MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a71db9bee94bb26348cf911d8aae34e84cdf94317ce65e1bd749391125ffaade. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cerber

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a71db9bee94bb26348cf911d8aae34e84cdf94317ce65e1bd749391125ffaade
SHA3-384 hash:	e97c1723084a644170a48c881a5f5bdaf979b65b8bacdbd296ba61f29be61d2ad71ece1e8e664aab6f50ec7fba1af812
SHA1 hash:	28bbd57cc35152cb498611208987471e59997553
MD5 hash:	ccad76afdd55d5128d76864a810eba04
humanhash:	solar-whiskey-utah-blue
File name:	a71db9bee94bb26348cf911d8aae34e84cdf94317ce65e1bd749391125ffaade
Download:	download sample
Signature	Cerber Create hunting rule
File size:	333'695 bytes
First seen:	2020-11-10 11:04:24 UTC
Last seen:	2024-07-24 20:01:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7a9a7b90fa5c8bf6997159a9b9dcb76c (3 x Cerber)
ssdeep	6144:Fx7d11AVVSnn/lm2IGh+ASR3mW/ALal6x:Fx7d11Amn/1xZU2WoLal+
TLSH	BD64DF1EB413CD2CD2D629BBC885C4A24E07CF7E1D0756537AEAC57ABB872654E30268
Reporter	seifreed
Tags:	Cerber

Intelligence

File Origin

# of uploads :

# of downloads :

1'814

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Ransomware.Cerber-7460267-0

Win.Ransomware.Cerber-7460273-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Sending a UDP request

Launching cmd.exe command interpreter

Creating a process with a hidden window

Launching a service

Launching a process

Deleting volume shadow copies

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a71db9bee94bb26348cf911d8aae34e84cdf94317ce65e1bd749391125ffaade/

Threat name:

Win32.Ransomware.Cerber

Status:

Malicious

First seen:

2020-11-10 11:06:35 UTC

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u4o3tpxjjozggsgpseoyvlru5bgn7fbrpttf4g6xje4rcjp7vlpa._file

Verdict:

malicious

Result

Malware family:

cerber

Score:

10/10

Tags:

family:cerber persistence ransomware spyware

Link:

https://tria.ge/reports/201110-w4xkwqkges/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Modifies registry class

Kills process with taskkill

Modifies Internet Explorer settings

Drops file in Program Files directory

Modifies service

Sets desktop wallpaper using registry

Deletes itself

Reads user/profile data of web browsers

Blacklisted process makes network request

Modifies extensions of user files

Deletes shadow copies

Cerber

Unpacked files

SH256 hash:

d34a0118e2e3a70e67080c4fff18e1f602ad18858429807dc5d60391287aa38c

MD5 hash:

3d7adbd398967fe3c8c9248ac1643b59

SHA1 hash:

3e2bb7837cf38a7a1110527c2db69c82e0922a96

Detections:

win_cerber_auto

Link:

https://www.unpac.me/results/e143b518-6163-4b01-be07-5549eccec6a8/

Parent samples :

a71db9bee94bb26348cf911d8aae34e84cdf94317ce65e1bd749391125ffaade
679684697ee06a22c48b9ffa98fc4aa76ebec4ca1433b21ae19e0c7f8a5eeab3

SH256 hash:

a71db9bee94bb26348cf911d8aae34e84cdf94317ce65e1bd749391125ffaade

MD5 hash:

ccad76afdd55d5128d76864a810eba04

SHA1 hash:

28bbd57cc35152cb498611208987471e59997553

Link:

https://www.unpac.me/results/e143b518-6163-4b01-be07-5549eccec6a8/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_cerber_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample