Extracted

Extracted

• • Target

    2024-11-06_9fc1a894f48c14ca703edb75b4b1d340_cobalt-strike_ryuk

  • Size

    2.4MB

  • MD5

    9fc1a894f48c14ca703edb75b4b1d340

  • SHA1

    64e7263f9c572e65d69eaab3f30c4dfb91cca87a

  • SHA256

    c7b6685f52c3b23d1bc350ab366bcf2acd94c9fe35f18cc3167df325e701ef64

  • SHA512

    36dd4871de58aa05c77a84fb6c5ab818cc36ade818fad3a3fbe10ccc161f095febfae6300ffcd6f433b19d6e9d7ad130d5654da9a32ad39b26b1f0a5629639fb

  • SSDEEP

    49152:By2cW23etDz1x5bhnUHiBRuiH28jbp5ccpnpuoijYT4Uf:pzV5RHVp5Jai

  Score

  10^/10

  phorphiexdiscoveryevasionexecutionloaderpersistencespywarestealertrojanworm

  • Modifies security service

    evasion

  • Phorphiex family

    phorphiex

  • Phorphiex payload

  • Phorphiex, Phorpiex

    Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Windows security bypass

    evasiontrojan

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence
  behavioral1behavioral2