MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 824ab34b2a34ccc9ef69f5fa851ba7ec87042443ecaeb6a573f43f9c944f43a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cerber

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	824ab34b2a34ccc9ef69f5fa851ba7ec87042443ecaeb6a573f43f9c944f43a4
SHA3-384 hash:	67083b796c7624bb81f42badc14436d01a2b3fc23c99d2bc1f5a01e1eaa28bccc9d9a35a30bf74f7167bdc7f19fbde58
SHA1 hash:	659df551db4342ab5896c0092d3a6487ebf5c229
MD5 hash:	f88352a6d3b2004925005c4994805d92
humanhash:	comet-helium-quebec-blue
File name:	824ab34b2a34ccc9ef69f5fa851ba7ec87042443ecaeb6a573f43f9c944f43a4
Download:	download sample
Signature	Cerber Create hunting rule
File size:	276'629 bytes
First seen:	2020-11-06 11:41:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7bdf484e04ff3560b3a25691c25e7656 (11 x Cerber)
ssdeep	3072:6+hF64nITVkEQhNtra7qgIJsvArxl0BrlnURZYvoVgNXhlvQ/+Us2HKIacaUc22J:Q0jso+rlURZqoVgXhs/DdDYuWX5
TLSH	08448E1139CBB89BFCABA0F0B24B05AFF3460BB127637CDF24866D665240ED59A31654
Reporter	seifreed
Tags:	Cerber

Intelligence

File Origin

# of uploads :

# of downloads :

1'846

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Ransomware.Cerber-9777248-0

Win.Ransomware.Cerber-9777249-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

DNS request

Using the Windows Management Instrumentation requests

Searching for the window

Sending an HTTP GET request

Launching a process

Creating a file

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Setting a single autorun event

Launching a tool to kill processes

Enabling autorun by creating a file

Enabling autorun

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/824ab34b2a34ccc9ef69f5fa851ba7ec87042443ecaeb6a573f43f9c944f43a4/

Threat name:

Win32.Ransomware.Cerber

Status:

Malicious

First seen:

2020-10-12 14:24:29 UTC

AV detection:

29 of 29 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qjflgszkgtgmt33j6x5ikg5h5sdqijcd5sxlnjlt6q7zzfcpiosa._file

Verdict:

malicious

Result

Malware family:

cerber

Score:

10/10

Tags:

family:cerber evasion persistence ransomware spyware trojan

Link:

https://tria.ge/reports/201106-ymprz7t686/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: MapViewOfSection

Kills process with taskkill

Modifies Control Panel

Modifies Internet Explorer settings

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Drops file in Windows directory

Drops file in Program Files directory

Sets desktop wallpaper using registry

Adds Run key to start application

Checks whether UAC is enabled

JavaScript code in executable

Looks up external IP address via web service

Checks computer location settings

Deletes itself

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Adds policy Run key to start application

Executes dropped EXE

Modifies extensions of user files

Cerber

Unpacked files

SH256 hash:

824ab34b2a34ccc9ef69f5fa851ba7ec87042443ecaeb6a573f43f9c944f43a4

MD5 hash:

f88352a6d3b2004925005c4994805d92

SHA1 hash:

659df551db4342ab5896c0092d3a6487ebf5c229

Link:

https://www.unpac.me/results/2ff5d816-51c4-4cd4-96ba-e78bdbf6c405/

SH256 hash:

7299b76e03cdfab7dd0d5baea352123291f30ae4e39081ba213790336b16247c

MD5 hash:

2628e2adb0077c876b68745e966e5d9f

SHA1 hash:

6e39c78b210c62962c61c3ce676a2851a745cc68

Detections:

win_cerber_auto

Link:

https://www.unpac.me/results/2ff5d816-51c4-4cd4-96ba-e78bdbf6c405/

Parent samples :

1cb6e2a2526f332fe132ab8905cd4cae65a1f7ef7aa4f9bf351f7f323f3b32c9
824ab34b2a34ccc9ef69f5fa851ba7ec87042443ecaeb6a573f43f9c944f43a4
60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44
1eef5d3f564b8768d3356319fb4bd081b961bfb2fd7fefce3f4dadc80ef534d4
7a61ca0cd624f85a02a3d168764a589593ff19ca4edb41be92f16ffb521ffad1
75dd3608de0296ec53cebaf935b7142265799894b4eeea2a7794a059ffc5e3e6
9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9
28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_cerber_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_cerber_g0 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample