Extended Key Usages
ExtKeyUsageCodeSigning
Static task
static1
Behavioral task
behavioral1
Sample
2024-07-26_aa097467a4fd6fd4134ea2c06b1627d2_ryuk.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-07-26_aa097467a4fd6fd4134ea2c06b1627d2_ryuk.exe
Resource
win10v2004-20240709-en
Target
2024-07-26_aa097467a4fd6fd4134ea2c06b1627d2_ryuk
Size
750KB
MD5
aa097467a4fd6fd4134ea2c06b1627d2
SHA1
4c0449942fa1a05d4c9829e0a0896857ce236490
SHA256
1b4e0e4e1276b17a1e1ebcabfff70246ff886676beb7d303ce8c591cd1e210ab
SHA512
ff8c3085dd48ffbfab9057197298d4c1184b5672586348a7b842c6ccf959468a808e4da1a72c02018cfd5c000914139986688003023137015424870d3c9a5d82
SSDEEP
12288:DQzAsqcntjrXvAMSMsOjF2crNcDeDMr8lf/BnFvY608RAo:DOWotrLSMsOjI2NmeG8lf/HYoF
ExtKeyUsageCodeSigning
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
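PDB path: D:\a\_work\1\s\OSS_Microsoft_OpenSSH_Dev\bin\x64\Release\ssh-keygen.pdb
(This debug path names a Microsoft OpenSSH ssh-keygen build, and the libcrypto, console and Winsock imports listed below appear consistent with that tool, so the static data shown here does not by itself corroborate the "ryuk" tag in the sample filename. A modified or infected copy of a legitimate binary would retain these strings, so check whether the code-signing signature still validates and compare the hashes above against the vendor's release before drawing a conclusion either way.)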
EC_POINT_point2oct
DSA_SIG_set0
DSA_free
DSA_do_sign
DSA_get0_key
BN_bn2bin
DSA_do_verify
DSA_SIG_get0
DSA_new
DSA_SIG_new
DSA_get0_pqg
DSA_generate_key
DSA_generate_parameters_ex
DSA_SIG_free
ECDSA_do_sign
EC_POINT_cmp
EC_KEY_set_private_key
EC_KEY_generate_key
ECDSA_SIG_get0
EC_KEY_set_public_key
EC_KEY_set_asn1_flag
ECDSA_do_verify
EC_POINT_oct2point
EVP_sha384
EVP_MD_CTX_copy_ex
EVP_MD_CTX_new
EVP_md5
EVP_sha256
EVP_DigestUpdate
EVP_Digest
EVP_MD_CTX_free
EVP_DigestInit_ex
EVP_MD_CTX_md
EVP_sha1
EVP_MD_block_size
EVP_sha512
EVP_DigestFinal_ex
EVP_CIPHER_CTX_key_length
EVP_CIPHER_CTX_new
EVP_aes_256_cbc
EVP_CipherInit
EVP_aes_128_ctr
EVP_aes_256_ctr
EVP_des_ede3_cbc
EVP_aes_192_cbc
EVP_CIPHER_CTX_ctrl
EVP_CIPHER_CTX_set_key_length
EVP_aes_192_ctr
EVP_Cipher
EVP_aes_256_gcm
EVP_aes_128_gcm
EVP_CIPHER_CTX_free
BN_dup
RSA_generate_key_ex
BN_set_flags
RSA_public_decrypt
RSA_set0_crt_params
RSA_sign
BN_div
RSA_get0_factors
RSA_get0_crt_params
BN_CTX_new
BN_CTX_free
BN_lshift
BN_is_prime_ex
BN_copy
BN_rand
BN_rshift
BN_set_bit
BN_add
BN_bn2hex
BN_add_word
arc4random_uniform
EC_KEY_new_by_curve_name
BN_mod_word
EC_KEY_METHOD_set_sign
RSAPublicKey_dup
X509_get_pubkey
EC_KEY_set_method
RSA_meth_set_priv_enc
o2i_ECPublicKey
d2i_ECPKParameters
EC_KEY_METHOD_get_sign
RSA_meth_set1_name
d2i_ASN1_OCTET_STRING
RSA_new
RSA_free
d2i_X509
d2i_X509_NAME
BN_free
ECDSA_size
EC_KEY_get_ex_data
EC_KEY_set_ex_data
X509_NAME_free
RSA_set_method
EVP_PKEY_get0_EC_KEY
EC_KEY_free
EVP_PKEY_get0_RSA
RSA_meth_dup
ECDSA_SIG_free
RSA_set_ex_data
ERR_error_string
EC_KEY_new
RSA_size
RSA_get_ex_data
RSA_get_default_method
RSA_get_ex_new_index
RSA_meth_set_priv_dec
ECDSA_SIG_set0
X509_free
X509_NAME_oneline
CRYPTO_get_ex_new_index
ASN1_OCTET_STRING_free
EC_KEY_METHOD_new
EC_KEY_dup
EC_KEY_OpenSSL
ECDSA_SIG_new
RAND_status
SSLeay
gettimeofday
timegm
EVP_PKEY_set1_RSA
RSA_blinding_on
EC_GROUP_get_order
BIO_new
BIO_ctrl
ERR_peek_error
BN_value_one
PEM_write_bio_DSAPrivateKey
EVP_PKEY_new
EC_METHOD_get_field_type
EC_POINT_mul
EVP_PKEY_set1_DSA
ERR_get_error
EC_POINT_get_affine_coordinates_GFp
BN_print_fp
ERR_peek_last_error
arc4random
EC_KEY_set_group
EC_POINT_is_at_infinity
arc4random_buf
BIO_s_mem
RSA_get0_key
PEM_read_bio_PrivateKey
EC_POINT_free
EVP_aes_128_cbc
EC_KEY_get0_public_key
EC_GROUP_free
EC_POINT_new
BIO_write
BIO_free
EC_GROUP_cmp
PEM_write_bio_ECPrivateKey
EC_GROUP_set_asn1_flag
EC_GROUP_get_curve_name
EC_KEY_get0_private_key
PEM_write_bio_RSAPrivateKey
PEM_write_bio_PrivateKey
EC_KEY_get0_group
BN_cmp
BN_sub
EC_GROUP_new_by_curve_name
EC_GROUP_method_of
BN_num_bits
EVP_PKEY_set1_EC_KEY
BN_clear_free
BN_hex2bn
EVP_PKEY_get1_EC_KEY
PEM_read_PUBKEY
DSA_set0_key
PEM_write_RSA_PUBKEY
BN_set_word
PEM_write_RSAPublicKey
PEM_read_RSAPublicKey
EVP_PKEY_free
EVP_PKEY_get1_RSA
PEM_write_DSA_PUBKEY
RSA_set0_factors
EVP_PKEY_get1_DSA
BN_new
PEM_write_DSAPrivateKey
DSA_set0_pqg
PEM_write_EC_PUBKEY
RSA_set0_key
explicit_bzero
EVP_PKEY_base_id
PEM_write_ECPrivateKey
PEM_write_RSAPrivateKey
BN_bin2bn
CryptStringToBinaryA
CryptBinaryToStringA
WSADuplicateSocketW
WSASocketW
WSACleanup
FreeAddrInfoW
bind
WSAIoctl
closesocket
WSASend
WSAStartup
getsockname
socket
gethostname
GetAddrInfoW
WSARecv
WSAGetOverlappedResult
setsockopt
WSAGetLastError
htonl
ExitThread
CreateThread
FindNextFileW
FindFirstFileExW
FindClose
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetCommandLineW
GetCommandLineA
GetCurrentDirectoryW
SetEnvironmentVariableW
DeleteFileW
GetFullPathNameW
SetFileAttributesW
RemoveDirectoryW
SetStdHandle
GetModuleHandleExW
ExitProcess
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
SetLastError
RtlUnwindEx
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetConsoleOutputCP
SetConsoleMode
HeapAlloc
GetFileSizeEx
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetTimeZoneInformation
GetStringTypeW
GetNumberOfConsoleInputEvents
PeekConsoleInputA
ReadConsoleW
HeapReAlloc
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
HeapSize
RaiseException
EncodePointer
GetLocalTime
RtlPcToFileHeader
CreateWaitableTimerA
CancelIoEx
CancelSynchronousIo
WriteFile
ReadFile
WaitForSingleObjectEx
WaitForMultipleObjectsEx
LoadLibraryExW
GetFinalPathNameByHandleW
QueueUserAPC
SetConsoleCtrlHandler
GetDriveTypeW
GetDiskFreeSpaceExW
GetLogicalDriveStringsW
ReadFileEx
GetFileAttributesExW
GetFileInformationByHandle
CreateHardLinkW
WriteFileEx
DeviceIoControl
CreateNamedPipeA
CancelIo
GetExitCodeProcess
ReadConsoleOutputA
SetConsoleCursorPosition
GetConsoleWindow
Beep
WriteConsoleW
FillConsoleOutputAttribute
WriteConsoleOutputA
CreateFileA
ReadConsoleInputW
SetConsoleCursorInfo
GetConsoleMode
SetConsoleWindowInfo
GetConsoleCP
GetConsoleCursorInfo
ScrollConsoleScreenBufferA
SetConsoleScreenBufferSize
SetConsoleTextAttribute
FillConsoleOutputCharacterA
MultiByteToWideChar
FlushFileBuffers
OpenThread
CreateProcessW
GetCurrentProcessId
SetFilePointerEx
GetTickCount64
DuplicateHandle
GetCurrentThreadId
SetEndOfFile
TerminateProcess
SetHandleInformation
GetWindowsDirectoryW
GetSystemDirectoryW
ExpandEnvironmentStringsW
CreateEventA
VerifyVersionInfoW
SleepEx
VerSetConditionMask
ResetEvent
SetEvent
GetFileType
WideCharToMultiByte
FreeLibrary
GetComputerNameW
MoveFileExW
LocalFree
GetProcAddress
LoadLibraryW
FreeLibraryAndExitThread
HeapFree
CloseHandle
GetLastError
FormatMessageW
CreateFileW
WaitForSingleObject
GetStdHandle
GetCurrentProcess
GetConsoleScreenBufferInfo
CreateDirectoryW
GetModuleFileNameW
SetConsoleOutputCP
GetWindowPlacement
ShowWindow
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetTokenInformation
EventWrite
EventRegister
LookupAccountNameW
IsValidAcl
GetLengthSid
OpenProcessToken
IsValidSecurityDescriptor
IsValidSid
IsWellKnownSid
GetNamedSecurityInfoW
CopySid
CreateWellKnownSid
GetAce
GetSidIdentifierAuthority
RegQueryValueExW
LookupAccountSidW
ConvertSidToStringSidW
RegOpenKeyExW
RegCloseKey
CreateProcessAsUserW
EqualSid
ConvertSidToStringSidA
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ