2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk

Sharing

Copy URL

Twitter E-mail

General

Target

2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk
Size

2.1MB
MD5

ca22db896e169195523be246ee685e4d
SHA1

c7f399c2314dbd81da4a6ce5ec7875181bad7e5f
SHA256

9106395ddc362fe7b169d97eb7266c85e91b9d1c1934e27e2ea06ac8fa947e2d
SHA512

180b91fd83c496dd4f63a1b60e07daea50fa84b5ca56ff1b4848c45603870fa70ba6d32458a24a3d03a1120ee0e72013a703a941ea2723b8270f76cf3b4323ce
SSDEEP

24576:TxSXu0frXd2agL9T+YEt5RFgbBbx97z7fIoggWD:TxSe0zXUagBTpEHRqbBvz7Rg

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk

Files

2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk
.exe windows:5 windows x64 arch:x64

a1499e4b2dc29e8417d8c0cd1824fa91

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

G:\se15_122\src\out\Release\initialexe\360chromex.exe.pdb

Imports

kernel32

AcquireSRWLockExclusive
AssignProcessToJobObject
CancelWaitableTimer
CloseHandle
CompareStringW
CopyFileW
CreateDirectoryW
CreateEventW
CreateFileA
CreateFileMappingW
CreateFileW
CreateIoCompletionPort
CreateJobObjectW
CreateMutexW
CreateProcessW
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
CreateWaitableTimerW
DebugBreak
DecodePointer
DeleteCriticalSection
DeleteFileW
DeleteProcThreadAttributeList
DeviceIoControl
DuplicateHandle
EncodePointer
EnterCriticalSection
EnumSystemLocalesEx
EnumSystemLocalesW
ExitProcess
ExitThread
ExpandEnvironmentStringsW
FindClose
FindFirstFileExW
FindNextFileW
FindResourceW
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FlushInstructionCache
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
FreeLibraryAndExitThread
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetConsoleMode
GetConsoleOutputCP
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentProcessorNumber
GetCurrentThread
GetCurrentThreadId
GetDateFormatW
GetDiskFreeSpaceExW
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesExW
GetFileAttributesW
GetFileSize
GetFileSizeEx
GetFileType
GetFullPathNameW
GetLastError
GetLocalTime
GetLocaleInfoW
GetLogicalProcessorInformation
GetLongPathNameW
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetNativeSystemInfo
GetOEMCP
GetPrivateProfileIntW
GetProcAddress
GetProcessHandleCount
GetProcessHeap
GetProcessHeaps
GetProcessId
GetProductInfo
GetQueuedCompletionStatus
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDirectoryW
GetSystemInfo
GetSystemTimeAsFileTime
GetTempFileNameW
GetTempPathW
GetThreadContext
GetThreadId
GetThreadPriority
GetTickCount
GetTimeFormatW
GetTimeZoneInformation
GetUserDefaultLCID
GetUserDefaultLangID
GetUserDefaultLocaleName
GetVersionExW
GetWindowsDirectoryW
GlobalMemoryStatusEx
HeapAlloc
HeapDestroy
HeapFree
HeapLock
HeapReAlloc
HeapSetInformation
HeapSize
HeapUnlock
HeapWalk
InitOnceExecuteOnce
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
InitializeProcThreadAttributeList
InitializeSListHead
IsBadReadPtr
IsBadWritePtr
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
IsValidLocale
IsWow64Process
K32GetModuleInformation
K32GetProcessImageFileNameW
K32QueryWorkingSetEx
LCMapStringW
LeaveCriticalSection
LoadLibraryExA
LoadLibraryExW
LoadLibraryW
LoadResource
LocalFileTimeToFileTime
LocalFree
LockResource
MapViewOfFile
MultiByteToWideChar
OpenProcess
OpenThread
OutputDebugStringW
PostQueuedCompletionStatus
Process32FirstW
Process32NextW
ProcessIdToSessionId
QueryDosDeviceW
QueryInformationJobObject
QueryPerformanceCounter
QueryPerformanceFrequency
QueryThreadCycleTime
RaiseException
ReadConsoleW
ReadFile
ReadProcessMemory
RegisterWaitForSingleObject
ReleaseMutex
ReleaseSRWLockExclusive
ReplaceFileW
ResetEvent
ResumeThread
RtlCaptureContext
RtlCaptureStackBackTrace
RtlLookupFunctionEntry
RtlPcToFileHeader
RtlUnwind
RtlUnwindEx
RtlVirtualUnwind
SetCurrentDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetEvent
SetFileAttributesW
SetFilePointer
SetFilePointerEx
SetFileTime
SetHandleInformation
SetInformationJobObject
SetLastError
SetProcessShutdownParameters
SetStdHandle
SetThreadAffinityMask
SetThreadContext
SetThreadPriority
SetUnhandledExceptionFilter
SetWaitableTimer
SizeofResource
Sleep
SleepConditionVariableSRW
SuspendThread
SystemTimeToFileTime
TerminateJobObject
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryAcquireSRWLockExclusive
UnhandledExceptionFilter
UnmapViewOfFile
UnregisterWait
UnregisterWaitEx
UpdateProcThreadAttribute
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualProtectEx
VirtualQuery
WTSGetActiveConsoleSessionId
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectEx
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteConsoleW
WriteFile
WritePrivateProfileStringW
WriteProcessMemory
lstrcmpA
lstrcmpiA
lstrlenA

ole32

CoCreateInstance
CoTaskMemFree

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

ntdll

NtDeleteKey
RtlInitUnicodeString

netapi32

Netbios

winmm

timeGetTime

Exports

Exports

GetHandleVerifier
GetPakFileHashes
IsSandboxedProcess
get_launch_failed
get_start

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 224KB - Virtual size: 223KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 60KB - Virtual size: 498KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gxfg
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.retplne
Size: 512B - Virtual size: 172B

.tls
Size: 1024B - Virtual size: 522B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

malloc_h
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 582KB - Virtual size: 581KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.zero
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a1499e4b2dc29e8417d8c0cd1824fa91

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

ole32

version

ntdll

netapi32

winmm

Exports

Exports

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 224KB - Virtual size: 223KB

.data Size: 60KB - Virtual size: 498KB

.pdata Size: 41KB - Virtual size: 41KB

.detourc Size: 8KB - Virtual size: 8KB

.gxfg Size: 12KB - Virtual size: 12KB

.retplne Size: 512B - Virtual size: 172B

.tls Size: 1024B - Virtual size: 522B

_RDATA Size: 512B - Virtual size: 348B

malloc_h Size: 1KB - Virtual size: 1KB

.rsrc Size: 582KB - Virtual size: 581KB

.reloc Size: 7KB - Virtual size: 7KB

.zero Size: 8KB - Virtual size: 4KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 224KB - Virtual size: 223KB

.data
Size: 60KB - Virtual size: 498KB

.pdata
Size: 41KB - Virtual size: 41KB

.detourc
Size: 8KB - Virtual size: 8KB

.gxfg
Size: 12KB - Virtual size: 12KB

.retplne
Size: 512B - Virtual size: 172B

.tls
Size: 1024B - Virtual size: 522B

_RDATA
Size: 512B - Virtual size: 348B

malloc_h
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 582KB - Virtual size: 581KB

.reloc
Size: 7KB - Virtual size: 7KB

.zero
Size: 8KB - Virtual size: 4KB