MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cerber

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44
SHA3-384 hash:	b21ce08e2d2d18f1512e909f2bc84691d6f35f2813410e24636c65df726cdc9ebd8d0b0e78373fedfe23d1a9a75f995a
SHA1 hash:	f2218540985d22624021b4acb9966d20d480edff
MD5 hash:	4b75efc2a9c47bbbf2cc1f9761922cb2
humanhash:	four-ack-monkey-beer
File name:	60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44
Download:	download sample
Signature	Cerber Create hunting rule
File size:	276'629 bytes
First seen:	2020-11-07 17:16:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7bdf484e04ff3560b3a25691c25e7656 (11 x Cerber)
ssdeep	3072:6ThF64nITykERhNerm7qgIJsvArxl0BrlnURZYvoVgNXhlvQ/+Us2HKIacaUc22J:1uAso+rlURZqoVgXhs/DdDYuWX5
TLSH	93449E113DCBB89BFCABA0F0B24B05AFF3460BB127637CDF24866D665240ED59A31654
Reporter	seifreed
Tags:	Cerber

Intelligence

File Origin

# of uploads :

# of downloads :

1'815

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Ransomware.Cerber-9777248-0

Win.Ransomware.Cerber-9777249-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

DNS request

Using the Windows Management Instrumentation requests

Sending an HTTP GET request

Searching for the window

Launching a process

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a single autorun event

Launching a tool to kill processes

Enabling autorun by creating a file

Enabling autorun

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44/

Threat name:

Win32.Ransomware.Cerber

Status:

Malicious

First seen:

2020-11-07 17:21:42 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=md4lnvdcmwps4m7c3ahoo2lb5ae3mmnstfmeok7g2frqiyy7pnca._file

Result

Malware family:

ursnif_rm3

Score:

10/10

Tags:

family:cerber family:ursnif_rm3 banker evasion persistence ransomware spyware trojan

Link:

https://tria.ge/reports/201108-4vkgpyp2hj/

Behaviour

Kills process with taskkill

Modifies Control Panel

Modifies Internet Explorer settings

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: MapViewOfSection

Drops file in Program Files directory

Drops file in Windows directory

Sets desktop wallpaper using registry

Adds Run key to start application

Checks whether UAC is enabled

JavaScript code in executable

Looks up external IP address via web service

Deletes itself

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Adds policy Run key to start application

Executes dropped EXE

Modifies extensions of user files

Cerber

Ursnif RM3

Unpacked files

SH256 hash:

60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44

MD5 hash:

4b75efc2a9c47bbbf2cc1f9761922cb2

SHA1 hash:

f2218540985d22624021b4acb9966d20d480edff

Link:

https://www.unpac.me/results/e1078799-187e-4426-bd52-0aeb8a75a8f1/

SH256 hash:

7299b76e03cdfab7dd0d5baea352123291f30ae4e39081ba213790336b16247c

MD5 hash:

2628e2adb0077c876b68745e966e5d9f

SHA1 hash:

6e39c78b210c62962c61c3ce676a2851a745cc68

Detections:

win_cerber_auto

Link:

https://www.unpac.me/results/e1078799-187e-4426-bd52-0aeb8a75a8f1/

Parent samples :

1cb6e2a2526f332fe132ab8905cd4cae65a1f7ef7aa4f9bf351f7f323f3b32c9
824ab34b2a34ccc9ef69f5fa851ba7ec87042443ecaeb6a573f43f9c944f43a4
60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44
1eef5d3f564b8768d3356319fb4bd081b961bfb2fd7fefce3f4dadc80ef534d4
7a61ca0cd624f85a02a3d168764a589593ff19ca4edb41be92f16ffb521ffad1
75dd3608de0296ec53cebaf935b7142265799894b4eeea2a7794a059ffc5e3e6
9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9
28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample