General
-
Target
2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk
-
Size
2.2MB
-
Sample
240606-kv41hada84
-
MD5
e19f2d8b706b8ae8390bcb5ee7b10d1f
-
SHA1
d1bf74445805bb2b9744aaf272e70166fe07bbfd
-
SHA256
c3ff697ffa3ccf61ac56655f9334a66645a1fb86274ea16ecf43b797a753e567
-
SHA512
6d74c88abc84eb7390a7c8245e8d5f4a361e293e07b49ff2b08021e5f864319faf6a1b886d628cb861d27baab9560a67521a9baa5f68e50f592663ead0ee8c68
-
SSDEEP
49152:BwN7fzYcFe7I3TEK24Y9/qTjtfdI7dHiCgqAmcP1Qy8rPGZfEvYENf/rHi1y:4YcFe8gT/qfJM9i8KuxKyp/rHis
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
quasar
1.3.0.0
Test1
192.168.100.7:4782
192.168.100.1:4782
192.168.100.2:4782
192.168.100.3:4782
192.168.100.4:4782
192.168.100.5:4782
192.168.100.6:4782
192.168.100.8:4782
192.168.100.9:4782
QSR_MUTEX_EUcqtx8KrCdmvD2YIx
-
encryption_key
riVWKQv6KwgHqOuBNiok
-
install_name
Microsoft.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft
-
subdirectory
SubDir
Targets
-
-
Target
2024-06-06_e19f2d8b706b8ae8390bcb5ee7b10d1f_cova_ryuk
-
Size
2.2MB
-
MD5
e19f2d8b706b8ae8390bcb5ee7b10d1f
-
SHA1
d1bf74445805bb2b9744aaf272e70166fe07bbfd
-
SHA256
c3ff697ffa3ccf61ac56655f9334a66645a1fb86274ea16ecf43b797a753e567
-
SHA512
6d74c88abc84eb7390a7c8245e8d5f4a361e293e07b49ff2b08021e5f864319faf6a1b886d628cb861d27baab9560a67521a9baa5f68e50f592663ead0ee8c68
-
SSDEEP
49152:BwN7fzYcFe7I3TEK24Y9/qTjtfdI7dHiCgqAmcP1Qy8rPGZfEvYENf/rHi1y:4YcFe8gT/qfJM9i8KuxKyp/rHis
Score10/10-
Quasar payload
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects executables containing common artifacts observed in infostealers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-