2024-09-21_fcbf9037aa982421a51e150d6e5e1360_ryuk

Sharing

Copy URL

Twitter E-mail

General

Target

2024-09-21_fcbf9037aa982421a51e150d6e5e1360_ryuk
Size

14.1MB
MD5

fcbf9037aa982421a51e150d6e5e1360
SHA1

ded6dc624818a82ab71806f8523df643a854f0a1
SHA256

398ca66b89aeb3814fb6d3f4a40f8d7ede6912abe8337ce77a412dc381774800
SHA512

3a3cd6f507af8240ca351883c09e4955a1ec6056540da15ba36b9a547c6132e0b7cf4ab0911bee88a7cbf2208d450949774b816aba97f8419c4ec9e940916784
SSDEEP

196608:zRHNwCAy2gWmmmhnjr0M91pei1GEiSAUddl+Bu:zBNwvy2g/mQnjQMRXhlr

Score

1^/10

Malware Config

Signatures

Files

2024-09-21_fcbf9037aa982421a51e150d6e5e1360_ryuk
.exe windows:6 windows x64 arch:x64

79f6f28c493c4e50eda3b128179c634b

Code Sign

05:d3:ac:4a:89:44:68:9e:10:38:0a:ae:2b:1b:fe:be
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

21-06-2018 00:00

Not After

22-07-2021 12:00

Subject

CN=Adlice,O=Adlice,L=Sautron,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22-10-2013 12:00

Not After

22-10-2028 12:00

Subject

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Certificate

Issuer

CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22-10-2014 00:00

Not After

22-10-2024 00:00

Subject

CN=DigiCert Timestamp Responder,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10-11-2006 00:00

Not After

10-11-2021 00:00

Subject

CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageEmailProtection
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e8:02:4b:36:18:a2:63:82:84:9c:95:75:74:24:95:30:a8:77:7c:17
Signer

Actual PE Digest

e8:02:4b:36:18:a2:63:82:84:9c:95:75:74:24:95:30:a8:77:7c:17

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Adlice\RogueKillerCMD\x64\RelWithDebInfo\roguekillercmd.pdb

Imports

kernel32

GetUserGeoID
GetThreadLocale
SetThreadLocale
VerSetConditionMask
VerifyVersionInfoW
DeviceIoControl
LocalAlloc
FlushFileBuffers
GetDiskFreeSpaceW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
GetVolumeInformationW
GetVolumePathNameW
QueryDosDeviceW
ReadFile
SetFilePointerEx
GetVolumeNameForVolumeMountPointW
GetCompressedFileSizeW
WaitForMultipleObjectsEx
VirtualAlloc
VirtualFree
lstrcmpiW
lstrlenW
IsBadReadPtr
IsBadWritePtr
lstrcmpA
lstrcpyW
RaiseException
CreateThread
OpenThread
VirtualAllocEx
VirtualFreeEx
ReadProcessMemory
WriteProcessMemory
K32GetMappedFileNameW
CreateRemoteThread
LoadLibraryW
Module32FirstW
Module32NextW
K32GetModuleInformation
DefineDosDeviceW
GetVolumePathNamesForVolumeNameW
FreeLibrary
SetHandleInformation
CreatePipe
ConnectNamedPipe
DisconnectNamedPipe
SetNamedPipeHandleState
CreateNamedPipeW
WaitNamedPipeW
GetOverlappedResult
CancelIo
OutputDebugStringW
SetErrorMode
GlobalMemoryStatusEx
GetSystemInfo
FormatMessageW
SetFilePointer
ResetEvent
WaitForMultipleObjects
SuspendThread
QueueUserWorkItem
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
SwitchToFiber
DeleteFiber
CreateFiber
QueryPerformanceCounter
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
LoadLibraryA
GetEnvironmentVariableW
ReadConsoleA
ReadConsoleW
FormatMessageA
GetTickCount64
InitializeCriticalSectionEx
SleepEx
WaitForSingleObjectEx
GetGeoInfoW
PeekNamedPipe
GetSystemDirectoryA
VerifyVersionInfoA
SwitchToThread
GetCurrentThread
GetThreadTimes
QueryPerformanceFrequency
VirtualQuery
GetLocaleInfoW
GetModuleFileNameW
GetVersionExW
LockFileEx
UnlockFile
HeapCompact
DeleteFileA
FlushViewOfFile
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapValidate
CreateMutexW
UnlockFileEx
InitializeCriticalSection
LockFile
AreFileApisANSI
VirtualQueryEx
CreateFileMappingA
CreateFileA
GetFileSize
HeapDestroy
HeapCreate
CreateMutexA
ReleaseMutex
GetVersionExA
GetThreadContext
GetCurrentDirectoryA
GetEnvironmentVariableA
TryEnterCriticalSection
FindResourceW
SizeofResource
LockResource
LoadResource
GetFileSizeEx
SetEndOfFile
OutputDebugStringA
SetEnvironmentVariableW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
Sleep
CreateEventW
SetEvent
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetComputerNameW
GetSystemDirectoryW
GetTempPathW
GetTempFileNameW
GetProcessHeap
HeapFree
HeapAlloc
Thread32Next
Thread32First
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
K32GetProcessImageFileNameW
K32GetModuleFileNameExW
K32GetModuleBaseNameW
GetModuleHandleA
TerminateJobObject
AssignProcessToJobObject
CreateJobObjectW
OpenProcess
SetThreadContext
GetProcessId
GetPriorityClass
SetPriorityClass
CreateProcessW
TerminateThread
GetExitCodeProcess
TerminateProcess
CloseHandle
GetCurrentProcessId
GetCurrentProcess
GetProcessTimes
WaitForSingleObject
SetLastError
DuplicateHandle
GetTimeFormatW
GetDateFormatW
SystemTimeToFileTime
FileTimeToSystemTime
TzSpecificLocalTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetSystemTime
CompareFileTime
CreateConsoleScreenBuffer
WriteConsoleW
SetConsoleMode
ReadConsoleInputW
GetNumberOfConsoleInputEvents
GetConsoleMode
SetConsoleTextAttribute
SetConsoleWindowInfo
SetConsoleCursorInfo
SetConsoleCursorPosition
SetConsoleScreenBufferSize
SetConsoleActiveScreenBuffer
GetConsoleCursorInfo
GetConsoleScreenBufferInfo
FillConsoleOutputCharacterW
WriteConsoleOutputW
ReadConsoleOutputW
WriteFile
GetStdHandle
MoveFileExW
MoveFileW
CopyFileW
SetFileAttributesW
RemoveDirectoryW
GetFileTime
GetFileAttributesExW
GetFileAttributesW
FindNextFileW
FindFirstFileW
CreateDirectoryW
BackupSeek
BackupRead
GetProcAddress
GetModuleHandleW
IsValidCodePage
FindNextFileA
FindFirstFileExW
FindFirstFileExA
GetTimeZoneInformation
HeapQueryInformation
HeapSize
GetFullPathNameA
SetCurrentDirectoryW
SetStdHandle
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
CreateProcessA
GetConsoleCP
GetACP
GetCommandLineA
GetModuleFileNameA
HeapReAlloc
FreeLibraryAndExitThread
ResumeThread
ExitThread
ExitProcess
LoadLibraryExW
InterlockedFlushSList
InterlockedPushEntrySList
RtlUnwindEx
RtlPcToFileHeader
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
LCMapStringW
CompareStringW
GetCPInfo
DecodePointer
EncodePointer
GetStringTypeW
FindClose
DeleteFileW
CreateFileW
WideCharToMultiByte
MultiByteToWideChar
GetTickCount
GetShortPathNameW
GetLongPathNameW
GetFullPathNameW
GetCurrentDirectoryW
ExpandEnvironmentStringsW
LocalFree
GetCommandLineW
SetConsoleCtrlHandler
GetLastError
ExpandEnvironmentStringsA

user32

MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
SystemParametersInfoW
FindWindowExW
FindWindowW
GetSystemMetrics
ShowWindow
ExitWindowsEx
LoadStringW
GetWindowTextW
GetWindowThreadProcessId
DestroyIcon
CreateIconFromResourceEx
EnumWindows
GetShellWindow
PostThreadMessageW
PostMessageW

shell32

CommandLineToArgvW
ord68
ShellExecuteExW
SHGetFolderPathW
ShellExecuteW
SHGetSpecialFolderLocation
SHChangeNotify
SHGetMalloc

ole32

CoSetProxyBlanket
CoTaskMemFree
CoCreateInstance
CoInitializeSecurity
CoInitializeEx
StringFromCLSID
CoUninitialize

oleaut32

SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetLBound
SafeArrayGetUBound
VariantInit
SysStringLen
SysFreeString
SysAllocString
SetErrorInfo
VariantChangeType
SafeArrayDestroy
CreateErrorInfo
VariantClear
GetErrorInfo

advapi32

QueryServiceStatus
LookupPrivilegeValueA
GetUserNameA
OpenProcessToken
AdjustTokenPrivileges
DuplicateTokenEx
LookupPrivilegeValueW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegEnumValueW
RegLoadKeyW
RegOpenKeyExW
RegQueryInfoKeyW
CryptGenRandom
CryptAcquireContextA
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
LookupAccountNameW
ConvertStringSidToSidW
ConvertSidToStringSidW
FreeInheritedFromArray
GetInheritanceSourceW
SetNamedSecurityInfoW
GetNamedSecurityInfoW
GetExplicitEntriesFromAclW
RegSetKeySecurity
RegGetKeySecurity
LookupAccountSidW
IsValidSid
GetSecurityDescriptorOwner
GetSecurityDescriptorDacl
GetAclInformation
GetAce
SetSecurityInfo
SetEntriesInAclW
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
SetKernelObjectSecurity
IsValidSecurityDescriptor
InitializeSecurityDescriptor
InitializeAcl
GetTokenInformation
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
StartServiceW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
QueryServiceStatusEx
QueryServiceConfig2W
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
EnumServicesStatusW
EnumDependentServicesW
DeleteService
CreateServiceW
ControlService
CloseServiceHandle
ChangeServiceConfig2W
ChangeServiceConfigW
RegQueryValueExW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
GetUserNameW
RegSaveKeyExW
RegUnLoadKeyW
RegSetValueExW
RegRestoreKeyW
GetSecurityInfo

shlwapi

PathUnquoteSpacesW
PathSearchAndQualifyW
PathRenameExtensionW
PathRemoveFileSpecW
PathUnExpandEnvStringsW
StrFormatByteSizeW
PathRemoveExtensionW
AssocQueryStringW
StrCmpNIW
StrDupW
StrCmpIW
PathMakePrettyW
PathFileExistsW
PathCommonPrefixW
PathCompactPathW
PathCanonicalizeW
PathBuildRootW
PathAppendW
PathRemoveBackslashW
PathRemoveArgsW
PathQuoteSpacesW
PathIsURLW
PathIsNetworkPathW
PathIsUNCW
PathIsSameRootW
PathRemoveBlanksW
PathIsRootW
PathIsRelativeW
PathIsPrefixW
PathIsDirectoryEmptyW
PathIsDirectoryW
PathAddBackslashW
PathGetDriveNumberW
PathIsLFNFileSpecW
PathGetArgsW
PathFindNextComponentW
PathFindFileNameW
UrlEscapeW
PathFindExtensionW

ntdll

NtDeleteKey
NtUnloadDriver
NtLoadDriver
RtlInitUnicodeString
NtDeleteValueKey
NtSetValueKey
NtCreateKey
NtQueryKey
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtOpenKey

wininet

InternetGetConnectedState
InternetCrackUrlW

userenv

GetProfilesDirectoryW

winhttp

WinHttpOpen
WinHttpQueryHeaders
WinHttpCloseHandle
WinHttpSendRequest
WinHttpOpenRequest
WinHttpSetOption
WinHttpQueryDataAvailable
WinHttpWriteData
WinHttpReadData
WinHttpConnect
WinHttpReceiveResponse

iphlpapi

GetAdaptersAddresses

wintrust

CryptCATAdminReleaseCatalogContext
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
CryptCATCatalogInfoFromContext
WinVerifyTrust
CryptCATAdminEnumCatalogFromHash
CryptCATAdminReleaseContext

mpr

WNetGetConnectionW

wsock32

getsockopt
ntohs
gethostbyname
WSAStartup
WSACleanup
WSAGetLastError
getsockname
inet_ntoa
getpeername
recv
send
gethostname
sendto
recvfrom
htons
shutdown
select
__WSAFDIsSet
socket
setsockopt
listen
connect
closesocket
bind
accept
WSASetLastError

bcrypt

BCryptGenRandom

ws2_32

getaddrinfo
WSAAddressToStringW
WSAIoctl
inet_pton
getnameinfo
freeaddrinfo

crypt32

CertGetCertificateContextProperty
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertOpenStore
CryptQueryObject
CertGetNameStringW
CertNameToStrW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CryptMsgClose
CryptDecodeObject

version

VerQueryValueW
GetFileVersionInfoSizeA
GetFileVersionInfoA
GetFileVersionInfoW
GetFileVersionInfoSizeW

Exports

Exports

yr_compiler_add_fd
yr_compiler_add_file
yr_compiler_add_string
yr_compiler_create
yr_compiler_define_boolean_variable
yr_compiler_define_float_variable
yr_compiler_define_integer_variable
yr_compiler_define_string_variable
yr_compiler_destroy
yr_compiler_get_current_file_name
yr_compiler_get_error_message
yr_compiler_get_rules
yr_compiler_load_atom_quality_table
yr_compiler_set_atom_quality_table
yr_compiler_set_callback
yr_compiler_set_include_callback
yr_compiler_set_re_ast_callback
yr_filemap_map
yr_filemap_map_ex
yr_filemap_map_fd
yr_filemap_unmap
yr_filemap_unmap_fd
yr_finalize
yr_get_configuration
yr_get_tidx
yr_hash_table_add
yr_hash_table_add_raw_key
yr_hash_table_clean
yr_hash_table_create
yr_hash_table_destroy
yr_hash_table_lookup
yr_hash_table_lookup_raw_key
yr_hash_table_remove
yr_hash_table_remove_raw_key
yr_initialize
yr_object_print_data
yr_process_close_iterator
yr_process_fetch_memory_block_data
yr_process_get_first_memory_block
yr_process_get_next_memory_block
yr_process_open_iterator
yr_rule_disable
yr_rule_enable
yr_rules_define_boolean_variable
yr_rules_define_float_variable
yr_rules_define_integer_variable
yr_rules_define_string_variable
yr_rules_destroy
yr_rules_get_stats
yr_rules_load
yr_rules_load_stream
yr_rules_save
yr_rules_save_stream
yr_rules_scan_fd
yr_rules_scan_file
yr_rules_scan_mem
yr_rules_scan_mem_blocks
yr_rules_scan_proc
yr_set_configuration
yr_set_tidx

Sections

.text
Size: 6.4MB - Virtual size: 6.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 88KB - Virtual size: 159KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 399KB - Virtual size: 399KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5.0MB - Virtual size: 5.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

79f6f28c493c4e50eda3b128179c634b

Code Sign

05:d3:ac:4a:89:44:68:9e:10:38:0a:ae:2b:1b:fe:beCertificate

Extended Key Usages

Key Usages

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08Certificate

Extended Key Usages

Key Usages

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66Certificate

Extended Key Usages

Key Usages

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1bCertificate

Extended Key Usages

Key Usages

e8:02:4b:36:18:a2:63:82:84:9c:95:75:74:24:95:30:a8:77:7c:17Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

shell32

ole32

oleaut32

advapi32

shlwapi

ntdll

wininet

userenv

winhttp

iphlpapi

wintrust

mpr

wsock32

bcrypt

ws2_32

crypt32

version

Exports

Exports

Sections

.text Size: 6.4MB - Virtual size: 6.4MB

.rdata Size: 2.1MB - Virtual size: 2.1MB

.data Size: 88KB - Virtual size: 159KB

.pdata Size: 399KB - Virtual size: 399KB

.gfids Size: 2KB - Virtual size: 1KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 5.0MB - Virtual size: 5.0MB

.reloc Size: 46KB - Virtual size: 45KB

05:d3:ac:4a:89:44:68:9e:10:38:0a:ae:2b:1b:fe:be
Certificate

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Certificate

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
Certificate

e8:02:4b:36:18:a2:63:82:84:9c:95:75:74:24:95:30:a8:77:7c:17
Signer

.text
Size: 6.4MB - Virtual size: 6.4MB

.rdata
Size: 2.1MB - Virtual size: 2.1MB

.data
Size: 88KB - Virtual size: 159KB

.pdata
Size: 399KB - Virtual size: 399KB

.gfids
Size: 2KB - Virtual size: 1KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 5.0MB - Virtual size: 5.0MB

.reloc
Size: 46KB - Virtual size: 45KB