2024-06-19_0702d99523fd0acb24d57ffed88e7387_ryuk_sliver

Sharing

Copy URL Twitter E-mail

General

Target

2024-06-19_0702d99523fd0acb24d57ffed88e7387_ryuk_sliver
Size

2.5MB
MD5

0702d99523fd0acb24d57ffed88e7387
SHA1

1efcace5405f0222a7baf734208cc9a7995de19b
SHA256

96851d7802b1ba2573b3b521d154f4f9d94eee0a862e6bb006e6c928262d6621
SHA512

a0d3a9a1b611c577159c5fed7ba3590988b8bd8dd8aecf523769cd6cbf1e0344e4b3df6bd020b139e681dc34aea456472e774586a6c58ff0435cb3d659246c9f
SSDEEP

49152:7TBeO3lR01oLNbPlpEUpiu/pPu//GEdPOWQ2g:k+7LNiAPixIWQ/

Score

1^/10

Malware Config

Signatures

Files

2024-06-19_0702d99523fd0acb24d57ffed88e7387_ryuk_sliver
.exe windows:5 windows x64 arch:x64

f87ee23b58085160ec08004508e5f6d1

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25/05/2021, 00:00

Not After

31/12/2028, 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6e
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22/03/2021, 00:00

Not After

21/03/2036, 23:59

Subject

CN=Sectigo Public Code Signing CA EV R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

7d:ab:79:f2:98:a4:c1:8e:81:cb:7f:9f:90:99:55:fc
Certificate

Issuer

CN=Sectigo Public Code Signing CA EV R36,O=Sectigo Limited,C=GB

Not Before

20/02/2024, 00:00

Not After

19/02/2027, 23:59

Subject

SERIALNUMBER=91110105MA005CH48R,CN=北京火绒网络科技有限公司,O=北京火绒网络科技有限公司,ST=Beijing Shi,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

4e:d7:d3:25:03:86:33:ad:41:9d:89:3f:16:ad:7f:7b:94:64:ff:81:d1:5d:31:e7:ec:69:2d:64:36:57:1b:a8
Signer

Actual PE Digest

4e:d7:d3:25:03:86:33:ad:41:9d:89:3f:16:ad:7f:7b:94:64:ff:81:d1:5d:31:e7:ec:69:2d:64:36:57:1b:a8

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\docker\Documents\workspace\build-v2\common\hr_sysdiag-app-60\bin\x64\TrafficProt.pdb

Imports

kernel32

GetLocalTime
GetModuleFileNameA
CreateIoCompletionPort
PostQueuedCompletionStatus
DeviceIoControl
GetQueuedCompletionStatus
LoadLibraryW
CreateMutexA
FindResourceExW
FindResourceW
LoadResource
LockResource
SizeofResource
GetProcessHeap
HeapDestroy
DecodePointer
HeapAlloc
RaiseException
HeapReAlloc
HeapSize
InitializeCriticalSectionAndSpinCount
HeapFree
WaitForMultipleObjects
TerminateThread
CreateThread
ResetEvent
WaitForSingleObject
SetEvent
CreateEventW
GetModuleHandleW
LoadLibraryExA
FreeLibrary
FindClose
FindNextFileW
FindFirstFileW
GetLastError
GetSystemInfo
LoadLibraryA
CreateFileW
GetVersion
GetProcAddress
ReadFile
WideCharToMultiByte
DeleteCriticalSection
CloseHandle
Sleep
MultiByteToWideChar
InitializeCriticalSection
LeaveCriticalSection
GetCurrentProcess
SetEndOfFile
WriteConsoleW
GetFullPathNameW
GetCurrentDirectoryW
SetFilePointerEx
GetConsoleCP
FlushFileBuffers
GetTimeZoneInformation
SetStdHandle
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
EnterCriticalSection
FindFirstFileExW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetDriveTypeW
SetConsoleCtrlHandler
GetACP
ExitProcess
WriteFile
GetStdHandle
SetCurrentDirectoryW
GetModuleHandleA
GetModuleFileNameW
LoadLibraryExW
WaitForSingleObjectEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
EncodePointer
GetCPInfo
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetModuleHandleExW
GetFileType
GetEnvironmentVariableW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
GetSystemTime
SystemTimeToFileTime
RtlPcToFileHeader
RtlUnwindEx

user32

MessageBoxW
GetProcessWindowStation
GetUserObjectInformationW

advapi32

DeregisterEventSource
RegisterEventSourceW
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext
ReportEventW
CryptAcquireContextW
RegOpenKeyExW
RegQueryValueExA
RegOpenKeyExA
RegQueryValueExW
RegCloseKey
CryptGenRandom

ws2_32

WSAGetLastError
WSACleanup
recv
send
WSASetLastError
closesocket
inet_ntop

crypt32

CertGetCertificateContextProperty
CertCloseStore
CryptMsgClose
CryptMsgGetParam
CertGetNameStringW
CertFindCertificateInStore
CertFreeCertificateContext
CertOpenStore
CertCreateCertificateContext
CertAddCertificateContextToStore
CertDuplicateCertificateContext
CertDeleteCertificateFromStore
CryptQueryObject
CertEnumCertificatesInStore

uactmon

ord5
ord1
ord2

usysdiag

vif_get

jansson

json_object_iter
json_false
json_true
json_dumps_free
json_array_size
json_array_get
json_unpack
json_array
json_pack
json_array_append_new
json_object
json_object_set_new
json_string
json_integer
json_delete
json_integer_value
json_object_iter_key
json_object_key_to_iter
json_object_iter_next
json_object_iter_value
json_object_get
json_dumps

libxsse

ord10

libcobra

libcobra_setopt
libcobra_init
libcobra_release
libcobra_lsetup
libcobra_create
libcobra_scans

hipsdb

ord10
ord9
ord13

hrcomm

CreateLPCClient

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 696KB - Virtual size: 696KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 31KB - Virtual size: 103KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 83KB - Virtual size: 82KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f87ee23b58085160ec08004508e5f6d1

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6eCertificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

7d:ab:79:f2:98:a4:c1:8e:81:cb:7f:9f:90:99:55:fcCertificate

Extended Key Usages

Key Usages

4e:d7:d3:25:03:86:33:ad:41:9d:89:3f:16:ad:7f:7b:94:64:ff:81:d1:5d:31:e7:ec:69:2d:64:36:57:1b:a8Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

ws2_32

crypt32

uactmon

usysdiag

jansson

libxsse

libcobra

hipsdb

hrcomm

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.rdata Size: 696KB - Virtual size: 696KB

.data Size: 31KB - Virtual size: 103KB

.pdata Size: 83KB - Virtual size: 82KB

.tls Size: 512B - Virtual size: 9B

.gfids Size: 2KB - Virtual size: 1KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 28KB - Virtual size: 31KB

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6e
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

7d:ab:79:f2:98:a4:c1:8e:81:cb:7f:9f:90:99:55:fc
Certificate

4e:d7:d3:25:03:86:33:ad:41:9d:89:3f:16:ad:7f:7b:94:64:ff:81:d1:5d:31:e7:ec:69:2d:64:36:57:1b:a8
Signer

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 696KB - Virtual size: 696KB

.data
Size: 31KB - Virtual size: 103KB

.pdata
Size: 83KB - Virtual size: 82KB

.tls
Size: 512B - Virtual size: 9B

.gfids
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 28KB - Virtual size: 31KB