2024-09-30_e6b30ea949a28d5cfb2b5d89bf45eb7f_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-09-30_e6b30ea949a28d5cfb2b5d89bf45eb7f_ryuk
Size

4.1MB
MD5

e6b30ea949a28d5cfb2b5d89bf45eb7f
SHA1

2db6b38bb53b3eaf457cbbe41519b17df096a17d
SHA256

e378da6bc9731e6c5ae240bdbf883ee37a7d4af3ba367fd03601535f2e021c81
SHA512

ddfe1847e36c21f3505a8aab39a3fc21681f44c5e60207c01111601d67d3f5e860c43a53715e1ae10547f5758726bc276f35cc5d5744036358ab28ae0c72a23e
SSDEEP

49152:3RODqfHvHmEoiTDrgtlLyo5ZiR7KUzX/XhL8vXgt2GZA6FUzzDPU4uI52I:BNfHfp3UC52GTFUwo

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-09-30_e6b30ea949a28d5cfb2b5d89bf45eb7f_ryuk

Files

2024-09-30_e6b30ea949a28d5cfb2b5d89bf45eb7f_ryuk
.exe windows:5 windows x64 arch:x64

736916ec6d86908aba7a8811c053edd5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetModuleFileNameA
ExitProcess
CreateProcessA
WideCharToMultiByte
MultiByteToWideChar
PeekNamedPipe
GetDriveTypeW
GetModuleHandleExW
OutputDebugStringW
InitializeSListHead
GetStartupInfoW
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
ReadConsoleW
ReadConsoleA
SetConsoleMode
GetConsoleMode
CreateFileMappingA
GetProcAddress
GetModuleFileNameW
FreeLibrary
GetACP
GetEnvironmentVariableW
WriteFile
GetFileType
GetStdHandle
FindNextFileW
FindClose
SystemTimeToFileTime
GetSystemTime
FormatMessageA
GetSystemDirectoryA
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
lstrlenA
GetModuleHandleA
GetFileSize
CreateFileA
DeleteCriticalSection
GetProcessHeap
HeapDestroy
UnmapViewOfFile
MapViewOfFileEx
GetModuleHandleW
VirtualQuery
VirtualFree
VirtualAlloc
GetSystemDirectoryW
GetTickCount
GetSystemTimeAsFileTime
IsProcessorFeaturePresent
GetCurrentThreadId
SwitchToThread
TerminateProcess
GetCurrentProcessId
GetCurrentProcess
Sleep
CreateEventW
CreateEventA
WaitForSingleObjectEx
WaitForSingleObject
ResetEvent
SetEvent
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
QueryPerformanceCounter
SetLastError
GetLastError
RaiseException
AreFileApisANSI
GetFileInformationByHandle
GetFileAttributesW
FindFirstFileW
CreateFileW

user32

TranslateMessage
DispatchMessageA
PeekMessageA
MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
MsgWaitForMultipleObjects

advapi32

CryptEnumProvidersW
CryptGetUserKey
CryptGetProvParam
ReportEventW
RegisterEventSourceW
DeregisterEventSource
CryptAcquireContextW
CryptReleaseContext
CryptDestroyKey
CryptSetHashParam
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
CryptSignHashW

shlwapi

StrChrA

ws2_32

inet_ntoa
inet_addr
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
recv
connect
WSACleanup
WSAStartup
socket
bind
gethostbyaddr
WSAIoctl
shutdown
setsockopt
send
htons
gethostbyname
htonl
getsockopt
getsockname
getpeername
ioctlsocket
closesocket
getservbyport
WSAGetLastError
__WSAFDIsSet
select
WSASetLastError
getaddrinfo
freeaddrinfo
getservbyname
WSAStringToAddressA
ntohs

crypt32

CertFindCertificateInStore
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore

winmm

timeBeginPeriod
timeEndPeriod
timeGetDevCaps
timeGetTime

msvcrt

strtol
fputs
signal
tolower
isdigit
_initterm
_initterm_e
_set_fmode
_callnewh
__pctype_func
___mb_cur_max_func
wcsnlen
wcstol
_mbtowc_l
wctomb_s
_lock
_unlock
_iob
_getdrive
__doserrno
wcspbrk
_wcsicmp
_wfullpath
___lc_codepage_func
__getmainargs
_msize
_XcptFilter
__set_app_type
_ismbblead
_acmdln
?_set_new_mode@@YAHH@Z
_commode
?terminate@@YAXXZ
_isatty
_strtoui64
ceil
log10
_clearfp
getenv
raise
fopen
_wfopen
isspace
strcspn
strspn
strncpy
_setmode
setvbuf
ftell
fseek
fread
_fileno
fflush
ferror
strtoul
strncpy_s
strcat_s
strcpy_s
strcmp
qsort
_gmtime64_s
atoi
fgets
feof
fclose
strncmp
abort
_beginthreadex
realloc
strnlen
_errno
calloc
_time64
malloc
free
wcsstr
memchr
strrchr
strchr
strstr
__CxxFrameHandler3
_CxxThrowException
memset
memmove
memcpy
memcmp
__C_specific_handler
wcsrchr
strerror_s
_amsg_exit

Exports

Exports

LZ4_attach_dictionary
LZ4_compress
LZ4_compressBound
LZ4_compress_continue
LZ4_compress_default
LZ4_compress_destSize
LZ4_compress_fast
LZ4_compress_fast_continue
LZ4_compress_fast_extState
LZ4_compress_limitedOutput
LZ4_compress_limitedOutput_continue
LZ4_compress_limitedOutput_withState
LZ4_compress_withState
LZ4_create
LZ4_createStream
LZ4_createStreamDecode
LZ4_decoderRingBufferSize
LZ4_decompress_fast
LZ4_decompress_fast_continue
LZ4_decompress_fast_usingDict
LZ4_decompress_fast_withPrefix64k
LZ4_decompress_safe
LZ4_decompress_safe_continue
LZ4_decompress_safe_partial
LZ4_decompress_safe_partial_usingDict
LZ4_decompress_safe_usingDict
LZ4_decompress_safe_withPrefix64k
LZ4_freeStream
LZ4_freeStreamDecode
LZ4_initStream
LZ4_loadDict
LZ4_loadDictSlow
LZ4_resetStream
LZ4_resetStreamState
LZ4_resetStream_fast
LZ4_saveDict
LZ4_setStreamDecode
LZ4_sizeofState
LZ4_sizeofStreamState
LZ4_slideInputBuffer
LZ4_uncompress
LZ4_uncompress_unknownOutputSize
LZ4_versionNumber
LZ4_versionString
llhttp_errno_name
llhttp_execute
llhttp_finish
llhttp_get_errno
llhttp_get_error_pos
llhttp_get_error_reason
llhttp_get_http_major
llhttp_get_http_minor
llhttp_get_method
llhttp_get_status_code
llhttp_get_type
llhttp_get_upgrade
llhttp_init
llhttp_message_needs_eof
llhttp_method_name
llhttp_pause
llhttp_reset
llhttp_resume
llhttp_resume_after_upgrade
llhttp_set_error_reason
llhttp_set_lenient_chunked_length
llhttp_set_lenient_data_after_close
llhttp_set_lenient_headers
llhttp_set_lenient_keep_alive
llhttp_set_lenient_optional_cr_before_lf
llhttp_set_lenient_optional_crlf_after_chunk
llhttp_set_lenient_optional_lf_after_cr
llhttp_set_lenient_spaces_after_chunk_size
llhttp_set_lenient_transfer_encoding
llhttp_set_lenient_version
llhttp_settings_init
llhttp_should_keep_alive
llhttp_status_name

Sections

.text
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 30KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 114KB - Virtual size: 114KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gehcont
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.textshe
Size: 720KB - Virtual size: 720KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 39KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

736916ec6d86908aba7a8811c053edd5

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shlwapi

ws2_32

crypt32

winmm

msvcrt

Exports

Exports

Sections

.text Size: 2.0MB - Virtual size: 2.0MB

.rdata Size: 1.3MB - Virtual size: 1.3MB

.data Size: 30KB - Virtual size: 40KB

.pdata Size: 114KB - Virtual size: 114KB

.gfids Size: 512B - Virtual size: 72B

.tls Size: 1KB - Virtual size: 1KB

.gehcont Size: 512B - Virtual size: 4B

.textshe Size: 720KB - Virtual size: 720KB

.reloc Size: 39KB - Virtual size: 39KB

.text
Size: 2.0MB - Virtual size: 2.0MB

.rdata
Size: 1.3MB - Virtual size: 1.3MB

.data
Size: 30KB - Virtual size: 40KB

.pdata
Size: 114KB - Virtual size: 114KB

.gfids
Size: 512B - Virtual size: 72B

.tls
Size: 1KB - Virtual size: 1KB

.gehcont
Size: 512B - Virtual size: 4B

.textshe
Size: 720KB - Virtual size: 720KB

.reloc
Size: 39KB - Virtual size: 39KB