cerber

Sharing

Copy URL

Twitter E-mail

General

Target

ggpermV3.zip
Size

1.2MB
Sample

231229-ber7bsbgfr
MD5

53966312c3041a20dfdfec9b1cad7916
SHA1

ae5deb357969c426cdf9cf831c29eb32f132863d
SHA256

7c89499d85795d6727f8d864733b78870f3ce076ed4aa065c8f8cc44ee126b1f
SHA512

8e2b1103dc5db7d98b408af07114214cf752dfbd20109e4f6d1a8d11afbbad69048c221750dc2dbebb2df3351a8d40a662e8b272dc2af93d368bf65f470086e1
SSDEEP

24576:AOMg2q4I4kVAeVvTov0bdBL//FJztDzViSeYUgNW9O5zcNU:rwfkVjVvzT/FnligUVK3

Score

10^/10

Malware Config

Targets

- Target
  
  ggpermV3/AMIDEWINx64.EXE
- Size
  
  453KB
- MD5
  
  6a6505b2413d2c7b16c6d059448db9e5
- SHA1
  
  dfe6c6b6051c26326a12dc9d0d5701cb4728266c
- SHA256
  
  53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955
- SHA512
  
  1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3
- SSDEEP
  
  6144:JIeh4+TOKGuTSuXCJ6AtCoZPhGL/TnJ+z5rsxQhsCI9t/tk7MP:jpPTxXihA+zBhsC2Z
Score

1^/10
behavioral1 behavioral2
- Target
  
  ggpermV3/Trinity Cleaner.exe
- Size
  
  752KB
- MD5
  
  5ff39c44ff3eaf7798bffa670fb4b600
- SHA1
  
  cd22cc93964fdeb470460642c44fd4ce31f3bf1e
- SHA256
  
  fd5d49ac3a9a4130261f43ef6e6c9c6a4a317e7ba421f88e22e0fbe96fd45429
- SHA512
  
  6ec8f1e38d78a773f8b0764f7aa5d8902c8c556a2583bdf62b6485e093c8a193b5965e3d908abe60d80b0fc690e2def7721aa896f14f6e77c80f72aa11fa3878
- SSDEEP
  
  12288:FBTyBtZmiNYQtIFc5oiJfJulj1CBMeIFjKuQdGhSaApNrWSvUghmjpoVb3/k2JP:eBtZicIFc5oiJfJulj1CBMeIFjKuQdGP
Score

10^/10

evasion ransomware spyware stealer
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
behavioral3 behavioral4
- Target
  
  ggpermV3/ggpermV3.exe
- Size
  
  62KB
- MD5
  
  eac37455baace3357722d2bc5cf40be9
- SHA1
  
  bfbb2b0f876a0784e5a0d78b7981b27254c0a766
- SHA256
  
  e333b29fa06d2138c9a4c634fde1fe4212bd2a027c0175008001c8af60d34053
- SHA512
  
  78065623e0bafa450e49c91b700da3a31536033d005a6d20126cc886bc1075788a4e5d5f7b689b47c4eea01f58f797e696f06038dd967b6143d07204048ad067
- SSDEEP
  
  1536:eh4f8xsBb7KAMFYieXfRc/onjx6FXs+ceAP5w:bBbnRJfROqwFcZbP5w
Score

10^/10

cerber evasion ransomware spyware stealer
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  ggpermV3/sxghr-driver.exe
- Size
  
  137KB
- MD5
  
  84c83f1f50bed460d9bd13fa4d83304b
- SHA1
  
  e4c17ffcc97654efa537310f81702d922b3101f3
- SHA256
  
  a89fcdf02e9d587c2c00cbfa5efada6b308f62d7d8a296f7a1cfc8c4991de375
- SHA512
  
  4d19b7c31265507c7962a45c2babd266bd8dceae4e9d3cd3c9359083c066a77028158790f3f14cbb22a46ec90d754efa6fa811774b330f6910b7e5576335c289
- SSDEEP
  
  3072:1efQZKfOC31VwyY9egNtfNjJvjmqqF7Hb/LMm5MqDC:1DewyY9egLRePYm5B
Score

1^/10
behavioral7 behavioral8
- Target
  
  ggpermV3/woof.bat
- Size
  
  1KB
- MD5
  
  9dfe4e730dcc5e0d3951038ad2a095a1
- SHA1
  
  e033d9a40234b9544606ec4d603add264cb38841
- SHA256
  
  bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
- SHA512
  
  297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd
Score

8^/10

evasion
- Stops running service(s)
  evasion
- Drops file in System32 directory
behavioral10 behavioral9