MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eebc9333049be75082af1cb0c8ecb798bcbea50e4b0208fa97a96c71aa68dc62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Cerber


Vendor detections: 9



SHA256 hash: eebc9333049be75082af1cb0c8ecb798bcbea50e4b0208fa97a96c71aa68dc62
SHA3-384 hash: 9221719e890f549b425e476126ddc90d374c371a80b1fe8e72ddd4c19ca07881e645df2edd4e763feee2e13b9e4cacdf
SHA1 hash: c792ff6eb7b1338cf46607b40bc15664134f159a
MD5 hash: 879b24b80b987f27f051d4097a5bb6a2
humanhash: ten-mike-batman-hotel
File name: 879b24b80b987f27f051d4097a5bb6a2
Signature: Cerber
File size: 410'281 bytes
First seen: 2020-10-25 17:24:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 18ea9ac65a70f0508412dab72d29c5ad (1 x Cerber)
ssdeep: 6144:swwEQtofY29eG7pkEhXMOe90cd64kZ1lTrMG:cEFfCGbhKn6R1lL
Threatray: 2'757 similar samples on MalwareBazaar
TLSH: F694E1F0DED3A06AF9D18EF5D4E23B35FA75F457DE22D2939E2AD708511434A04A8B02
Reporter: @Seifreed
Tags: Cerber

Intelligence


File Origin
# of uploads :
1
# of downloads :
1'589
Origin country :
US
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching the process to change network settings
Using the Windows Management Instrumentation requests
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Found Tor onion address
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Behavior Graph ID: 303968
Sample: OLhWka4IHt
Start date: 25/10/2020
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures
Process tree:
  OLhWka4IHt.exe (started)
    OLhWka4IHt.exe (started)
      Network: 149.202.122.12:6892 (OVHFR, France); 149.202.122.13:6892 (OVHFR, France); 98 other IPs or domains
      Dropped file: C:\Users\user\AppData\Local\Temp\...\68f6.tmp (b.out)
      Signatures: Writes to foreign memory regions; Allocates memory in foreign processes
      cmd.exe (started)
        Signatures: Uses ping.exe to sleep; Writes to foreign memory regions
        conhost.exe (started)
          conhost.exe (started)
        taskkill.exe (started)
        PING.EXE (started)
      netsh.exe (started)
        conhost.exe (started)
      netsh.exe (started)
        conhost.exe (started)
Threat name:
Win32.Ransomware.Cerber
Status:
Malicious
First seen:
2020-10-17 11:20:31 UTC
AV detection:
28 of 28 (100.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Program crash
Unpacked files
SHA256 hash:
eebc9333049be75082af1cb0c8ecb798bcbea50e4b0208fa97a96c71aa68dc62
MD5 hash:
879b24b80b987f27f051d4097a5bb6a2
SHA1 hash:
c792ff6eb7b1338cf46607b40bc15664134f159a

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name: win_cerber_g0
Author: Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method
Other

Comments