA
FindClose
FindFirstFileA
FindNextFileA
GetFileAttributesA
GetFileTime
SetEndOfFile
SetFileAttributesA
EnterCriticalSection
LeaveCriticalSection
TerminateThread
ResumeThread
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
MoveFileA
VirtualAlloc
VirtualFree
GetCurrentProcessId
GetCurrentProcess
Sleep
SetErrorMode
GlobalFree
GetCPInfo
RemoveDirectoryA
TerminateProcess
OpenProcess
GetWindowsDirectoryA
WinExec
BeginUpdateResourceA
LocalFree
MoveFileExA
GetCurrentThreadId
GetCommandLineA
GetCommandLineW
ExpandEnvironmentStringsA
CreateDirectoryA
ExitProcess
GetSystemWow64DirectoryA
CreateSemaphoreA
OpenSemaphoreA
WideCharToMultiByte
GetFileAttributesW
GetFileAttributesExW
DeleteFileW
MoveFileExW
CreateFileW
SetFilePointerEx
ProcessIdToSessionId
CreateProcessW
FlushFileBuffers
CreateDirectoryW
GetLocalTime
LocalAlloc
CreateToolhelp32Snapshot
GetModuleFileNameW
GetModuleHandleW
CreateEventW
ResetEvent
CreateMutexW
ReleaseMutex
HeapCreate
HeapDestroy
LocalReAlloc
GetACP
CreateMutexA
VirtualProtect
Process32First
Process32Next
GetFullPathNameA
GetThreadPriority
GetSystemInfo
LoadResource
LockResource
SizeofResource
FormatMessageA
FindResourceA
GetComputerNameW
GetDateFormatA
GetTimeFormatA
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetTimeZoneInformation
SetLastError
LoadLibraryExA
GlobalSize
lstrcmpA
lstrcmpiA
IsDBCSLeadByte
GetFullPathNameW
FindFirstFileW
FindNextFileW
GetStdHandle
GetFileType
LoadLibraryW
FlushConsoleInputBuffer
QueryPerformanceCounter
GlobalMemoryStatus
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
HeapReAlloc
SetConsoleCtrlHandler
GetConsoleCP
ReadConsoleW
GetConsoleMode
TzSpecificLocalTimeToSystemTime
VirtualQuery
PeekNamedPipe
GetFileInformationByHandle
GetDriveTypeW
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
CreateThread
LoadLibraryExW
RtlPcToFileHeader
RtlUnwindEx
FlushInstructionCache
InterlockedPushEntrySList
InterlockedPopEntrySList
TryEnterCriticalSection
OutputDebugStringW
InitializeSListHead
GetStartupInfoW
IsDebuggerPresent
WaitForSingleObjectEx
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetStringTypeW
GetLocaleInfoW
LCMapStringW
CompareStringW
GetSystemTimeAsFileTime
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
EncodePointer
lstrlenA
WriteConsoleW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
IsValidCodePage
FindFirstFileExA
SetConsoleMode
ReadConsoleInputA
HeapSize
SetStdHandle
GetCurrentDirectoryW
LoadLibraryA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
FreeLibrary
GetSystemDirectoryA
GetSystemTime
CreateProcessA
GetProcessHeap
HeapFree
HeapAlloc
GetLastError
CloseHandle
GetTempFileNameA
GetTempPathA
WriteFile
SetFileTime
SetFilePointer
ReadFile
GetFileSize
GetDriveTypeA
DeleteFileA
CreateFileA
GetCurrentDirectoryA
SetCurrentDirectoryA
VerSetConditionMask
EnumSystemLocalesW
GetExitCodeProcess

user32

CreateAcceleratorTableA
DestroyAcceleratorTable
InvalidateRgn
AdjustWindowRectEx
GetClassLongPtrA
GetDesktopWindow
GetTopWindow
WinHelpA
EnumDisplaySettingsA
GetUserObjectInformationW
MessageBoxW
GetCapture
GetFocus
DeferWindowPos
ClientToScreen
EnableMenuItem
GetSystemMenu
CloseWindow
GetWindow
CharPrevA
CharNextA
CloseDesktop
CreateDesktopA
LoadStringA
LoadIconA
DrawFocusRect
RegisterClassA
PostQuitMessage
GetMessageA
KillTimer
SetTimer
GetKeyState
UpdateWindow
IsDialogMessageA
SetForegroundWindow
IsWindow
PeekMessageA
DispatchMessageA
TranslateMessage
LoadImageA
LoadBitmapA
GetClassNameA
IsChild
SetWindowLongA
GetSysColorBrush
ScreenToClient
GetWindowRect
CreateDialogParamA
SetWindowPos
MoveWindow
MessageBeep
GetClipboardData
EnumWindows
GetClassInfoExA
RegisterWindowMessageA
wsprintfW
GetProcessWindowStation
EndDeferWindowPos
BeginDeferWindowPos
PtInRect
DrawTextA
GetForegroundWindow
GetClientRect
MessageBoxA
OffsetRect
ShowWindow
SetWindowTextA
GetDlgItem
CheckDlgButton
IsDlgButtonChecked
EnableWindow
SetDlgItemTextA
IsWindowVisible
GetCursor
SetCursor
MapVirtualKeyExA
GetKeyNameTextA
GetKeyboardLayout
IsWindowEnabled
GetDlgItemInt
SetDlgItemInt
GetWindowTextLengthA
GetWindowTextA
SendDlgItemMessageA
EndDialog
DialogBoxParamA
GetWindowThreadProcessId
MapVirtualKeyA
VkKeyScanW
ReleaseDC
SendMessageA
GetDlgItemTextA
GetSystemMetrics
GetAsyncKeyState
PostMessageA
CallWindowProcA
OpenClipboard
CloseClipboard
SetClipboardData
RegisterClipboardFormatA
EmptyClipboard
SetFocus
CreatePopupMenu
SetRect
ReleaseCapture
SetParent
SetCapture
GetParent
GetWindowLongA
LoadCursorA
FillRect
GetSysColor
RemovePropA
GetPropA
SetPropA
RedrawWindow
InvalidateRect
EndPaint
BeginPaint
GetDC
DestroyWindow
CreateWindowExA
RegisterClassExA
DefWindowProcA
UnregisterClassA
wsprintfA
CheckRadioButton
SetWindowLongPtrA
GetWindowLongPtrA
GetCursorPos
TrackPopupMenu
AppendMenuA
DestroyMenu

gdi32

CreatePatternBrush
SetMapMode
GetMapMode
CreateCompatibleDC
StretchBlt
GetObjectA
DPtoLP
GetTextExtentPointA
TranslateCharsetInfo
CreateBitmap
CreateCompatibleBitmap
CreateBrushIndirect
BitBlt
GetStockObject
MoveToEx
LineTo
GetTextExtentPoint32A
GetDeviceCaps
CreateSolidBrush
CreatePen
CreateFontA
SetTextColor
SetBkMode
SetBkColor
SelectObject
DeleteObject
DeleteDC
CreateFontIndirectA

comdlg32

GetSaveFileNameA
GetOpenFileNameA

shell32

SHGetFolderPathA
CommandLineToArgvW
SHCreateDirectoryExA
SHFileOperationA
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
ShellExecuteA
SHBrowseForFolderA

ole32

StringFromCLSID
CoTaskMemFree
CoInitializeEx
CreateStreamOnHGlobal
CoGetClassObject
CLSIDFromProgID
StringFromGUID2
CoTaskMemRealloc
OleInitialize
OleUninitialize
OleLockRunning
CoCreateInstance
CoUninitialize
CLSIDFromString
CoCreateGuid
CoSetProxyBlanket
CoInitializeSecurity
CoInitialize
CoTaskMemAlloc

oleaut32

SysStringLen
SysAllocString
VariantInit
VariantClear
VariantCopy
VariantChangeType
SysAllocStringLen
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayCreateVector
VarUI4FromStr
LoadTypeLi
LoadRegTypeLi
OleCreateFontIndirect
SysFreeString

urlmon

URLDownloadToFileA

wininet

InternetGetConnectedState
InternetAttemptConnect
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetConnectA
InternetCloseHandle
InternetOpenA

Exports

Exports

OPENSSL_Applink

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 282KB - Virtual size: 318KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 134KB - Virtual size: 134KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 13.2MB - Virtual size: 13.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ef14eb185480bd8fbd5e271c10e9dec6

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4bCertificate

Key Usages

49:3d:fa:9c:55:01:bf:78:f3:47:16:c5:11:aa:54:45Certificate

Extended Key Usages

Key Usages

62:5c:4d:90:8c:d5:42:fb:ab:2e:a5:73:3f:f1:54:19Certificate

Extended Key Usages

Key Usages

2b:73:db:74:63:11:4c:5a:5b:32:4a:f2:30:57:72:49Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

44:fd:2d:7f:6f:41:06:81:76:8c:73:11:89:2c:e2:fc:35:03:24:08Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

shlwapi

msi

comctl32

ws2_32

psapi

crypt32

kernel32

user32

gdi32

comdlg32

shell32

ole32

oleaut32

urlmon

wininet

Exports

Exports

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 282KB - Virtual size: 318KB

.pdata Size: 134KB - Virtual size: 134KB

.gfids Size: 2KB - Virtual size: 1KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 13.2MB - Virtual size: 13.2MB

.reloc Size: 32KB - Virtual size: 32KB

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

49:3d:fa:9c:55:01:bf:78:f3:47:16:c5:11:aa:54:45
Certificate

62:5c:4d:90:8c:d5:42:fb:ab:2e:a5:73:3f:f1:54:19
Certificate

2b:73:db:74:63:11:4c:5a:5b:32:4a:f2:30:57:72:49
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

44:fd:2d:7f:6f:41:06:81:76:8c:73:11:89:2c:e2:fc:35:03:24:08
Signer

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 282KB - Virtual size: 318KB

.pdata
Size: 134KB - Virtual size: 134KB

.gfids
Size: 2KB - Virtual size: 1KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 13.2MB - Virtual size: 13.2MB

.reloc
Size: 32KB - Virtual size: 32KB