ryuk

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748
Size

7.8MB
Sample

241225-d74ryawqfw
MD5

4a9819c2f6c56a1275165c507a00c6e5
SHA1

5f1ef638e5d1d90c77d00f7a2e10757d90667e98
SHA256

59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748
SHA512

e8e0a2eee2e4ad464687717a2aa67b2dcd3708da7307f8ed4382f9a72502ad5c98dc329aa1aa60ca6232bb35e9ba2245ea53de280488fe87829d84b7ca83bf5a
SSDEEP

196608:tk0ZvI6FNtoYRmqKSAEu8Dmf/aUR8BeOmR1RzfYmIxDa6yaDZu:tk2w66YIqTd4sDjE

Score

10^/10

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'JZwuk732'; $torlink = 'http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'RCCF8gd'; $torlink = 'http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'nO49CJnf9vO'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'oqsuyezb'; $torlink = 'http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TyorjXA0'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'NJ5BUX47E'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'CRAny5Nq'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '5PcRSFW'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'J5U8YdUCr'; $torlink = 'http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion

Targets

- Target
  
  0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702
- Size
  
  208KB
- MD5
  
  aa5abadf25aa3f30c1c83c5d43a7ee8f
- SHA1
  
  ff50650068de776d2c0a8962cbccd7ffc431327a
- SHA256
  
  0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702
- SHA512
  
  033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb
- SSDEEP
  
  3072:PKNg7ImkKWV/B6LXWhL7UHwT5aOff+2l7Fpxt9PJ30YoV4MQQbz4kB:SN8WBB6LXWhLLT5tf+2PpZo2m4q
Score

10^/10

ryuk credential_access discovery ransomware stealer spyware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (8181) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral1 behavioral2
- Target
  
  0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892
- Size
  
  124KB
- MD5
  
  b16db2ad22dfe39c289f9ebd9ef4c493
- SHA1
  
  23ccb60927905eb9be2a9ee4230ebac0836b611c
- SHA256
  
  0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892
- SHA512
  
  5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1
- SSDEEP
  
  1536:Oe3QTh4VRf+T+c/7pFqkogzZ+QKfLzP1QLorq3caR09dA77hQHfsWdSLcdc/Zwi6:Q9yjSzZ+QKfLztQLomsktUlcx
Score

10^/10

ryuk credential_access discovery ransomware stealer spyware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (8077) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral3 behavioral4
- Target
  
  0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591
- Size
  
  468KB
- MD5
  
  9296a9b81bfe119bd786a6f5a8ad43ad
- SHA1
  
  581cf7c453358cd94ceed70088470c32a7307c8e
- SHA256
  
  0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591
- SHA512
  
  64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1
- SSDEEP
  
  6144:TDsDjEwQj9kQGxBOfJWgqimbqMS4oXVqhTA4G2PGYWAl/uSp:cDEj9kQG6JNfmMJqWDIl//p
Score

10^/10

ryuk discovery ransomware credential_access stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (1099) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
behavioral5 behavioral6
- Target
  
  150e8ef3f1b0d5b5b2af2ffc8d540cb0e36ecdcaf5001bab2f318e36a3c25302
- Size
  
  261KB
- MD5
  
  4de76198ea4488eae192d0ca4e4bd66b
- SHA1
  
  5ac5585b13ea356969b168b86df12053a6de4ee2
- SHA256
  
  150e8ef3f1b0d5b5b2af2ffc8d540cb0e36ecdcaf5001bab2f318e36a3c25302
- SHA512
  
  db6c2ebbd9d01ebf8af3e68ef8e938c7b6da2c0eef5fc22f63fe69665c56ec19c2d241558984e03afb116b98a4e7dc2b0f4aa8dadd90f44caf3f72ae5f2ee52f
- SSDEEP
  
  6144:+yNu/ItUREJ/KKNbS8wf7wmphBgl3gMT6nRx1ASqm:+WlJC6Csm5gRTD
Score

7^/10
- Drops startup file
behavioral7 behavioral8
- Target
  
  23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f
- Size
  
  121KB
- MD5
  
  7364f6222ac58896e8920f32e4d30aac
- SHA1
  
  915fd6fb4e20909025f876f3bb453ec52e21b7be
- SHA256
  
  23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f
- SHA512
  
  f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026
- SSDEEP
  
  3072:BXJu7BIjMhO2mKWmHgeBsVEu2w9+RXdd:BX6B7WmHdp
Score

10^/10

ryuk credential_access discovery ransomware spyware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (6868) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral10 behavioral9
- Target
  
  28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33
- Size
  
  321KB
- MD5
  
  04ba14a9828b000add142d0bcb42ac2d
- SHA1
  
  928a705a481384dee3aa9985bb2a9e1e6827902f
- SHA256
  
  28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33
- SHA512
  
  2fc56d6fdf360c0435f76822f3d99288c3b31462931eb128c7ed895bf93d88b00663801c1a5394b1ae5bb081ac76b004deaf46fdf2b0b9c027b2945a7c030909
- SSDEEP
  
  6144:ba4FsUiep6JzvI74kZO/+SJtwOW8HFBwK3SBDmhYfFQ:ba4Fs/7IfO/+SJFW8HF+KCIG
Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer vmprotect
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral11 behavioral12
- Target
  
  350b0d6ae25e81c8394b119f4d569c083df8d17e6241d8efed0858cf91c745d7
- Size
  
  353KB
- MD5
  
  2d438f5ca86f9813dd17346c8865bd4d
- SHA1
  
  65b2e9be5770e294bed07fa9b5ecfdadb94203c3
- SHA256
  
  350b0d6ae25e81c8394b119f4d569c083df8d17e6241d8efed0858cf91c745d7
- SHA512
  
  dd979e28370fbb5606cdcd14c0ded0be1a8e6cbd98d8ae57d4e1c97ef47e0b2387462b66914cf600d3a93dfdb794addc4b29d7ff40948a761a968d3527e4db3c
- SSDEEP
  
  6144:OxN7NO77pzXFZ2m9TqbwWMIyBkq+OF3B:ON7U777Zwb7MIyW4j
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca
- Size
  
  200KB
- MD5
  
  ad3a5956dc4e8fd6a62671a6204d11b9
- SHA1
  
  aac34bd5c2f8e63dca20034f24384c2ce1d641b5
- SHA256
  
  3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca
- SHA512
  
  23edec2ddc72277efca922dc7c66fef2220d0ad3709b277c236bd883214e423143a947ff48ec2a8b57b1835b715a06b39b7d1c2a423e62dc4166ad5097742f13
- SSDEEP
  
  3072:URQTlkAsGqrezGACPTPr74tOGOq+z3M1EgimoiY6RRerR5GyK231/Bdz:JTlEG9SAWTPr5zgimoiPRRe9HH
Score

10^/10

ryuk credential_access discovery ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (337) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral15 behavioral16
- Target
  
  3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f
- Size
  
  279KB
- MD5
  
  5df4ac6e94ae7e9f9eb28d8f7f464946
- SHA1
  
  79f222f94fa265896c5e4578b91ed4ebc100058d
- SHA256
  
  3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f
- SHA512
  
  18826a1cb94e73402c279607d1348ba532966fe3223cbeec9cfb534ab425966fadeb001bc80518411b2f8c8d884b2936779950fbc0c5f48dfc01d33e766f749a
- SSDEEP
  
  6144:IS1cGDFCQuthKvzggi4quAM8QRofVjjdQxpBkAI5rZ/OuHqxwbmmjO8Sw6Z/rqS8:71cGlutwSuAM8QRC6pBAZmo9sZ/rhgt
Score

10^/10

ryuk credential_access dave discovery ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (1569) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Dave packer
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  dave
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
behavioral17 behavioral18
- Target
  
  41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700
- Size
  
  544KB
- MD5
  
  526fa2ecb5f8fee6aec4b5d7713d909a
- SHA1
  
  51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a
- SHA256
  
  41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700
- SHA512
  
  f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4
- SSDEEP
  
  6144:0foeu9rlMfTOC5TGdQJEMpc35IA0dOYiUeinhn6:0fdsUCiYQJxc3YiUeinhn6
Score

10^/10

ryuk credential_access discovery ransomware stealer spyware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (6473) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral19 behavioral20
- Target
  
  48f4749f13582fea3e9bcc6775cce82c3c6391d2d58acd98b99d1e6acc810277
- Size
  
  353KB
- MD5
  
  c1da8e9bc9dcf68ed2e281049e11740d
- SHA1
  
  25e8fe884ca927e91142dacaaf92fcb544da0058
- SHA256
  
  48f4749f13582fea3e9bcc6775cce82c3c6391d2d58acd98b99d1e6acc810277
- SHA512
  
  68ed339320ae064f4245e68f14bc16275766d730c780392150755db474344582d405dd58ba5f5fde18b3057bc61f453fad6df78996934de48873c0ca2d4481af
- SSDEEP
  
  6144:fxN7Na77pLQFP2D97RrwWMIMq2Bt8GuSeBt:JN7w77yPcr7MIlcJuD
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  499d936c223743c3d2a40c3b7b1f974cedb98951f846b163d0f17d2d38ffc282
- Size
  
  116KB
- MD5
  
  be0626010b7f7f47f7416dcac841edb5
- SHA1
  
  d377e8211ae7a5249758402a170362164f1d8498
- SHA256
  
  499d936c223743c3d2a40c3b7b1f974cedb98951f846b163d0f17d2d38ffc282
- SHA512
  
  fe9091bc9fbe089ca541213ce6f33167832d4c18aa5713da8ff77266245ad3741d4cd3341b87156949f2b2e9c344090eb6f5ea36149a23ed4989467766c0b50a
- SSDEEP
  
  1536:wI6gch0tsfgWTaPyWvSUgqyx4mYcX/jsLHcaPql4HqhBmQSsWZcdHC91/ISeCh:rbsROAeyx4m5PjI8GpqhBmEHMV5
Score

10^/10

ryuk credential_access discovery ransomware stealer spyware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (3756) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral23 behavioral24
- Target
  
  4b5a6926ab9b487fca2d33ba00b4e25f731bc52a3222a6ef3141b8703c1e2cd1
- Size
  
  253KB
- MD5
  
  d57bb1c7e710dbae2444505a2127f6ac
- SHA1
  
  26b98cf0f844ebf5ca0ff2d8f9c572a90c8e9c1a
- SHA256
  
  4b5a6926ab9b487fca2d33ba00b4e25f731bc52a3222a6ef3141b8703c1e2cd1
- SHA512
  
  ccf3520d9634755a9e270fde3267776f0fcfa0f73a26a951439f2e7ade52a73b5c20207bf270e18fdf9042033cf45cc3de1842fe3a4529232a36f1b665753766
- SSDEEP
  
  3072:4b4qQtwbOfZ7QC2mCdDWHiGe42Ayn6R0tIawjLLFSjuqdAg0Fujo+sjmsOCPmGRD:4s5eOfy6yyv3jCAOa3dRUI
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581
- Size
  
  143KB
- MD5
  
  b77cc8a1ede23a80a4a4c9d0a8b40735
- SHA1
  
  254c97abab837687c779b57c7ef1bec4c1e2351a
- SHA256
  
  4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581
- SHA512
  
  f94546161808210ada027d03465f88336de4f2d24581801566f7ff17a9641b389c43946a98275ed637759a0205b8d09f9028d26bb75ab44e3f7038c5b4667ffd
- SSDEEP
  
  3072:dgKsEF7Wf33SdvlRmhYHP+CPt1OOxkgQe:WBwK3SBDmhYfFQe
Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral27 behavioral28
- Target
  
  5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed
- Size
  
  140KB
- MD5
  
  75a3cf8ced873ee7bc415e27e108496b
- SHA1
  
  ac94165d63c75f4adf1728aa2ecb776ac7c1c18e
- SHA256
  
  5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed
- SHA512
  
  7c3e166ff75ad32f70bfb355167333be4f9bc5b5740a231b4a1fb5c391bd8e137ebea6a3ba5370797f016cbdb83631bb5e459e0bc64beb3246ed9605b3bdb903
- SSDEEP
  
  1536:HhwpMRUR8gpO3fM/CvmHWvW7l4y0RPG4UnmPqAibDe7bvjk/J0LcJQ6f8EPhQmGD:ZZi++b0Hb6bDIbvjkmwRPhuHmrOB
Score

10^/10

ryuk discovery ransomware credential_access spyware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (86) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral29 behavioral30
- Target
  
  5e2b2fe65df310fe6c81acb628701c1847e772f7cf49aaa486e298a86ae85620
- Size
  
  170KB
- MD5
  
  209e3cc5afd55350bf92c13c2e38e49f
- SHA1
  
  57219932cfc98a94179337ea9aa82d9fcf2cbcd2
- SHA256
  
  5e2b2fe65df310fe6c81acb628701c1847e772f7cf49aaa486e298a86ae85620
- SHA512
  
  142135a9623cfd47d3ff85a90ac836cf18805a81dd382e7841a0980cca65ae3175c5e261720c06f6dd159988b594f4d52eb3c2d26529eea39651702b45ca00cd
- SSDEEP
  
  1536:rThgbefUOjxB/lwSorJD5DfcA1b5n304/8WGXsvgfx7zLIfk:vqiftL/WSo1xDb531/8WGXsCx3LI8
Score

1^/10
behavioral31 behavioral32