MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75dd3608de0296ec53cebaf935b7142265799894b4eeea2a7794a059ffc5e3e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cerber

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	75dd3608de0296ec53cebaf935b7142265799894b4eeea2a7794a059ffc5e3e6
SHA3-384 hash:	0947bc4bfc12b4271a9e71b2bbff2294dc28d99feec689b4f441132e6dbaa5087e1c31140307c624376eff85cf9bd43c
SHA1 hash:	81f95143a249dffec618ee9b463dc9e3fd0b9307
MD5 hash:	afc1938955e21df97c24920cfe55acd7
humanhash:	december-jig-mike-charlie
File name:	75dd3608de0296ec53cebaf935b7142265799894b4eeea2a7794a059ffc5e3e6
Download:	download sample
Signature	Cerber Create hunting rule
File size:	272'329 bytes
First seen:	2020-11-13 15:27:51 UTC
Last seen:	2024-07-24 16:14:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7bdf484e04ff3560b3a25691c25e7656 (11 x Cerber)
ssdeep	3072:3ThF64nITgkEzhNQrg7qgIJsvArxl0BrlnURZYvoVgNXhlvQ/+Us2HKIacaUc225:Aqsso+rlURZqoVgXhs/DdDYuWZ
Threatray	7 similar samples on MalwareBazaar
TLSH	68448D113ECBB89BFCABB0F0B24B059FB3460BB127637CDF24866D665240ED59A31644
Reporter	seifreed
Tags:	Cerber

Intelligence

File Origin

# of uploads :

# of downloads :

1'816

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Ransomware.Cerber-9777248-0

Win.Ransomware.Cerber-9777249-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

DNS request

Using the Windows Management Instrumentation requests

Sending an HTTP GET request

Searching for the window

Launching a process

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a single autorun event

Launching a tool to kill processes

Enabling autorun by creating a file

Enabling autorun

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/75dd3608de0296ec53cebaf935b7142265799894b4eeea2a7794a059ffc5e3e6/

Threat name:

Win32.Ransomware.Cerber

Status:

Malicious

First seen:

2020-11-13 15:30:05 UTC

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oxotmcg6akloyu6oxl4tlnyuejsxtgeuwtxouktxssqft76f4pta._file

Verdict:

malicious

Cerber

3a7e74f0ecf5c9b44add16fceb394def8a7789334906a710e476e7f361cd38c2

Cerber

6b9693bfc7e7b3d26bafb65e7368c091e874fc8b05ca202076fd3ee3c2e9550a

Cerber

726f87f336b6d8257d564bf27f2f8fd22ee3a9a6da2e2a2103fe764a5e8af04d

Cerber

7a61ca0cd624f85a02a3d168764a589593ff19ca4edb41be92f16ffb521ffad1

Cerber

a71db9bee94bb26348cf911d8aae34e84cdf94317ce65e1bd749391125ffaade

Cerber

eec41a3e29e670a2590f9e37a8e1640853dd92aa70e00661c9e047b61273757d

Cerber

Result

Malware family:

cerber

Score:

10/10

Tags:

family:cerber evasion persistence ransomware spyware trojan

Link:

https://tria.ge/reports/201113-1chkcy6sbs/

Behaviour

Kills process with taskkill

Modifies Control Panel

Modifies Internet Explorer settings

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: MapViewOfSection

Drops file in Program Files directory

Drops file in Windows directory

Sets desktop wallpaper using registry

Adds Run key to start application

Checks whether UAC is enabled

JavaScript code in executable

Looks up external IP address via web service

Deletes itself

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Adds policy Run key to start application

Executes dropped EXE

Modifies extensions of user files

Cerber

Unpacked files

SH256 hash:

75dd3608de0296ec53cebaf935b7142265799894b4eeea2a7794a059ffc5e3e6

MD5 hash:

afc1938955e21df97c24920cfe55acd7

SHA1 hash:

81f95143a249dffec618ee9b463dc9e3fd0b9307

Link:

https://www.unpac.me/results/553239c0-8368-4fe8-939e-59814b89159c/

SH256 hash:

7299b76e03cdfab7dd0d5baea352123291f30ae4e39081ba213790336b16247c

MD5 hash:

2628e2adb0077c876b68745e966e5d9f

SHA1 hash:

6e39c78b210c62962c61c3ce676a2851a745cc68

Detections:

win_cerber_auto

Link:

https://www.unpac.me/results/553239c0-8368-4fe8-939e-59814b89159c/

Parent samples :

1cb6e2a2526f332fe132ab8905cd4cae65a1f7ef7aa4f9bf351f7f323f3b32c9
824ab34b2a34ccc9ef69f5fa851ba7ec87042443ecaeb6a573f43f9c944f43a4
60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44
1eef5d3f564b8768d3356319fb4bd081b961bfb2fd7fefce3f4dadc80ef534d4
7a61ca0cd624f85a02a3d168764a589593ff19ca4edb41be92f16ffb521ffad1
75dd3608de0296ec53cebaf935b7142265799894b4eeea2a7794a059ffc5e3e6
9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9
28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/75dd3608de0296ec53cebaf935b7142265799894b4eeea2a7794a059ffc5e3e6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample