ryuk | 700df345dae5267e41e774f1e4e45b2a2addb0d4d50a59815e2a34ec589fb33d | Triage

Submit
Reports

Overview

overview

Static

static

1

bad_boi.exe

windows7-x64

bad_boi.exe

windows10-ltsc 2021-x64

3

Sharing

General

Target

201001-ht2j1d6c1s_pw_infected.zip
Size

267KB
Sample

250128-xgcejsxrc1
MD5

1a9c08ef4bc6f92bc7cd412b5a1ba7f2
SHA1

8deccbc4fa45a2fb409897623aa8181123025a3b
SHA256

700df345dae5267e41e774f1e4e45b2a2addb0d4d50a59815e2a34ec589fb33d
SHA512

7db8d92ccdf8706ff2807a62e205bd17c876eb97d15b8121e07e0a657f29679c46459c6f188db6d0a8a7c3ed77e4e708bb08081250389a81de7efab2393b335b
SSDEEP

6144:K/YazAO7cSSU/a7WSfcnISTFPByuGG7ocjsT8v3atFV47QXLzUqa:K/TzzGU/aiSfcIST9B7ocj/v3aa5

Score

10^/10

ryuk credential_access dave discovery ransomware stealer

Static task

static1

Behavioral task

behavioral1

Sample

bad_boi.exe

Resource

win7-20241023-es

ryuk credential_access dave discovery ransomware stealer

windows7-x64

22 signatures

300 seconds

Behavioral task

behavioral2

Sample

bad_boi.exe

Resource

win10ltsc2021-20250128-es

windows10-ltsc 2021-x64

9 signatures

300 seconds

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  bad_boi.exe
- Size
  
  376KB
- MD5
  
  7d3f19b760cb1958a2c4d9ca7492c406
- SHA1
  
  c3fa91438850c88c81c0712204a273e382d8fa7b
- SHA256
  
  f8bc1638ec3b04412f708233e8586e1d91f18f6715d68cba1a491d4a7f457da0
- SHA512
  
  64d14a7a3866c76d45bea7bee19d40f63241c777d8d259a8a79279cac51396fe9469f28fc68eaa8ab688af13a47c4c5af0d62005d93a4649f81e411b8f2eae91
- SSDEEP
  
  6144:jwHqh+1uu3RVmPY55eExdAev5wuSiRqAO1iNgLTBs4LhVJqRcelLQMo8:P+1uu3RVmPYaad5wuSiRqLNeRcZMo8
Score

10^/10

ryuk credential_access dave discovery ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (8298) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Dave packer
  Detects executable using a packer named 'Dave' by the community, based on a string at the end.
  dave
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Credentials from Password Stores

Windows Credential Manager

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ryukcredential_accessdavediscoveryransomwarestealer

behavioral2

© 2018-2025

Terms | Privacy