Overview

overview

10

Static

static

3

2025-03-20...uk.exe

windows7-x64

10

2025-03-20...uk.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-03-20_89638b8691bbabd7b3ff93c64612c8fa_ryuk

  • Size

    139KB

  • Sample

    250320-b6q4catnt8

  • MD5

    89638b8691bbabd7b3ff93c64612c8fa

  • SHA1

    1301e3b4efe398c067e0696a3db41f962c7e4593

  • SHA256

    5d3d9b6382e76ef0385c275bff4cb58893befc6e5289e9023eace844ce87119f

  • SHA512

    125d57166c5f9a153f55c457142ae96ea258da10c1b3374059ef6d3b0868b3bfe6ff77b969f9d6b338eb7aff14634115a9a41940b504c3a0dc265388419cfcdd

  • SSDEEP

    3072:aiVBxBxlij/H9qU4j5rbZwpfHUSBMB/x8LMj4bfq:fVB1Yj/8vj5/iTM5x8wjyf

Score
10/10
ryukcredential_accessdiscoveryransomwarestealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'qAw3tyv'; $torlink = 'http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion

Targets

    • Target

      2025-03-20_89638b8691bbabd7b3ff93c64612c8fa_ryuk

    • Size

      139KB

    • MD5

      89638b8691bbabd7b3ff93c64612c8fa

    • SHA1

      1301e3b4efe398c067e0696a3db41f962c7e4593

    • SHA256

      5d3d9b6382e76ef0385c275bff4cb58893befc6e5289e9023eace844ce87119f

    • SHA512

      125d57166c5f9a153f55c457142ae96ea258da10c1b3374059ef6d3b0868b3bfe6ff77b969f9d6b338eb7aff14634115a9a41940b504c3a0dc265388419cfcdd

    • SSDEEP

      3072:aiVBxBxlij/H9qU4j5rbZwpfHUSBMB/x8LMj4bfq:fVB1Yj/8vj5/iTM5x8wjyf

    Score
    10/10
    ryukcredential_accessdiscoveryransomwarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (418) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks