cerber

Sharing

Copy URL

Twitter E-mail

General

Target

Ransomware-Samples-main.zip
Size

15.1MB
Sample

240226-h5eggsfh39
MD5

e88a0140466c45348c7b482bb3e103df
SHA1

c59741da45f77ed2350c72055c7b3d96afd4bfc1
SHA256

bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7
SHA512

2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431
SSDEEP

393216:+8HaL/eOo2nfFSrjIMVePFmu/GyBSib+JYSWTmZ:LHayONnnBNmkPbDSWm

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___Z1OG_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="l4KH3" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yojHELf3vu find the necessary files? Is the cXikaLontent of your files not readable? It is normal beHevVjbLEdcause the files' names and the data in your files have been encrypQgt2T06wted by "CezGmZSe5auwrber Ransomware". It mecWgdans your files are NOT damageXEBAA6QBhd! Your files are modified only. This modification is reversible. FFqWrom now it is not possn584yible to use your files until they will be decrypted. The only way to decNjYrFqrypt your files safely is to buy the special decryption software "C7OLerber Decryptor". Any attempts to restELEDore your files with the thirlwUd-party software will be fatal for your files! <hr> You can procjTmWeed with purchasing of the decryption softwcare at your personal page: Ple0vase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C</a> If tB3his page cannot be opened  cli8Ae8dck here  to get a new addrFaess of your personal page. If the addreN3ss of your personal page is the same as befodre after you tried to get a new one, you cSw9cLcDan try to get a new address in one hour. At tha0Yis page you will receive the complete instrZF75juctions how to buy the decryptiXcoon software for restoring all your files. Also at this page you will be able to resBlOKotore any one file for free to be sure "CerbefXFcxr Decryptor" will help you. <hr> If your perOsonal page is not availalkfvbtable for a long period there is another way to open your personal page - instajQ2jTkZKnVllation and use of Tor Browser: <ol> <li>run your Intelrnet browser (if you do not know what it is run the Internet Explorer);</li> <li>entvgAYO3cydger or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadzc8k8prFing;</li> <li>on the site you will be offered to doYiwnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruebd71FZswn Tor Browser;</li> <li>connect with the buttkon "Connect" (if you use the English version);</li> <li>a normal Internet broRpRwser window will be opened after the initialization;</li> <li>type or copy the add1lress http://p27dokhpz2n7nvgr.onion/F4CE-E26B-DC7A-0446-905C in this browser address bar;</li> <li>preU1SQJHfAss ENTER;</li> <li>the site shoIuld be loaded; if for some reason the site is not loWhading wait for a moment and try again.</li> </ol> If you have any prNNlBJPOHoblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searcS3Dh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditNIyCkRYURnional information: You will fi7F7a3MgqErnd the instruqft2LLJnbctions ("*_READ_THIS_FILE_*.hta") for reeINhcsewcBstoring your files in any fDolder with your enc4orypted files. The instr5FfR9QPuctions "*_READ_THIS_FILE_*.hta" in the fL96qRDZpwoldercEACCjrmvrs with your encry05TNP6pted files are not virLCnuses! The instruczF4GXHctions "*_READ_THIS_FILE_*.hta" will heNSaflp you to dec8em8LkWrypt your files. RemembeTt2r! The worst siGbExCuekc5tuation already happ2WPsened and now the future of your files deDjteJo9CUpends on your determAPryination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/F4CE-E26B-DC7A-0446-905C في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضwr28aNsافية: سQوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشqqtادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ مو7mU7Lقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是被修改了，这个修改是可逆的

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___AII4_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/F4CE-E26B-DC7A-0446-905C Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C 2. http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C 3. http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C 4. http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C 5. http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/F4CE-E26B-DC7A-0446-905C

http://p27dokhpz2n7nvgr.12hygy.top/F4CE-E26B-DC7A-0446-905C

http://p27dokhpz2n7nvgr.14ewqv.top/F4CE-E26B-DC7A-0446-905C

http://p27dokhpz2n7nvgr.14vvrc.top/F4CE-E26B-DC7A-0446-905C

http://p27dokhpz2n7nvgr.129p1t.top/F4CE-E26B-DC7A-0446-905C

http://p27dokhpz2n7nvgr.1apgrn.top/F4CE-E26B-DC7A-0446-905C

Targets

- Target
  
  Ransomware-Samples-main.zip
- Size
  
  15.1MB
- MD5
  
  e88a0140466c45348c7b482bb3e103df
- SHA1
  
  c59741da45f77ed2350c72055c7b3d96afd4bfc1
- SHA256
  
  bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7
- SHA512
  
  2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431
- SSDEEP
  
  393216:+8HaL/eOo2nfFSrjIMVePFmu/GyBSib+JYSWTmZ:LHayONnnBNmkPbDSWm
Score

1^/10
behavioral1
- Target
  
  Ransomware-Samples-main/Cerber/Ransomware.Cerber.zip
- Size
  
  215KB
- MD5
  
  5c571c69dd75c30f95fe280ca6c624e9
- SHA1
  
  b0610fc5d35478c4b95c450b66d2305155776b56
- SHA256
  
  416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c
- SHA512
  
  8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2
- SSDEEP
  
  3072:EJk9kcytz1Qg4kViSMoq9OsLvz8L5HINY8lYdeIX8woWJQHr6LqK2fU0MwL0b06R:EUkcyVlDq8rIblYomoWnvfp0g
Score

1^/10
behavioral2
- Target
  
  cerber.exe
- Size
  
  604KB
- MD5
  
  8b6bc16fd137c09a08b02bbe1bb7d670
- SHA1
  
  c69a0f6c6f809c01db92ca658fcf1b643391a2b7
- SHA256
  
  e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
- SHA512
  
  b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
- SSDEEP
  
  6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01
Score

10^/10

cerber discovery evasion ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Contacts a large (1092) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral3
- Target
  
  Ransomware-Samples-main/Cryptowall/Ransomware.Cryptowall.zip
- Size
  
  100KB
- MD5
  
  8710ea46c2db18965a3f13c5fb7c5be8
- SHA1
  
  24978c79b5b4b3796adceffe06a3a39b33dda41d
- SHA256
  
  60d574055ae164cc32df9e5c9402deefa9d07e5034328d7b41457d35b7312a0e
- SHA512
  
  c71de7a60e7edeedbdd7843a868b6f5a95f2718f0f35d274cf85951ee565ef3ba1e087881f12aeede686ce6d016f3fd533b7ef21d878a03d2455acc161abf583
- SSDEEP
  
  3072:OCDc19avf1fHqOhdzVD/9Ae7RT5f6IiL+WfXS21o4D:OCD0QvlqGRlAlX+sXjo4D
Score

1^/10
behavioral4
- Target
  
  cryptowall.bin
- Size
  
  240KB
- MD5
  
  47363b94cee907e2b8926c1be61150c7
- SHA1
  
  ca963033b9a285b8cd0044df38146a932c838071
- SHA256
  
  45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
- SHA512
  
  93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
- SSDEEP
  
  3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Score

3^/10
behavioral5
- Target
  
  Ransomware-Samples-main/Jigsaw/Ransomware.Jigsaw.zip
- Size
  
  239KB
- MD5
  
  3ad6374a3558149d09d74e6af72344e3
- SHA1
  
  e7be9f22578027fc0b6ddb94c09b245ee8ce1620
- SHA256
  
  86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff
- SHA512
  
  21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720
- SSDEEP
  
  3072:p7ykj3uuY4NsJD7kPdSRQLqas/pkPm9jvkEL60Uf7k2BgS6/aFybrNN5ZAdNstk7:p7ym3VNA7w8R5/rxv7O0yng0UtVw5NJ
Score

1^/10
behavioral6
- Target
  
  jigsaw
- Size
  
  283KB
- MD5
  
  2773e3dc59472296cb0024ba7715a64e
- SHA1
  
  27d99fbca067f478bb91cdbcb92f13a828b00859
- SHA256
  
  3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
- SHA512
  
  6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
- SSDEEP
  
  6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
Score

10^/10

jigsaw persistence ransomware spyware stealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Renames multiple (3772) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral7
- Target
  
  Ransomware-Samples-main/LICENSE
- Size
  
  34KB
- MD5
  
  1ebbd3e34237af26da5dc08a4e440464
- SHA1
  
  31a3d460bb3c7d98845187c716a30db81c44b615
- SHA256
  
  3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986
- SHA512
  
  d361e5e8201481c6346ee6a886592c51265112be550d5224f1a7a6e116255c2f1ab8788df579d9b8372ed7bfd19bac4b6e70e00b472642966ab5b319b99a2686
- SSDEEP
  
  768:Fo1acy3LTB2VsrHG/OfvMmnBCtLmJ9A7J:Fhcycsrfrnoum
Score

1^/10
behavioral8
- Target
  
  Ransomware-Samples-main/Locky/Ransomware.Locky.zip
- Size
  
  125KB
- MD5
  
  b265305541dce2a140da7802442fbac4
- SHA1
  
  63d0b780954a2bc96b3a77d9a2b3369d865bf1fd
- SHA256
  
  0537fa38b88755f39df1cd774b907ec759dacab2388dc0109f4db9f0e9d191a0
- SHA512
  
  af65384f814633fe1cde8bf4a3a1a8f083c7f5f0b7f105d47f3324cd2a8c9184ccf13cb3e43b47473d52f39f4151e7a9da1e9a16868da50abb74fcbc47724282
- SSDEEP
  
  1536:6mXbzYYlSESr+LdgbfzNTBstcc6yVeHuwuY5pzl5Lypx0DIY6KQOoTFKmN9YMKW8:dbSr+Jg7lB2cV1aQ+WQVTFX9YPGQi1Mf
Score

1^/10
behavioral9
- Target
  
  Locky
- Size
  
  180KB
- MD5
  
  b06d9dd17c69ed2ae75d9e40b2631b42
- SHA1
  
  b606aaa402bfe4a15ef80165e964d384f25564e4
- SHA256
  
  bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
- SHA512
  
  8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
- SSDEEP
  
  3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6
Score

10^/10

locky ransomware
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
  ransomware locky
behavioral10
- Target
  
  Ransomware-Samples-main/Mamba/Ransomware.Mamba.zip
- Size
  
  1.0MB
- MD5
  
  f94d1f4e2ce6c7cc81961361aab8a144
- SHA1
  
  88189db0691667653fe1522c6b5673bf75aa44aa
- SHA256
  
  610a52c340ebaff31093c5ef0d76032ac2acdc81a3431e68b244bf42905fd70a
- SHA512
  
  7b7cf9a782549e75f87b8c62d091369b47c1b22c9a10dcf4a5d9f2db9a879ed3969316292d3944f95aeb67f34ae6dc6bbe2ae5ca497be3a25741a2aa204e66ad
- SSDEEP
  
  24576:Uy0yC/fh9Dnt24GZrEXdjl3Fha3fXUkWpfnb:CyGf7TtCZrOll1svX0fb
Score

1^/10
behavioral11
- Target
  
  Ransomware-Samples-main/Matsnu/Ransomware.Matsnu.zip
- Size
  
  62KB
- MD5
  
  0a3487070911228115f3a13e9da2cb89
- SHA1
  
  c2d57c288bc9951dee4cc289d15e18158ef3f725
- SHA256
  
  f73027dd665772cc94dbe22b15938260be61cbaad753efdccb61c4fa464645e0
- SHA512
  
  996f839d347d8983e01e6e94d2feb48f2308ab7410c6743a72b7ecff15b34a30cd12a5764c0470c77138cf8724d5641d03dd81793e28d47fe597f315e116fa77
- SSDEEP
  
  1536:Wtmvcv25VrNQnc+6KmmjnFcqbq6eXq8GPHTDAY:WBUNQnc+6Vmmv6e8fP
Score

1^/10
behavioral12
- Target
  
  Ransomware-Samples-main/Petrwrap/Ransomware.Petrwrap.zip
- Size
  
  1.1MB
- MD5
  
  6884a35803f2e795fa4b121f636332b4
- SHA1
  
  527bfbf4436f9cce804152200c4808365e6ba8f9
- SHA256
  
  cf01329c0463865422caa595de325e5fe3f7fba44aabebaae11a6adfeb78b91c
- SHA512
  
  262732a9203e2f3593d45a9b26a1a03cc185a20cf28fad3505e257b960664983d2e4f2b19b9ff743015310bf593810bd049eb03d0fd8912a6d54de739742de60
- SSDEEP
  
  24576:XtZfUANeQHLqNZ2rl5zkFGPI/9+4C/BGq/Om00pN5m:XtZc+trnHkxVqQqm
Score

1^/10
behavioral13
- Target
  
  Ransomware-Samples-main/Petya/Ransomware.Petya.zip
- Size
  
  538KB
- MD5
  
  e8fb95ebb7e0db4c68a32947a74b5ff9
- SHA1
  
  6f93f85342aa3ea7dcbe69cfb55d48e5027b296c
- SHA256
  
  33ca487a65d38bad82dccfa0d076bad071466e4183562d0b1ad1a2e954667fe9
- SHA512
  
  a2dea77b0283f4ed987c4de8860a9822bfd030be9c3096cda54f6159a89d461099e58efbc767bb8c04ae21ddd4289da578f8d938d78f30d40f9bca6567087320
- SSDEEP
  
  12288:h62An+lYWejkM9KIIoyoAWPPpxS8yrST5UvF50VHCJvD3DpNu7NwRUDxuJnU:hJA+BncEoyojpxS8yrSV0nvHpNu7eQxH
Score

1^/10
behavioral14
- Target
  
  Ransomware-Samples-main/README.md
- Size
  
  549B
- MD5
  
  ec3725f86203d73125aa3070816bb4a3
- SHA1
  
  4ebfd463e20656581f328d21ca7226d46c46da88
- SHA256
  
  1e54544721a7c12cdc7e79e4212fc116f6f7b71cdc7a2b51ae142ab69e8784bc
- SHA512
  
  fee577aec39892858d13e26f862354755467d54137a289cf353f8a47512066a1a0be2dd575e2608422745c2a52812d5d80ce145dc41c900eabb46b154f5a96d5
Score

3^/10
behavioral15
- Target
  
  Ransomware-Samples-main/Radamant/Ransomware.Radamant.zip
- Size
  
  59KB
- MD5
  
  fce365d60e13df34a6843894ac9be499
- SHA1
  
  5211ac4e7d8459f0db9aa19a03c55cb2063fee5f
- SHA256
  
  3e1813da2d561157df7667cde0117fdddd883c5b1272f76d1ae85ad889c38220
- SHA512
  
  9747c95c1a1314fd0fb462951feafa51a75c0794e56a6bbbd16d192e366907aa764bc9adbc7d8319e5d43a37b10889808ae5d619ae1202200d7dba34afa2bc1b
- SSDEEP
  
  1536:cKmaCJ5RF2bf2mwPUv0M47ChtgxyZShQ9FttDUFQ1VkJA/:XmHJAY23iSOxygkFttQFSkJA/
Score

1^/10
behavioral16
- Target
  
  Ransomware-Samples-main/RedBoot/Ransomware.RedBoot.zip
- Size
  
  1.2MB
- MD5
  
  51250dabf7df7832640e4a680676cb46
- SHA1
  
  74ba41bb17af6e5638171f7a6d9d49e978d8d3b3
- SHA256
  
  7fa2bf61405ac573a21334e34bf713dcb5d1fc0c72674e6cebc48d33a4a14d44
- SHA512
  
  43f898d7e5752312a79138dcce94c117a20fb6efd9e522fc1ed3cc2d407d13cacf5b6f810c7c1966c4c03217aeb51fce641feb31b26620ff239756132b17f57a
- SSDEEP
  
  24576:X55snqlV0L1X93CIhhFrJK/Hw75gIiaC+4llRCIPY7tdyPHno51SCUR:J53lV0LX5hFrswyVFlMEYSnCw
Score

1^/10
behavioral17
- Target
  
  Ransomware-Samples-main/Rex/Ransomware.Rex.zip
- Size
  
  2.7MB
- MD5
  
  50188823168525455c273c07d8457b87
- SHA1
  
  0d549631690ea297c25b2a4e133cacb8a87b97c6
- SHA256
  
  32856e998ff1a8b89e30c9658721595d403ff0eece70dc803a36d1939e429f8d
- SHA512
  
  b1a58ebcc48142fa4f79c600ea70921f883f2f23185a3a60059cb2238ed1a06049e701ccdab6e4ea0662d2d98a73f477f791aa1eec1e046b74dc1ce0a9680f70
- SSDEEP
  
  49152:vWKde2aWpNtWWKPqd0c1OWfD6vAcxntjWPNeJ5Rf/coFN0LZkyIEsNdd:eKI2FpNtfaqGc1EAczjk41EuN0LZky9y
Score

1^/10
behavioral18
- Target
  
  Ransomware-Samples-main/Satana/Ransomware.Satana.zip
- Size
  
  57KB
- MD5
  
  82f621944ee2639817400befabedffcf
- SHA1
  
  c183ae5ab43b9b3d3fabdb29859876c507a8d273
- SHA256
  
  4785c134b128df624760c02ad23c7e345a234a99828c3fecf58fbd6d5449897f
- SHA512
  
  7a2257af32b265596e9f864767f2b86fb439b846f7bffa4b9f477f2e54bc3ff2bb56a39db88b72a0112972959570afc697c3202839a836a6d10409a10985031b
- SSDEEP
  
  1536:GBfLHxIOBET2Uvk6w5yD5O92x2HtYli0kR5sJ7LNeeSLK/TJ:GBf9IOXok6DODtY40kDsjiL6F
Score

1^/10
behavioral19
- Target
  
  Ransomware-Samples-main/TeslaCrypt/Ransomware.TeslaCrypt.zip
- Size
  
  479KB
- MD5
  
  f755a44bbb97e9ba70bf38f1bdc67722
- SHA1
  
  f70331eb64fd893047f263623ffb1e74e6fe4187
- SHA256
  
  3b246faa7e4b2a8550aa619f4da893db83721aacf62b46e5863644a5249aa87e
- SHA512
  
  f8ce666ae273e6c5cd57447189a8cf0e53c7704cf269fa120068f21e6faf6c89e2e75f37aee43cac83f4534790c5c6f1827621684034ef3eb7e94d7ee1ac365e
- SSDEEP
  
  6144:xQAq0svy/pQhk1NBePvxGNWeOyqYAGfr/H/h60BHtzbprAvNGTG/fi5QCIq3h11Z:LyKoUlWeOP8HXrINZ/2uJUgVu
Score

1^/10
behavioral20
- Target
  
  Ransomware-Samples-main/Thanos/Ransomware.Thanos.zip
- Size
  
  145KB
- MD5
  
  00184463f3b071369d60353c692be6f0
- SHA1
  
  d3c1e90f39da2997ef4888b54d706b1a1fde642a
- SHA256
  
  cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787
- SHA512
  
  baa931a23ecbcb15dda6a1dc46d65fd74b46ccea8891c48f0822a8a10092b7d4f7ea1dc971946a161ac861f0aa8b99362d5bea960b47b10f8c91e33d1b018006
- SSDEEP
  
  3072:fn8L7y+NJQpRhkU0kbH2PNo/1GjTqOncYIOSsk:f8L7xNJQFzCo/ojTqOnYD
Score

1^/10
behavioral21
- Target
  
  Ransomware-Samples-main/Unnamed_0/Ransomware.Unnamed_0.zip
- Size
  
  835KB
- MD5
  
  abc651b27b067fb13cb11e00d33e5226
- SHA1
  
  1869459025fcf845b90912236af43a5d8d0f14dd
- SHA256
  
  690339e6d19da0b5c63406d68484a4984736f6c7159235afd9eeb2ae00cafc36
- SHA512
  
  4b85ae9001b9d1f11d57b6b2565ab0d468c3b8be469cad231e1203c4f6858af98d8e739b03fb849c2f3ec7b493781e88d32e7b7567c4b61cc1189daeea285bbf
- SSDEEP
  
  12288:9nmNxspjOW6b5EVZTf2qDByG/WNGeWnwnpiVdnBQzXwBdn+TMLCAZn23dr+/TaNT:MNO1OnbElqCnwni7cXo+ECYnq2Jd4l
Score

1^/10
behavioral22
- Target
  
  Ransomware-Samples-main/Vipasana/Ransomware.Vipasana.zip
- Size
  
  638KB
- MD5
  
  8d2c4c192772985776bacfd77f7bc4d9
- SHA1
  
  3b923b911d443e321e551f26c9588b16a994d52e
- SHA256
  
  1733b199a7063443c167e3caeae7dda2315f590341ea2152a9b132e1ad8e94a8
- SHA512
  
  6c24f2fe498cf38e3f3d66b62915e6fbc8c2746a1d4c3c3de270f994b02e1369b9540099c12d150712574ececbe63c8c9f28877d8aa4557fbbb7890d5a0de6c1
- SSDEEP
  
  12288:atcWK55CAyTliOve2dCbNF2NJ9lTYG6WxGc7jdw04YPghNxEvREoXIaK:k7KCP5tWiCpYj6/Cm04YPgvivRENL
Score

1^/10
behavioral23
- Target
  
  Ransomware-Samples-main/WannaCry/Ransomware.WannaCry.zip
- Size
  
  3.3MB
- MD5
  
  efe76bf09daba2c594d2bc173d9b5cf0
- SHA1
  
  ba5de52939cb809eae10fdbb7fac47095a9599a7
- SHA256
  
  707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a
- SHA512
  
  4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029
- SSDEEP
  
  98304:vhvb2BVmAw0p9jIVcEj5nnZNRyA30yBSRT:vhvq7Bu6EZnZN5EyBSN
Score

1^/10
behavioral24
- Target
  
  Ransomware-Samples-main/WannaCry_Plus/Ransomware.WannaCry_Plus.zip
- Size
  
  2.3MB
- MD5
  
  5641d280a62b66943bf2d05a72a972c7
- SHA1
  
  c857f1162c316a25eeff6116e249a97b59538585
- SHA256
  
  ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488
- SHA512
  
  0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752
- SSDEEP
  
  49152:9mqR0GTCRh8C9PYUYwm79evoBD2HSypKLZ5u/KU940CwmWtSQX5ddmL6T:RA8GY3b9ev62yypKLlUVCpSSQX5ddmeT
Score

1^/10
behavioral25
- Target
  
  Ransomware-Samples-main/ransomware.png
- Size
  
  36KB
- MD5
  
  01369d5062d49b270c8dd6ab535bc403
- SHA1
  
  39c654df64cd7386081da8108f23573f331debab
- SHA256
  
  ed672ed37bfdadddb835de8c346655a17b653094197a2d6080e6777fa59785ea
- SHA512
  
  de704934135717cb62e4d15ef1666e78b3d43c17ff5d50b279c21a5318ac2ce0cea88ebeb17b66f4668e1ca1a8801bdd6bab0194b157b1da6bd90c71b29da08e
- SSDEEP
  
  768:cfWDt10l7IWSENqPZxdv8aNdYjie60vLP2N4fUtbpSErCB3X:WI10loxxh8aNdWie6wb26f8m3X
Score

3^/10
behavioral26