MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Cerber


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9
SHA3-384 hash: 6610b3c800937f585fafd7cf9756c9023c2bb61856f1720c92eac562b7e84a431f5bc907b7e2b579417c0c5ca523cd3e
SHA1 hash: a9bf1c6f3f08203cf10fdaf141012dc83646aee1
MD5 hash: e1f33c600d3cc76771aaa3bf940ff3fe
humanhash: fillet-black-aspen-grey
File name:9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9
Download: download sample
Signature Cerber
Create hunting rule
File size:276'629 bytes
First seen:2020-11-13 16:07:28 UTC
Last seen:2024-07-24 19:30:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7bdf484e04ff3560b3a25691c25e7656 (11 x Cerber)
ssdeep 3072:6LhF64nITOkE+hNFr27qgIJsvArxl0BrlnURZYvoVgNXhlvQ/+Us2HKIacaUc22J:5/fso+rlURZqoVgXhs/DdDYuWX5
TLSH AB449E1139CBB89BFCABB0F0B24B05AFF3460BB127637CDF24866D665240ED59A31654
Reporter seifreed
Tags:Cerber

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'835
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Ransomware.Cerber-9777248-0
Create hunting rule

Win.Ransomware.Cerber-9777249-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
DNS request
Sending an HTTP GET request
Launching a process
Creating a file
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Launching a tool to kill processes
Enabling autorun by creating a file
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cerber
Create hunting rule
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/534548
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionalty to change the wallpaper
Creates an undocumented autostart registry key
Detected Cerber Ransomware
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses TOR for connection hidding
Yara detected Cerber ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 316374 Sample: ZPRp2a6d1i Startdate: 14/11/2020 Architecture: WINDOWS Score: 100 57 btc.blockr.io 2->57 59 sochain.com 2->59 61 4 other IPs or domains 2->61 71 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->71 73 Antivirus detection for dropped file 2->73 75 Antivirus / Scanner detection for submitted sample 2->75 77 5 other signatures 2->77 8 ZPRp2a6d1i.exe 7 5 2->8         started        12 iscsicli.exe 12 249 2->12         started        15 iscsicli.exe 2->15         started        17 5 other processes 2->17 signatures3 process4 dnsIp5 45 C:\Users\user\AppData\...\iscsicli.exe, PE32 8->45 dropped 47 C:\Users\...\iscsicli.exe:Zone.Identifier, ASCII 8->47 dropped 87 Detected Cerber Ransomware 8->87 89 Detected unpacking (changes PE section rights) 8->89 91 Detected unpacking (overwrites its own PE header) 8->91 95 2 other signatures 8->95 19 iscsicli.exe 8->19         started        22 cmd.exe 1 8->22         started        65 31.184.234.10, 6892 MATTEOGB Russian Federation 12->65 67 31.184.234.11, 6892 MATTEOGB Russian Federation 12->67 69 98 other IPs or domains 12->69 49 C:\Users\user\Desktop\...\UOOJJOZIRH.docx, data 12->49 dropped 51 C:\Users\user\Desktop\...51EBFQQYWPS.pdf, data 12->51 dropped 53 C:\Users\user\Desktop\...\UOOJJOZIRH.xlsx, data 12->53 dropped 55 2 other files (1 malicious) 12->55 dropped 93 Modifies existing user documents (likely ransomware behavior) 12->93 25 iexplore.exe 51 12->25         started        27 cmd.exe 12->27         started        29 notepad.exe 12->29         started        31 wscript.exe 12->31         started        file6 signatures7 process8 dnsIp9 79 Multi AV Scanner detection for dropped file 19->79 81 Detected unpacking (changes PE section rights) 19->81 83 Detected unpacking (creates a PE file in dynamic memory) 19->83 85 2 other signatures 19->85 63 127.0.0.1 unknown unknown 22->63 33 taskkill.exe 1 22->33         started        35 conhost.exe 22->35         started        37 iexplore.exe 25->37         started        39 iexplore.exe 25->39         started        41 conhost.exe 27->41         started        43 taskkill.exe 27->43         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9/
Threat name:
Win32.Ransomware.Cerber
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 16:24:25 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tjqwjmtcrikjkclb74idd5psu57t2wjazeqxjk6wqaxgn2zcfguq._file
Result
Malware family:
ursnif_rm3
Create hunting rule
Score:
  10/10
Tags:
family:cerber family:ursnif_rm3 banker evasion persistence ransomware spyware trojan
Link:
https://tria.ge/reports/201113-x1yv1gndme/
Behaviour
Gathers system information
Kills process with taskkill
Modifies Control Panel
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Drops file in Windows directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks whether UAC is enabled
JavaScript code in executable
Looks up external IP address via web service
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Adds policy Run key to start application
Executes dropped EXE
Modifies extensions of user files
Cerber
Ursnif RM3
Unpacked files
SH256 hash:
9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9
MD5 hash:
e1f33c600d3cc76771aaa3bf940ff3fe
SHA1 hash:
a9bf1c6f3f08203cf10fdaf141012dc83646aee1
Link:
https://www.unpac.me/results/7bb85139-1c9a-4c16-9fa0-068725a6a09c/
SH256 hash:
7299b76e03cdfab7dd0d5baea352123291f30ae4e39081ba213790336b16247c
MD5 hash:
2628e2adb0077c876b68745e966e5d9f
SHA1 hash:
6e39c78b210c62962c61c3ce676a2851a745cc68
Detections:
win_cerber_auto
Create hunting rule
Link:
https://www.unpac.me/results/7bb85139-1c9a-4c16-9fa0-068725a6a09c/
Parent samples :
1cb6e2a2526f332fe132ab8905cd4cae65a1f7ef7aa4f9bf351f7f323f3b32c9
824ab34b2a34ccc9ef69f5fa851ba7ec87042443ecaeb6a573f43f9c944f43a4
60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44
1eef5d3f564b8768d3356319fb4bd081b961bfb2fd7fefce3f4dadc80ef534d4
7a61ca0cd624f85a02a3d168764a589593ff19ca4edb41be92f16ffb521ffad1
75dd3608de0296ec53cebaf935b7142265799894b4eeea2a7794a059ffc5e3e6
9a6164b2628a14950961ff1031f5f2a77f3d5920c92174abd6802e66eb2229a9
28b28111884badedf0870be7bef1e417b3ddea12eb06b1c431e992be39d6bf8e
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments