2024-10-05_ac703de3a8ed3c1d77f4f3279765bb68_cobalt-strike_megazord_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-10-05_ac703de3a8ed3c1d77f4f3279765bb68_cobalt-strike_megazord_ryuk
Size

29.0MB
MD5

ac703de3a8ed3c1d77f4f3279765bb68
SHA1

359fdbe2d351e688ac7ca2d71b9af09150210db2
SHA256

ab4bf5c49d9456fb8d18e475b6aa68017dfd34be23905f999572edef816600d8
SHA512

159d82028f17b75843bcea9a8d1a9d4d78baffced79b199d2d76016aa3f1a612015093ec2f9c5dd5fec60a55b8105c9a04d680b2e477dc008b2df077153e9f27
SSDEEP

786432:o+AZe0JprDzKsOl9uj/NfgpXX9qNMTrhPrbCtR:XAZHrDGKj1wXXANEPqR

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-10-05_ac703de3a8ed3c1d77f4f3279765bb68_cobalt-strike_megazord_ryuk

Files

2024-10-05_ac703de3a8ed3c1d77f4f3279765bb68_cobalt-strike_megazord_ryuk
.exe windows:6 windows x64 arch:x64

1d294a89dfa5cccc79f25d6bb7b51ae4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

gamedriver.pdb

Imports

kernel32

AddVectoredExceptionHandler
CheckRemoteDebuggerPresent
CloseHandle
CompareStringOrdinal
CompareStringW
CreateDirectoryW
CreateFileW
CreateNamedPipeW
CreateProcessW
CreateThread
CreateWaitableTimerExW
DeleteCriticalSection
DeleteProcThreadAttributeList
DuplicateHandle
EnterCriticalSection
ExitProcess
FindClose
FindFirstFileExA
FindFirstFileW
FindNextFileA
FlushFileBuffers
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetComputerNameExW
GetConsoleCP
GetConsoleMode
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileType
GetFullPathNameW
GetLastError
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessIoCounters
GetProcessTimes
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDirectoryW
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemTimePreciseAsFileTime
GetSystemTimes
GetTickCount64
GetWindowsDirectoryW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSectionAndSpinCount
InitializeProcThreadAttributeList
InitializeSListHead
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
K32GetPerformanceInfo
LCMapStringW
LeaveCriticalSection
LoadLibraryExW
LocalFree
MultiByteToWideChar
OpenProcess
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadFileEx
ReadProcessMemory
RtlCaptureContext
RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind
SetEnvironmentVariableA
SetFileInformationByHandle
SetFilePointerEx
SetLastError
SetStdHandle
SetThreadExecutionState
SetThreadStackGuarantee
SetUnhandledExceptionFilter
SetWaitableTimer
Sleep
SleepEx
SwitchToThread
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
UpdateProcThreadAttribute
VirtualQueryEx
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFile
WriteFileEx

bcryptprimitives

ProcessPrng

api-ms-win-core-synch-l1-2-0

WaitOnAddress
WakeByAddressAll
WakeByAddressSingle

ntdll

NtQueryInformationProcess
NtQuerySystemInformation
NtWriteFile
RtlGetVersion
RtlNtStatusToDosError

advapi32

CopySid
GetLengthSid
GetTokenInformation
IsValidSid
OpenProcessToken
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
SystemFunction036

bcrypt

BCryptGenRandom

powrprof

CallNtPowerInformation

ole32

CoCreateInstance
CoInitializeEx
CoInitializeSecurity
CoSetProxyBlanket
PropVariantClear

shell32

CommandLineToArgvW
ShellExecuteExW

oleaut32

GetErrorInfo
SafeArrayAccessData
SafeArrayDestroy
SafeArrayUnaccessData
SysAllocStringLen
SysFreeString
SysStringLen
VariantClear

psapi

GetModuleFileNameExW

pdh

PdhAddEnglishCounterW
PdhCloseQuery
PdhCollectQueryData
PdhGetFormattedCounterValue
PdhOpenQueryA
PdhRemoveCounter

propsys

PropVariantToBSTR
VariantToPropVariant

Sections

.text
Size: 349KB - Virtual size: 349KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28.7MB - Virtual size: 28.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 128B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 161B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.voltbl
Size: 512B - Virtual size: 42B

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1d294a89dfa5cccc79f25d6bb7b51ae4

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

bcryptprimitives

api-ms-win-core-synch-l1-2-0

ntdll

advapi32

bcrypt

powrprof

ole32

shell32

oleaut32

psapi

pdh

propsys

Sections

.text Size: 349KB - Virtual size: 349KB

.rdata Size: 28.7MB - Virtual size: 28.7MB

.data Size: 2KB - Virtual size: 6KB

.pdata Size: 7KB - Virtual size: 6KB

.gfids Size: 512B - Virtual size: 128B

.tls Size: 512B - Virtual size: 161B

.voltbl Size: 512B - Virtual size: 42B

_RDATA Size: 512B - Virtual size: 244B

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 349KB - Virtual size: 349KB

.rdata
Size: 28.7MB - Virtual size: 28.7MB

.data
Size: 2KB - Virtual size: 6KB

.pdata
Size: 7KB - Virtual size: 6KB

.gfids
Size: 512B - Virtual size: 128B

.tls
Size: 512B - Virtual size: 161B

.voltbl
Size: 512B - Virtual size: 42B

_RDATA
Size: 512B - Virtual size: 244B

.reloc
Size: 2KB - Virtual size: 1KB