General
Target: fe1bc60a95b2c2d77cd5d232296a7fa4.zip
Size: 182KB
Sample: 221002-xteqfafed6
MD5: 7ae78d3f9ef94936cb2033f580690ba0
SHA1: 11146bc927eed0cc6c6dec736ff4d23ecc732afe
SHA256: f90b42c26866bc81db881f0258ab8fd1d41b8b8976515d4224d88bcfd90d2fc6
SHA512: 73654de636214cb75921b7c6d8ac312650b6e0ee9dfcb1528050e4de7c71f196901aa7be5cbdb3c03aec760c82a14ce20cde8cf6d8fb1cd468dd62ea105462b7
SSDEEP: 3072:66HvHDPNmKDfcJwPwQkHJ8e44dHHpS/66EQ6KUXlbIAfqbmjvAmoNpeBOrY72N0t:6mbd5CJ8/AHKmKU+UqajvAmoNpedJoG3
Static task: static1
Behavioral task: behavioral1
  Sample: Endermanch@Cerber5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Endermanch@Cerber5.exe
  Resource: win10v2004-20220901-en
Malware Config
Extracted: \??\c:\_R_E_A_D___T_H_I_S___ISAN7_.txt
Family: cerber
Extracted: \??\c:\_R_E_A_D___T_H_I_S___YSPYQ_.txt
Family: cerber
Targets
Target: Endermanch@Cerber5.bin
Size: 313KB
MD5: fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1: c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256: b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512: 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
SSDEEP: 6144:nl578cxdGY87FohbnmM2i8ito7wTmCbL94KCT3OAmK:nl59zH8MiM2z+NLQBN
Score: 10/10
- Blocklisted process makes network request
- Contacts a large (1095) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
- Contacts a large (1111) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry