2024-07-26_6e1277263227178b67438d84929cc14f_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-07-26_6e1277263227178b67438d84929cc14f_ryuk
Size

457KB
MD5

6e1277263227178b67438d84929cc14f
SHA1

cfbb7d3a960779a18bfeb3d342dc88954a06e851
SHA256

030c56e2d1af71c42155ec31c93f1e36e0fa455e160c07808f57bed466f9376e
SHA512

02d07864d81ce967074a808d9cae0504a81e7857b7f0443002c5350a7ae7402e3a898ca9e949a47d240dc08dc9f04ca73ccb6293d28bac20b26a41a2d51c982d
SSDEEP

6144:ULnAg88Hm4JEMc/kjEPxurK8PUuBYVFtLmZbvWBaDb2O7fcCnDtlh6Ewmb+lge:YAg8EmdMc/ewxueYUUYpqt7h7wmb+lge

Score

1^/10

Malware Config

Signatures

Files

2024-07-26_6e1277263227178b67438d84929cc14f_ryuk
.exe windows:6 windows x64 arch:x64

ffdae8dca81b90f70106aaac5a8a7c88

Code Sign

33:00:00:02:cb:b7:75:39:fb:02:71:42:36:00:00:00:00:02:cb
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/05/2022, 20:45

Not After

11/05/2023, 20:45

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

9b:5b:0b:54:9e:7a:d1:f1:39:f5:e6:a2:08:af:cd:6d:d1:bc:92:c3:1b:ed:cd:ee:0c:a1:88:d7:f0:c5:fd:b5
Signer

Actual PE Digest

9b:5b:0b:54:9e:7a:d1:f1:39:f5:e6:a2:08:af:cd:6d:d1:bc:92:c3:1b:ed:cd:ee:0c:a1:88:d7:f0:c5:fd:b5

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\_work\1\s\OSS_Microsoft_OpenSSH_Dev\bin\x64\Release\ssh-pkcs11-helper.pdb

Imports

libcrypto

DSA_do_sign
DSA_get0_key
BN_bn2bin
DSA_do_verify
DSA_set0_key
DSA_SIG_get0
DSA_new
DSA_SIG_new
DSA_set0_pqg
DSA_get0_pqg
DSA_generate_key
DSA_generate_parameters_ex
DSA_SIG_free
BN_dup
RSA_generate_key_ex
BN_set_flags
RSA_public_decrypt
RSA_set0_crt_params
BN_set_word
RSA_sign
BN_div
RSA_set0_factors
RSA_get0_factors
DSA_free
BN_CTX_new
BN_CTX_free
EVP_sha384
DSA_SIG_set0
EVP_md5
EVP_sha256
EVP_Digest
EVP_sha1
EVP_sha512
EVP_aes_256_cbc
EVP_aes_128_ctr
EVP_aes_256_ctr
EVP_des_ede3_cbc
EVP_aes_192_cbc
EVP_aes_192_ctr
EC_POINT_point2oct
EC_POINT_oct2point
EVP_aes_256_gcm
EVP_aes_128_gcm
ECDSA_do_sign
EC_POINT_cmp
EC_KEY_set_private_key
EC_KEY_generate_key
ECDSA_SIG_get0
EC_KEY_set_public_key
EC_KEY_set_asn1_flag
ECDSA_do_verify
EC_KEY_new_by_curve_name
RAND_status
SSLeay
RSA_blinding_on
EC_GROUP_get_order
BN_clear_free
BN_value_one
EC_METHOD_get_field_type
EC_POINT_mul
RSA_get0_crt_params
EC_POINT_get_affine_coordinates_GFp
EC_POINT_is_at_infinity
arc4random_buf
RSA_get0_key
EC_POINT_free
EVP_aes_128_cbc
EC_KEY_get0_public_key
EC_POINT_new
EC_GROUP_cmp
EC_GROUP_set_asn1_flag
EC_GROUP_get_curve_name
BN_new
EC_KEY_get0_private_key
EC_KEY_get0_group
BN_cmp
BN_sub
EC_GROUP_new_by_curve_name
EC_GROUP_method_of
BN_num_bits
explicit_bzero
EC_KEY_METHOD_set_sign
RSAPublicKey_dup
X509_get_pubkey
EC_KEY_set_method
RSA_meth_set_priv_enc
o2i_ECPublicKey
d2i_ECPKParameters
EC_KEY_METHOD_get_sign
RSA_meth_set1_name
d2i_ASN1_OCTET_STRING
RSA_new
RSA_free
d2i_X509
ERR_get_error
d2i_X509_NAME
BN_free
EC_KEY_get_ex_data
EC_KEY_set_ex_data
EC_KEY_set_group
X509_NAME_free
RSA_set_method
EVP_PKEY_get0_EC_KEY
EC_KEY_free
EVP_PKEY_get0_RSA
RSA_meth_dup
ECDSA_SIG_free
RSA_set_ex_data
ERR_error_string
EC_GROUP_free
EC_KEY_new
RSA_get_ex_data
RSA_get_default_method
RSA_get_ex_new_index
RSA_meth_set_priv_dec
ECDSA_SIG_set0
X509_free
X509_NAME_oneline
RSA_set0_key
CRYPTO_get_ex_new_index
ASN1_OCTET_STRING_free
EC_KEY_METHOD_new
EC_KEY_dup
EVP_PKEY_base_id
EC_KEY_OpenSSL
ECDSA_SIG_new
BN_bin2bn
ECDSA_size
RSA_private_encrypt
ECDSA_sign
RSA_size

crypt32

CryptBinaryToStringA
CryptStringToBinaryA

ws2_32

WSASend
WSAStartup
getsockname
WSARecv
WSAGetOverlappedResult
setsockopt
closesocket
WSADuplicateSocketW
WSASocketW
WSAGetLastError
socket

kernel32

HeapFree
FreeLibraryAndExitThread
ExitThread
CreateThread
FindNextFileW
FindFirstFileExW
FindClose
GetCurrentDirectoryW
SetEnvironmentVariableW
GetFullPathNameW
SetStdHandle
GetCommandLineW
GetCommandLineA
GetModuleHandleExW
ExitProcess
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
SetLastError
RtlUnwindEx
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
HeapAlloc
CompareStringW
LCMapStringW
GetStringTypeW
GetNumberOfConsoleInputEvents
PeekConsoleInputA
ReadConsoleW
HeapReAlloc
GetFileSizeEx
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
HeapSize
RaiseException
GetLocalTime
LoadLibraryExW
ReadConsoleOutputA
SetConsoleCursorPosition
GetConsoleWindow
Beep
FillConsoleOutputAttribute
WriteConsoleOutputA
ReadConsoleInputW
SetConsoleCursorInfo
SetConsoleWindowInfo
GetConsoleCP
GetConsoleCursorInfo
ScrollConsoleScreenBufferA
SetConsoleScreenBufferSize
SetConsoleTextAttribute
FillConsoleOutputCharacterA
CreateWaitableTimerA
WriteConsoleW
CancelIoEx
CancelSynchronousIo
GetConsoleMode
SetConsoleMode
WriteFile
ReadFile
WaitForSingleObjectEx
WaitForMultipleObjectsEx
GetDriveTypeW
GetFinalPathNameByHandleW
QueueUserAPC
SetConsoleCtrlHandler
CreateEventA
VerifyVersionInfoW
VerSetConditionMask
ResetEvent
SetEvent
SleepEx
ReadFileEx
CreateFileA
WriteFileEx
CreateNamedPipeA
CancelIo
MultiByteToWideChar
GetExitCodeProcess
SetHandleInformation
WideCharToMultiByte
FreeLibrary
LocalFree
GetProcAddress
LoadLibraryW
FormatMessageW
CreateFileW
WaitForSingleObject
GetConsoleScreenBufferInfo
FlushFileBuffers
OpenThread
GetFileType
CreateProcessW
GetCurrentProcessId
SetFilePointerEx
CloseHandle
GetLastError
GetTickCount64
DuplicateHandle
GetCurrentThreadId
SetEndOfFile
TerminateProcess
GetStdHandle
GetCurrentProcess
GetModuleFileNameW

user32

ShowWindow
GetWindowPlacement

advapi32

EventWrite
EventRegister
CreateProcessAsUserW
GetTokenInformation
GetLengthSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenProcessToken
IsValidSecurityDescriptor
IsWellKnownSid
CopySid
ConvertSidToStringSidW

Sections

.text
Size: 235KB - Virtual size: 235KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 188KB - Virtual size: 188KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 177KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ffdae8dca81b90f70106aaac5a8a7c88

Code Sign

33:00:00:02:cb:b7:75:39:fb:02:71:42:36:00:00:00:00:02:cbCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

9b:5b:0b:54:9e:7a:d1:f1:39:f5:e6:a2:08:af:cd:6d:d1:bc:92:c3:1b:ed:cd:ee:0c:a1:88:d7:f0:c5:fd:b5Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

libcrypto

crypt32

ws2_32

kernel32

user32

advapi32

Sections

.text Size: 235KB - Virtual size: 235KB

.rdata Size: 188KB - Virtual size: 188KB

.data Size: 3KB - Virtual size: 177KB

.pdata Size: 14KB - Virtual size: 13KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 2KB - Virtual size: 2KB

33:00:00:02:cb:b7:75:39:fb:02:71:42:36:00:00:00:00:02:cb
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

9b:5b:0b:54:9e:7a:d1:f1:39:f5:e6:a2:08:af:cd:6d:d1:bc:92:c3:1b:ed:cd:ee:0c:a1:88:d7:f0:c5:fd:b5
Signer

.text
Size: 235KB - Virtual size: 235KB

.rdata
Size: 188KB - Virtual size: 188KB

.data
Size: 3KB - Virtual size: 177KB

.pdata
Size: 14KB - Virtual size: 13KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 2KB - Virtual size: 2KB