MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 679684697ee06a22c48b9ffa98fc4aa76ebec4ca1433b21ae19e0c7f8a5eeab3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cerber

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	679684697ee06a22c48b9ffa98fc4aa76ebec4ca1433b21ae19e0c7f8a5eeab3
SHA3-384 hash:	0ab47af50d15cb300e4b8fd2cb5c49d53e778a73b02a285a31c4d099c67a1503845d861d2d4e29e25091de7dfd5c3ecf
SHA1 hash:	c21a7258a73dfdc051a8458d1dda41ccfa60d544
MD5 hash:	df4ab81b67ccfbde82ce0d87953be5d9
humanhash:	skylark-oklahoma-fruit-maine
File name:	679684697ee06a22c48b9ffa98fc4aa76ebec4ca1433b21ae19e0c7f8a5eeab3
Download:	download sample
Signature	Cerber Create hunting rule
File size:	333'695 bytes
First seen:	2020-11-14 18:08:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7a9a7b90fa5c8bf6997159a9b9dcb76c (3 x Cerber)
ssdeep	6144:xzed1xAVVSnn/lm2IGh+ASR3mW/ALal6x:xzed1xAmn/1xZU2WoLal+
Threatray	12 similar samples on MalwareBazaar
TLSH	BD64DF1EB413CD2CD2D629B7C885C4A24E07CF7E1D0756537AEAC57ABB872654E30268
Reporter	seifreed
Tags:	Cerber

Intelligence

File Origin

# of uploads :

# of downloads :

1'832

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Ransomware.Cerber-7460267-0

Win.Ransomware.Cerber-7460273-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Sending a UDP request

Launching cmd.exe command interpreter

Creating a process with a hidden window

Launching a service

Launching a process

Deleting volume shadow copies

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Cerber

Detection:

malicious

Classification:

rans.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/535805

Signature

Antivirus / Scanner detection for submitted sample

Deletes shadow drive data (may be related to ransomware)

Detected Cerber Ransomware

Found Tor onion address

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sigma detected: Delete shadow copy via WMIC

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Cerber ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/679684697ee06a22c48b9ffa98fc4aa76ebec4ca1433b21ae19e0c7f8a5eeab3/

Threat name:

Win32.Ransomware.Cerber

Status:

Malicious

First seen:

2020-11-14 18:11:04 UTC

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m6lii2l64bvcfrelt75jr7cku5xl5rgkcqz3egxbtygh7cs65kzq._file

Result

Malware family:

cerber

Score:

10/10

Tags:

family:cerber persistence ransomware spyware

Link:

https://tria.ge/reports/201114-1nqv9a86pa/

Behaviour

Kills process with taskkill

Modifies Internet Explorer settings

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Modifies registry class

Drops file in Program Files directory

Modifies service

Sets desktop wallpaper using registry

Deletes itself

Reads user/profile data of web browsers

Blacklisted process makes network request

Modifies extensions of user files

Deletes shadow copies

Cerber

Unpacked files

SH256 hash:

679684697ee06a22c48b9ffa98fc4aa76ebec4ca1433b21ae19e0c7f8a5eeab3

MD5 hash:

df4ab81b67ccfbde82ce0d87953be5d9

SHA1 hash:

c21a7258a73dfdc051a8458d1dda41ccfa60d544

Link:

https://www.unpac.me/results/82cc9e95-aa46-4f04-86d2-c192de00131a/

SH256 hash:

d34a0118e2e3a70e67080c4fff18e1f602ad18858429807dc5d60391287aa38c

MD5 hash:

3d7adbd398967fe3c8c9248ac1643b59

SHA1 hash:

3e2bb7837cf38a7a1110527c2db69c82e0922a96

Detections:

win_cerber_auto

Link:

https://www.unpac.me/results/82cc9e95-aa46-4f04-86d2-c192de00131a/

Parent samples :

a71db9bee94bb26348cf911d8aae34e84cdf94317ce65e1bd749391125ffaade
679684697ee06a22c48b9ffa98fc4aa76ebec4ca1433b21ae19e0c7f8a5eeab3

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/679684697ee06a22c48b9ffa98fc4aa76ebec4ca1433b21ae19e0c7f8a5eeab3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_cerber_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample