2024-10-02_86c3170afbe92ed678a4adaeb1040c7c_qakbot_ryuk_sliver

Sharing

Copy URL Twitter E-mail

General

Target

2024-10-02_86c3170afbe92ed678a4adaeb1040c7c_qakbot_ryuk_sliver
Size

7.6MB
MD5

86c3170afbe92ed678a4adaeb1040c7c
SHA1

1827ad14d3c7e6775f9a38feb18628e8f9b1267b
SHA256

318b4af71dfd6766b48bf4e1082c3d30d90de1a519a926844c4f3fd18b0997d8
SHA512

dedcb737655ff94001638c6556c3327ccea00c611fbfae7a92cd03d856e934ad4a606ea8ecd58b91da26b4a79adf5d061e239ee23cedbac96089a9769b6dfae0
SSDEEP

196608:iLkIVLR72QUmOfbClUxjzX884wpZnL5n8I:LIVLR72QiTC+zX8c1z

Score

1^/10

Malware Config

Signatures

Files

2024-10-02_86c3170afbe92ed678a4adaeb1040c7c_qakbot_ryuk_sliver
.exe windows:6 windows x64 arch:x64

342e54bad768e293f1884196e0530884

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

02:d6:93:2f:72:12:c9:9e:a6:02:87:0e:63:e3:8e:32
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

27/04/2023, 00:00

Not After

14/05/2026, 23:59

Subject

CN=Veriato\, Inc.,O=Veriato\, Inc.,L=West Palm Beach,ST=Florida,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03/05/2023, 00:00

Not After

02/08/2034, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #4,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

26:b5:64:bc:1d:2b:5b:1b:66:e4:59:5c:5b:63:e9:f6:97:ed:4e:2a
Signer

Actual PE Digest

26:b5:64:bc:1d:2b:5b:1b:66:e4:59:5c:5b:63:e9:f6:97:ed:4e:2a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

ClientService64.pdb

Imports

iphlpapi

GetTcp6Table2
GetTcpTable2

netapi32

DsRoleFreeMemory
DsRoleGetPrimaryDomainInformation

secur32

GetUserNameExA

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationW
WTSQueryUserToken
WTSEnumerateSessionsW

advapi32

CryptSignHashW
CryptDestroyHash
CryptAcquireContextW
CryptReleaseContext
CryptCreateHash
RegEnumValueA
CryptDecrypt
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
OpenProcessToken
CreateProcessAsUserA
AdjustTokenPrivileges
DuplicateTokenEx
ImpersonateLoggedOnUser
RevertToSelf
SetFileSecurityA
ConvertStringSecurityDescriptorToSecurityDescriptorA
LookupAccountSidW
GetSecurityDescriptorSacl
RegisterServiceCtrlHandlerExW
SetServiceStatus
StartServiceCtrlDispatcherW
SetNamedSecurityInfoA
LookupPrivilegeValueW
RegEnumKeyExA
RegCloseKey
RegQueryValueExW
RegEnumValueW
RegDeleteValueW
RegGetValueW
RegOpenKeyExW
RegSetValueExW
RegSetKeySecurity
RegEnumKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegGetKeySecurity
SetEntriesInAclW
SetSecurityDescriptorGroup
MakeSelfRelativeSD
GetSecurityDescriptorLength
InitializeSecurityDescriptor
FreeSid
IsValidSecurityDescriptor
SetSecurityDescriptorSacl
GetSecurityDescriptorControl
AllocateAndInitializeSid
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
RegDeleteValueA
LookupAccountNameW
ConvertSidToStringSidW
CryptEnumProvidersW
RegDeleteKeyA
RegCreateKeyExA
CloseServiceHandle
QueryServiceStatusEx
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
ControlService
DeleteService
ChangeServiceConfig2W
OpenSCManagerW
CreateServiceW
CryptExportKey
CryptGetUserKey
GetUserNameA
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
ReportEventW
RegisterEventSourceW
DeregisterEventSource
CryptGenRandom

shlwapi

PathCombineW
PathFileExistsA

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

ws2_32

getaddrinfo
inet_addr
WSAPoll
WSASendTo
WSARecvFrom
socket
sendto
send
recvfrom
recv
freeaddrinfo
WSAAddressToStringW
WSASocketW
WSASend
WSARecv
WSASetLastError
shutdown
setsockopt
ntohs
ntohl
listen
htons
htonl
getsockopt
getsockname
getpeername
ioctlsocket
closesocket
bind
WSACleanup
WSAStartup
gethostname
gethostbyname
connect
accept
inet_ntoa
WSAGetLastError

dbghelp

MiniDumpWriteDump

kernel32

CloseHandle
DeviceIoControl
InitializeCriticalSection
DeleteCriticalSection
SetEvent
WaitForSingleObject
CreateEventW
WaitForMultipleObjects
VerSetConditionMask
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
SleepEx
SetWaitableTimer
CreateWaitableTimerW
QueueUserAPC
TerminateThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
ProcessIdToSessionId
GetModuleHandleA
GetProcAddress
LocalFree
FormatMessageA
VerifyVersionInfoW
WideCharToMultiByte
GetCurrentProcess
TerminateProcess
GetExitCodeProcess
OpenProcess
GetTickCount64
Process32NextW
Sleep
DeleteFileA
FindClose
FindFirstFileA
FindNextFileA
RemoveDirectoryA
GetTempFileNameA
MoveFileExA
GetLocalTime
DecodePointer
RaiseException
HeapDestroy
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
GetProcessHeap
InitializeCriticalSectionEx
lstrcmpiW
GetComputerNameA
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
MoveFileA
CreateToolhelp32Snapshot
Process32FirstW
GetCurrentProcessId
LoadLibraryExA
LoadResource
LockResource
FindResourceW
SizeofResource
GetSystemWow64DirectoryW
GetStdHandle
DuplicateHandle
CreateFileA
GetStartupInfoW
GetConsoleWindow
ReadFile
WriteFile
CreatePipe
GetCurrentDirectoryW
GetTempPathW
GetSystemTimeAsFileTime
FormatMessageW
CreateDirectoryW
CreateFileW
DeleteFileW
GetFileAttributesW
GetFileAttributesExW
SetEndOfFile
SetFilePointer
SetFileTime
MoveFileExW
GetSystemInfo
GetVersionExW
ResetEvent
ReleaseMutex
CreateMutexW
TryEnterCriticalSection
MultiByteToWideChar
GetCurrentThreadId
SetNamedPipeHandleState
WaitNamedPipeW
FlushFileBuffers
GetProcessId
SetFilePointerEx
LocalAlloc
CancelWaitableTimer
GetModuleFileNameW
GetModuleHandleW
CopyFileA
MoveFileW
GetFileTime
CreateNamedPipeW
DisconnectNamedPipe
GetOverlappedResult
ConnectNamedPipe
FreeLibrary
ResumeThread
GetTimeZoneInformation
GetFileSize
OutputDebugStringA
HeapCreate
GetWindowsDirectoryA
lstrlenA
GetSystemDirectoryA
GetModuleFileNameA
LoadLibraryA
ExpandEnvironmentStringsA
GetDriveTypeA
MapViewOfFile
UnmapViewOfFile
GetSystemWow64DirectoryA
CreateFileMappingA
GetACP
GetTickCount
QueryPerformanceCounter
CreateFileMappingW
GetSystemTime
SystemTimeToFileTime
LockFileEx
UnlockFile
HeapCompact
LoadLibraryW
WaitForSingleObjectEx
FlushViewOfFile
OutputDebugStringW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapValidate
UnlockFileEx
GetFullPathNameA
LockFile
GetDiskFreeSpaceW
GetFullPathNameW
AreFileApisANSI
SetFileAttributesA
GetThreadPriority
CreateProcessA
GetNativeSystemInfo
SetUnhandledExceptionFilter
GetFileInformationByHandle
GetDriveTypeW
SetConsoleCtrlHandler
GetModuleHandleExW
ExitThread
RtlUnwindEx
RtlPcToFileHeader
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
ReleaseSemaphore
VirtualProtect
VirtualFree
VirtualAlloc
LoadLibraryExW
FreeLibraryAndExitThread
GetThreadTimes
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
SetThreadPriority
CreateThread
SwitchToThread
SignalObjectAndWait
CreateTimerQueue
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetStringTypeW
GetLocaleInfoW
LCMapStringW
CompareStringW
GetCPInfo
EncodePointer
QueryPerformanceFrequency
GetExitCodeThread
GetCurrentThread
GetComputerNameW
GetComputerNameExW
SetLastError
GetLastError
GetFileType
PeekNamedPipe
ExitProcess
GetCommandLineA
GetCommandLineW
GetDateFormatW
GetTimeFormatW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetConsoleCP
GetConsoleMode
ReadConsoleW
SetStdHandle
FindFirstFileExA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
WriteConsoleW
GlobalMemoryStatus
FlushConsoleInputBuffer
ReadConsoleInputA
SetConsoleMode
CreateProcessW

user32

MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
wsprintfA
LoadStringA
GetForegroundWindow
wsprintfW
GetKeyNameTextA
EnumDisplaySettingsA
GetKeyboardLayout
MapVirtualKeyA
SetCursor
MapVirtualKeyExA

shell32

CommandLineToArgvW
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHGetFolderPathA
SHGetMalloc

ole32

CoInitialize
CoUninitialize
CoCreateInstance

oleaut32

VariantClear
VariantInit
SysAllocString
SysAllocStringLen
SysFreeString

mswsock

GetAcceptExSockaddrs
AcceptEx

urlmon

CreateUri

crypt32

CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CertGetCertificateContextProperty

Sections

.text
Size: 4.2MB - Virtual size: 4.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 365KB - Virtual size: 421KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 234KB - Virtual size: 233KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

342e54bad768e293f1884196e0530884

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

02:d6:93:2f:72:12:c9:9e:a6:02:87:0e:63:e3:8e:32Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4Certificate

Extended Key Usages

Key Usages

26:b5:64:bc:1d:2b:5b:1b:66:e4:59:5c:5b:63:e9:f6:97:ed:4e:2aSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

iphlpapi

netapi32

secur32

wtsapi32

advapi32

shlwapi

version

ws2_32

dbghelp

kernel32

user32

shell32

ole32

oleaut32

mswsock

urlmon

crypt32

Sections

.text Size: 4.2MB - Virtual size: 4.2MB

.rdata Size: 1.7MB - Virtual size: 1.7MB

.data Size: 365KB - Virtual size: 421KB

.pdata Size: 234KB - Virtual size: 233KB

.gfids Size: 3KB - Virtual size: 2KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 1.1MB - Virtual size: 1.1MB

.reloc Size: 41KB - Virtual size: 41KB

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

02:d6:93:2f:72:12:c9:9e:a6:02:87:0e:63:e3:8e:32
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

26:b5:64:bc:1d:2b:5b:1b:66:e4:59:5c:5b:63:e9:f6:97:ed:4e:2a
Signer

.text
Size: 4.2MB - Virtual size: 4.2MB

.rdata
Size: 1.7MB - Virtual size: 1.7MB

.data
Size: 365KB - Virtual size: 421KB

.pdata
Size: 234KB - Virtual size: 233KB

.gfids
Size: 3KB - Virtual size: 2KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 1.1MB - Virtual size: 1.1MB

.reloc
Size: 41KB - Virtual size: 41KB