MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 726f87f336b6d8257d564bf27f2f8fd22ee3a9a6da2e2a2103fe764a5e8af04d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cerber

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	726f87f336b6d8257d564bf27f2f8fd22ee3a9a6da2e2a2103fe764a5e8af04d
SHA3-384 hash:	a8fd865bf10a17784d8d70b66d460b2917547b93455cc9d9a217b6dd6dff4c3ff726990bab216b31fdea145b15fdee7a
SHA1 hash:	b331d4899bd47da9f9e007b586cdbf1ff287cd33
MD5 hash:	31f3e8eb03e020b462f6ece9ea9e744e
humanhash:	berlin-november-eleven-oscar
File name:	726f87f336b6d8257d564bf27f2f8fd22ee3a9a6da2e2a2103fe764a5e8af04d
Download:	download sample
Signature	Cerber Create hunting rule
File size:	236'356 bytes
First seen:	2020-11-11 10:59:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4ea4df5d94204fc550be1874e1b77ea7 (241 x GuLoader, 29 x RemcosRAT, 17 x VIPKeylogger)
ssdeep	6144:aBm/gSSkUVALNNDjqXVYmaCzzvQXPAwr26Iy2rXFUGNxgYb+W5fgn0RF72:a0CxVAnoceQfJix1HNSYbgn0z72
Threatray	2 similar samples on MalwareBazaar
TLSH	1134120533F2C977EAB30A713E7A6E275FA0A96504F5170727901A9E7621B439D8F3C2
Reporter	seifreed
Tags:	Cerber

Intelligence

File Origin

# of uploads :

# of downloads :

1'816

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Malware.Hpdefender-6725850-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Creating a file

Searching for the window

Unauthorized injection to a recently created process

Creating a window

Using the Windows Management Instrumentation requests

Changing a file

Reading critical registry keys

Launching a process

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Connecting to a cryptocurrency mining pool

Creating a file in the %AppData% subdirectories

Connection attempt

Creating a file in the mass storage device

Stealing user critical data

Encrypting user's files

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/726f87f336b6d8257d564bf27f2f8fd22ee3a9a6da2e2a2103fe764a5e8af04d/

Threat name:

Win32.Ransomware.Cerber

Status:

Malicious

First seen:

2020-11-11 11:00:38 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ojxyp4zww3mck7kwjpzh6l4p2ixohkng3ixcuiid7z3euxuk6bgq._file

Verdict:

malicious

Cerber

a71db9bee94bb26348cf911d8aae34e84cdf94317ce65e1bd749391125ffaade

Cerber

Result

Malware family:

cerber

Score:

10/10

Tags:

family:cerber ransomware

Link:

https://tria.ge/reports/201111-e8fm58p93x/

Behaviour

Kills process with taskkill

Modifies Internet Explorer settings

Modifies system certificate store

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry class

Drops file in Program Files directory

Drops file in Windows directory

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

Deletes itself

Loads dropped DLL

Drops startup file

Blacklisted process makes network request

Cerber

Unpacked files

SH256 hash:

726f87f336b6d8257d564bf27f2f8fd22ee3a9a6da2e2a2103fe764a5e8af04d

MD5 hash:

31f3e8eb03e020b462f6ece9ea9e744e

SHA1 hash:

b331d4899bd47da9f9e007b586cdbf1ff287cd33

Link:

https://www.unpac.me/results/f398dcee-51e3-4375-8ef7-fb96de296d21/

SH256 hash:

2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

MD5 hash:

a4dd044bcd94e9b3370ccf095b31f896

SHA1 hash:

17c78201323ab2095bc53184aa8267c9187d5173

Link:

https://www.unpac.me/results/f398dcee-51e3-4375-8ef7-fb96de296d21/

SH256 hash:

f83d4485c115d336c307e1d89def70b08dbc34b5549ad58fa0d6035ae3a04f9c

MD5 hash:

fb2e3ddf1d1a102c557efd4d08ecc52c

SHA1 hash:

7ee6a20a36acf16ba14130dccb3306ddf98e3667

Detections:

win_cerber_auto

Link:

https://www.unpac.me/results/f398dcee-51e3-4375-8ef7-fb96de296d21/

Parent samples :

726f87f336b6d8257d564bf27f2f8fd22ee3a9a6da2e2a2103fe764a5e8af04d
eec41a3e29e670a2590f9e37a8e1640853dd92aa70e00661c9e047b61273757d
21043cb4d201a6a5daf06ff34f703d6e306da8ff14aaf1b0880bcd79bf5833a7
b87394743bb5273cd237c863debf75c881236ff0525a979e82cb37ea539e2c9e

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_cerber_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_cerber_g0 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample