cerber

General

Target

Goblin Free Permanent Woofer V2.0.rar
Size

376KB
Sample

240412-2phczsae3y
MD5

4882f98ad0850be7c70ec19dac46d044
SHA1

09c2f13897a1764032b48c98cd00bd3bf5fafb34
SHA256

f89faa5364df8789f137338ca55375693a2c18516fa0f28d85f61958ff4e4d50
SHA512

e6f17ce27d5f74b18564bdbad350b791893a6ff92956f0320e317023e6ed1e6eb917708ae78bf8a3fd38d5d026d0120c8d2b346573b1a48e653cd215088fdee8
SSDEEP

6144:PqkJJjtcbkW6tITVf/OHDQPUo1r3rkwvAOUKucwneI1FCg/mHjOWq3WIteVQAzR4:SijtcgWvTV+HDoF3rzvJU+OeI1FCgeD6

Score

10^/10

Malware Config

Targets

- Target
  
  Goblin Free Permanent Woofer V2.0.rar
- Size
  
  376KB
- MD5
  
  4882f98ad0850be7c70ec19dac46d044
- SHA1
  
  09c2f13897a1764032b48c98cd00bd3bf5fafb34
- SHA256
  
  f89faa5364df8789f137338ca55375693a2c18516fa0f28d85f61958ff4e4d50
- SHA512
  
  e6f17ce27d5f74b18564bdbad350b791893a6ff92956f0320e317023e6ed1e6eb917708ae78bf8a3fd38d5d026d0120c8d2b346573b1a48e653cd215088fdee8
- SSDEEP
  
  6144:PqkJJjtcbkW6tITVf/OHDQPUo1r3rkwvAOUKucwneI1FCg/mHjOWq3WIteVQAzR4:SijtcgWvTV+HDoF3rzvJU+OeI1FCgeD6
Score

3^/10
behavioral1
- Target
  
  Goblin.exe
- Size
  
  724KB
- MD5
  
  d244d14f356f5f7d4736ebd0a536c597
- SHA1
  
  4482e7a876b8a07992ebe6681b0b0a65c9de9b62
- SHA256
  
  83efb0e288be5b31dfc4ba04a05e26c5df398ef23879fadd89a0e815284e3c10
- SHA512
  
  c7f9eb8e0504f2bb15ca79826c9aa04085cdfc3af707b9b4328292351142880196a4f338c369e2d82599c9df4ba4b09ca9ff673cd84ff39d770c046d4ee91278
- SSDEEP
  
  12288:q9exCpICTTwF+jZMP7iRaltjsTaVkXsDWnuSgtBs738+BC8:q9QCpIYTwkVMORaltjsWIsauSIBs73p7
Score

10^/10

cerber pyinstaller ransomware spyware stealer
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Nirsoft
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral2