- First seen: September 2022
- Aliases:
- Samples:
- 595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9 | windows | ransom | pe
- b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c | linux | ransom | elf
| Property | Value |
|---|---|
| Size | 2235392 bytes |
| CRC32 | 0xcad7f0d0 |
| MD5 | c46070b5e113a7f5d9a58de14a11e430 |
| SHA1 | 5007943bec2cf5310cfe8b8c49d6f55f79ad0e4c |
| SHA256 | 595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9 |
| SHA512 | e77a2bbc22974f79f30f6673adaf78c8818d674532ef1cff4d61514ecb3d1aec0459d76c05595d1c650624bf25d4e4f06ee14841b5c2b1c5a20a27e4861ae818 |
| Ssdeep | 24576:R+KpPzIzkQoU6TPF8mkoSW12GR7qMA6v0Xwq8UcNV++e/i5dv9jOlRJYzyiMAIQB:Bq9LmKKe36MmYJPAvIPtHzHlh4UC4qki |
| Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
| Packer | PE: compiler: Microsoft Visual C/C++(-)[-] PE: linker: Microsoft Linker(14.33**)[EXE32] |
| TrID | 32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13) |
+ Avast: clean
- Avira: TR/Ransom.ceukp
- Bitdefender: Gen:Variant.Ransom.Royal.6
- Clamav: Win.Ransomware.Royal-9980434-0
+ Comodo: clean
- Drweb: Trojan.Encoder.37038
- Eset: Win32/Filecoder.Royal.A
- Fsecure: Trojan.TR/Ransom.ceukp
- Kaspersky: HEUR:Trojan-Ransom.Win32.Generic
+ Mcafee: clean
+ Sophos: clean
- Symantec: Trojan Horse
+ Trendmicro: clean
- Windefender: Trojan:Win32/RoyalRansom!ic
| Property | Value |
|---|---|
| Size | 2558055 bytes |
| CRC32 | 0x4f280c12 |
| MD5 | 2902e12f00a185471b619233ee8631f3 |
| SHA1 | 7e7f666a6839abe1b2cc76176516f54e46a2d453 |
| SHA256 | b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c |
| SHA512 | 0060f2e8b9ffe7c813a76597a76d899c2159318aacaff32f3b364801893573cb3c32c39d68cdde2c200a985dbad5944a52eefb3c3c5cae1690ccd465184a19d7 |
| Ssdeep | 49152:2bZPXEinhLENX/bX40MA4sDM9RIfiv2eZRBqnlptIU6iQnkgWbwL/KIRpvg9Suj:4KinhLEBo0MA4sDoIqv2eZOnlw+QnHp8 |
| Magic | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=bfc741433da42051ea6eaa8e946ab79463608ed2, not stripped |
| Packer | ELF64: library: GLIBC(2.7)[executable AMD64-64] ELF64: compiler: gcc(3.X)[executable AMD64-64] |
| TrID | 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1) |
+ Avast: clean
- Avira: Linux/Encoder.ttggl
- Bitdefender: Trojan.Linux.RoyalRansom.A
- Clamav: Multios.Ransomware.Royal-10002044-1
+ Comodo: clean
- Drweb: Linux.Encoder.314
- Eset: Linux/Filecoder.Royal.A
- Fsecure: Malware.LINUX/Encoder.ttggl
- Kaspersky: HEUR:Trojan-Ransom.Linux.Royal.a
+ Mcafee: clean
+ Sophos: clean
- Symantec: Ransom.Royal
+ Trendmicro: clean
- Windefender: Ransom:Linux/Royal.A!MTB
- https://unit42.paloaltonetworks.com/royal-ransomware/
- https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html
- https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive
- https://socradar.io/dark-web-profile-royal-ransomware/