2024-07-26_1d613302d4a464e0f9ea96e88f23fb71_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-07-26_1d613302d4a464e0f9ea96e88f23fb71_ryuk
Size

496KB
MD5

1d613302d4a464e0f9ea96e88f23fb71
SHA1

56e68d1045827290e15de5561769c2b5c8d75066
SHA256

e23ba794552dbfa4b60f747d3e89da70fac5e4e478d66a6eb6e22a3dfb2fe47f
SHA512

afe32088fc9c0fcb2baefb5e9d7010979ba0fc6b79c20c180b01411df10229cd23a83afa99d11e3d3ac76d7411c9be3f8b7cd8845ed6faafc935bd5bccd0fe0d
SSDEEP

12288:ZuDh6t0K8wEa9tiukGPfE8lf/lmhwRUAO:ZuDh6t0KBEa9tiQPs8lf/0hWUAO

Score

1^/10

Malware Config

Signatures

Files

2024-07-26_1d613302d4a464e0f9ea96e88f23fb71_ryuk
.exe windows:6 windows x64 arch:x64

d714070a5255bfd8f96a605ce19541ff

Code Sign

33:00:00:02:cb:b7:75:39:fb:02:71:42:36:00:00:00:00:02:cb
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/05/2022, 20:45

Not After

11/05/2023, 20:45

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

2b:7f:f0:b3:16:01:f3:a0:e8:2d:6c:63:a9:32:fa:a6:60:91:9e:61:82:db:ca:e1:82:62:43:1a:85:62:5e:4a
Signer

Actual PE Digest

2b:7f:f0:b3:16:01:f3:a0:e8:2d:6c:63:a9:32:fa:a6:60:91:9e:61:82:db:ca:e1:82:62:43:1a:85:62:5e:4a

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\_work\1\s\OSS_Microsoft_OpenSSH_Dev\bin\x64\Release\ssh-agent.pdb

Imports

libcrypto

DSA_do_sign
DSA_get0_key
BN_bn2bin
DSA_do_verify
DSA_set0_key
DSA_SIG_get0
DSA_new
DSA_SIG_new
DSA_set0_pqg
DSA_get0_pqg
DSA_generate_key
DSA_generate_parameters_ex
DSA_free
DSA_SIG_set0
EC_POINT_point2oct
BN_bin2bn
DSA_SIG_free
EC_POINT_oct2point
RSA_generate_key_ex
BN_set_flags
RSA_public_decrypt
RSA_new
RSA_set0_crt_params
RSA_free
BN_free
BN_set_word
RSA_sign
BN_div
RSA_set0_factors
RSA_get0_factors
RSA_get0_crt_params
RSA_set0_key
BN_CTX_new
BN_CTX_free
EVP_sha384
EVP_md5
EVP_sha256
EVP_Digest
EVP_sha1
EVP_sha512
EVP_CIPHER_CTX_key_length
EVP_CIPHER_CTX_new
EVP_aes_256_cbc
EVP_CipherInit
EVP_aes_128_ctr
EVP_aes_256_ctr
EVP_des_ede3_cbc
EVP_aes_192_cbc
EVP_CIPHER_CTX_ctrl
EVP_CIPHER_CTX_set_key_length
EVP_aes_192_ctr
EVP_Cipher
EVP_aes_256_gcm
EVP_aes_128_gcm
EVP_CIPHER_CTX_free
BN_dup
ECDSA_do_sign
EC_POINT_cmp
EC_KEY_set_private_key
EC_KEY_generate_key
ECDSA_SIG_get0
EC_KEY_set_public_key
EC_KEY_free
ECDSA_SIG_free
ECDSA_SIG_set0
EC_KEY_set_asn1_flag
ECDSA_do_verify
EC_KEY_new_by_curve_name
ECDSA_SIG_new
RSA_blinding_on
EC_GROUP_get_order
BN_clear_free
BN_value_one
EC_METHOD_get_field_type
EC_POINT_mul
EC_POINT_get_affine_coordinates_GFp
EC_KEY_set_group
EC_POINT_is_at_infinity
arc4random_buf
RSA_get0_key
EC_POINT_free
EVP_aes_128_cbc
EC_KEY_get0_public_key
EC_GROUP_free
EC_POINT_new
EC_GROUP_cmp
EC_GROUP_set_asn1_flag
EC_GROUP_get_curve_name
BN_new
EC_KEY_get0_private_key
EC_KEY_get0_group
BN_cmp
BN_sub
explicit_bzero
EC_GROUP_new_by_curve_name
EC_GROUP_method_of
BN_num_bits
EC_KEY_METHOD_set_sign
RSA_up_ref
d2i_ECDSA_SIG
EC_KEY_set_method
RSA_meth_set_priv_enc
EC_KEY_METHOD_get_sign
RSA_meth_set1_name
RSA_set_method
RSA_meth_dup
RSA_size
RSA_get_default_method
EC_KEY_up_ref
EC_KEY_METHOD_new
EC_KEY_OpenSSL

crypt32

CryptProtectData
CryptStringToBinaryA
CryptUnprotectData
CryptBinaryToStringA

ws2_32

WSASend
WSAStartup
getsockname
WSARecv
WSAGetOverlappedResult
setsockopt
closesocket
WSADuplicateSocketW
WSASocketW
WSAGetLastError
socket

kernel32

TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
SetLastError
RtlUnwindEx
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
TlsFree
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SetEnvironmentVariableW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetCommandLineA
GetCommandLineW
SetStdHandle
GetFullPathNameW
ExitProcess
GetModuleHandleExW
FindClose
FindFirstFileExW
FindNextFileW
CreateThread
ExitThread
FreeLibraryAndExitThread
HeapFree
HeapAlloc
CompareStringW
LCMapStringW
HeapReAlloc
GetStringTypeW
ReadConsoleW
GetFileSizeEx
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
HeapSize
RaiseException
GetLocalTime
LoadLibraryExW
ReadConsoleOutputA
SetConsoleCursorPosition
GetConsoleWindow
Beep
FillConsoleOutputAttribute
WriteConsoleOutputA
ReadConsoleInputW
SetConsoleCursorInfo
SetConsoleWindowInfo
GetConsoleCP
GetConsoleCursorInfo
RtlPcToFileHeader
UnhandledExceptionFilter
GetCurrentThreadId
ScrollConsoleScreenBufferA
SetConsoleScreenBufferSize
SetConsoleTextAttribute
FillConsoleOutputCharacterA
CreateWaitableTimerA
WriteConsoleW
CancelSynchronousIo
GetConsoleMode
SetConsoleMode
WaitForSingleObjectEx
WaitForMultipleObjectsEx
GetDriveTypeW
GetFinalPathNameByHandleW
QueueUserAPC
MultiByteToWideChar
VerifyVersionInfoW
VerSetConditionMask
ResetEvent
SleepEx
ReadFileEx
CreateFileA
WriteFileEx
CreateNamedPipeA
CancelIo
GetExitCodeProcess
GetWindowsDirectoryW
GetSystemDirectoryW
SetConsoleCtrlHandler
GetModuleFileNameW
GetLastError
SetHandleInformation
CreateNamedPipeW
WaitForMultipleObjects
GetNamedPipeClientProcessId
GetQueuedCompletionStatus
OpenProcess
SetEvent
CloseHandle
GetCurrentProcessId
CreateProcessW
CreateEventA
CreateIoCompletionPort
ConnectNamedPipe
ReadFile
WriteFile
CancelIoEx
GetOverlappedResult
LocalFree
GetCurrentProcess
GetStdHandle
TerminateProcess
SetEndOfFile
EncodePointer
DuplicateHandle
GetTickCount64
SetFilePointerEx
GetFileType
OpenThread
FlushFileBuffers
GetConsoleScreenBufferInfo
WaitForSingleObject
CreateFileW
GetProcAddress
GetComputerNameW
FreeLibrary
WideCharToMultiByte
ExpandEnvironmentStringsW

user32

ShowWindow
GetWindowPlacement

advapi32

RegDeleteKeyExA
EventWrite
EventRegister
OpenServiceW
StartServiceCtrlDispatcherW
StartServiceA
RegisterServiceCtrlHandlerW
SetServiceStatus
OpenSCManagerW
GetTokenInformation
DuplicateTokenEx
ConvertStringSecurityDescriptorToSecurityDescriptorW
DuplicateToken
CheckTokenMembership
OpenProcessToken
RegSetValueExW
IsWellKnownSid
RegCreateKeyExW
CreateWellKnownSid
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyExA
RegDeleteTreeW
ImpersonateLoggedOnUser
RegEnumKeyExW
RegCreateKeyExA
RegOpenCurrentUser
RegCloseKey
RevertToSelf
RegDeleteTreeA
CreateProcessAsUserW
LookupAccountNameW
GetLengthSid
IsValidSecurityDescriptor
CopySid
GetSidIdentifierAuthority
LookupAccountSidW
ConvertSidToStringSidW

Sections

.text
Size: 267KB - Virtual size: 266KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 193KB - Virtual size: 193KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 209KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d714070a5255bfd8f96a605ce19541ff

Code Sign

33:00:00:02:cb:b7:75:39:fb:02:71:42:36:00:00:00:00:02:cbCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

2b:7f:f0:b3:16:01:f3:a0:e8:2d:6c:63:a9:32:fa:a6:60:91:9e:61:82:db:ca:e1:82:62:43:1a:85:62:5e:4aSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

libcrypto

crypt32

ws2_32

kernel32

user32

advapi32

Sections

.text Size: 267KB - Virtual size: 266KB

.rdata Size: 193KB - Virtual size: 193KB

.data Size: 3KB - Virtual size: 209KB

.pdata Size: 15KB - Virtual size: 15KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 2KB - Virtual size: 2KB

33:00:00:02:cb:b7:75:39:fb:02:71:42:36:00:00:00:00:02:cb
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

2b:7f:f0:b3:16:01:f3:a0:e8:2d:6c:63:a9:32:fa:a6:60:91:9e:61:82:db:ca:e1:82:62:43:1a:85:62:5e:4a
Signer

.text
Size: 267KB - Virtual size: 266KB

.rdata
Size: 193KB - Virtual size: 193KB

.data
Size: 3KB - Virtual size: 209KB

.pdata
Size: 15KB - Virtual size: 15KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 2KB - Virtual size: 2KB