MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1eef5d3f564b8768d3356319fb4bd081b961bfb2fd7fefce3f4dadc80ef534d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cerber

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	1eef5d3f564b8768d3356319fb4bd081b961bfb2fd7fefce3f4dadc80ef534d4
SHA3-384 hash:	a367f9533e1be43b07b7569fbcceb810a5c58ca45c3e2fc4c672770cd1e26a84f54ffa099760d79de6e9949ab94dd2af
SHA1 hash:	928ed756321f9fedb5c013f0d9a64ffc234fa620
MD5 hash:	fe3e59ba0fd4cfa9438a2d95a629d4a5
humanhash:	idaho-louisiana-lamp-aspen
File name:	1eef5d3f564b8768d3356319fb4bd081b961bfb2fd7fefce3f4dadc80ef534d4
Download:	download sample
Signature	Cerber Create hunting rule
File size:	276'629 bytes
First seen:	2020-11-11 11:09:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7bdf484e04ff3560b3a25691c25e7656 (11 x Cerber)
ssdeep	3072:6LhF64nITckE4h5dri7qgIJsvArxl0BrlnURZYvoVgNXhlvQ/+Us2HKIacaUc22J:5fvso+rlURZqoVgXhs/DdDYuWX5
Threatray	5 similar samples on MalwareBazaar
TLSH	42449E1139CBB89BFCABB0F0B24B05AFF3460BB127637CDF24866D665240ED59A31654
Reporter	seifreed
Tags:	Cerber

Intelligence

File Origin

# of uploads :

# of downloads :

1'798

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Ransomware.Cerber-9777248-0

Win.Ransomware.Cerber-9777249-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Sending a UDP request

DNS request

Using the Windows Management Instrumentation requests

Searching for the window

Sending an HTTP GET request

Launching a process

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a single autorun event

Launching a tool to kill processes

Enabling autorun by creating a file

Enabling autorun

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1eef5d3f564b8768d3356319fb4bd081b961bfb2fd7fefce3f4dadc80ef534d4/

Threat name:

Win32.Ransomware.Cerber

Status:

Malicious

First seen:

2020-11-11 11:11:27 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d3xv2p2wjodwruzvmmm7ws6qqg4wdp5s7v767tr7jww4qdxvgtka._file

Verdict:

malicious

Cerber

3dc6116deb18fa9aec4e567b26ca77b9f7681cbdb2b6f29ce1665fcfd8b8f5ce

Cerber

6d5ee8b9ce1f9548ff8cd1198fc7934fe3f9f2034d215f406cca14e533670d3d

Cerber

726f87f336b6d8257d564bf27f2f8fd22ee3a9a6da2e2a2103fe764a5e8af04d

Cerber

a71db9bee94bb26348cf911d8aae34e84cdf94317ce65e1bd749391125ffaade

Cerber

Result

Malware family:

ursnif_rm3

Score:

10/10

Tags:

family:cerber family:ursnif_rm3 banker evasion persistence ransomware spyware trojan

Link:

https://tria.ge/reports/201111-ysy8tk2fzj/

Behaviour

Kills process with taskkill

Modifies Control Panel

Modifies Internet Explorer settings

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: MapViewOfSection

Drops file in Program Files directory

Drops file in Windows directory

Sets desktop wallpaper using registry

Adds Run key to start application

Checks whether UAC is enabled

JavaScript code in executable

Looks up external IP address via web service

Deletes itself

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Adds policy Run key to start application

Executes dropped EXE

Modifies extensions of user files

Cerber

Ursnif RM3

Unpacked files

SH256 hash:

1eef5d3f564b8768d3356319fb4bd081b961bfb2fd7fefce3f4dadc80ef534d4

MD5 hash:

fe3e59ba0fd4cfa9438a2d95a629d4a5

SHA1 hash:

928ed756321f9fedb5c013f0d9a64ffc234fa620

Link:

https://www.unpac.me/results/dbd60a62-a5ed-438d-8a25-da4a7c9c0b2a/

SH256 hash:

7299b76e03cdfab7dd0d5baea352123291f30ae4e39081ba213790336b16247c

MD5 hash:

2628e2adb0077c876b68745e966e5d9f

SHA1 hash:

6e39c78b210c62962c61c3ce676a2851a745cc68

Detections:

win_cerber_auto

Link:

https://www.unpac.me/results/dbd60a62-a5ed-438d-8a25-da4a7c9c0b2a/

Parent samples :

1cb6e2a2526f332fe132ab8905cd4cae65a1f7ef7aa4f9bf351f7f323f3b32c9
824ab34b2a34ccc9ef69f5fa851ba7ec87042443ecaeb6a573f43f9c944f43a4
60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44
1eef5d3f564b8768d3356319fb4bd081b961bfb2fd7fefce3f4dadc80ef534d4
7a61ca0cd624f85a02a3d168764a589593ff19ca4edb41be92f16ffb521ffad1
75dd3608de0296ec53cebaf935b7142265799894b4eeea2a7794a059ffc5e3e6
9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9
28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_cerber_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample