cerber | 7185e8c694984f512a44f240e4b89647c759ba756bd9e9947414941e4342d466

Sharing

General

Target

RANSOMWARE1122.rar
Size

18.7MB
Sample

240717-x2m2savdqk
MD5

72febf0ec268cde630057072be0101c5
SHA1

c362ee6905a8d66358fcc7b9541828e1f7ac459e
SHA256

7185e8c694984f512a44f240e4b89647c759ba756bd9e9947414941e4342d466
SHA512

81aafa86342cc892d33e2d8c6530832cd4d66c04ecc867f3ef516ab775017a35deb47a24f93a82bdf6e7dc0d7fb673ac746fba51a93d86ba4ae94411e840c6b0
SSDEEP

393216:hUZLKVIW/ExVOPG3FM3j7YWRC/k+cJRQB+C2Ol5UuL1pcjrt5r/UwT450xkPJFUp:hImaCF3vlRQc4N3L1ijrt5r/UQ450xya

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Ransom Note

[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. [FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 1Mb [HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins [ATTENTION] Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files Your ID: j3Tjd3fs1LodjY9VuaKGfXXlKimB5hng1Su5RjgqSss94riM/pzdzewpzY+6tUbDsmby4j+CQhdNcrI1F6eV8gpfbYGHN/qbffoY/8BFqhqo658cH43rpTXTixRrMc6eFz4+UzAQLyLktcDLEe6F+SMBkKYkyJmS+NJxIG8JV6Q=

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___3G73_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/8B23-1C09-72A9-0098-9A69 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.19kxwa.top/8B23-1C09-72A9-0098-9A69 2. http://xpcx6erilkjced3j.1eht65.top/8B23-1C09-72A9-0098-9A69 3. http://xpcx6erilkjced3j.1t2jhk.top/8B23-1C09-72A9-0098-9A69 4. http://xpcx6erilkjced3j.1e6ly3.top/8B23-1C09-72A9-0098-9A69 5. http://xpcx6erilkjced3j.16umxg.top/8B23-1C09-72A9-0098-9A69 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/8B23-1C09-72A9-0098-9A69

http://xpcx6erilkjced3j.19kxwa.top/8B23-1C09-72A9-0098-9A69

http://xpcx6erilkjced3j.1eht65.top/8B23-1C09-72A9-0098-9A69

http://xpcx6erilkjced3j.1t2jhk.top/8B23-1C09-72A9-0098-9A69

http://xpcx6erilkjced3j.1e6ly3.top/8B23-1C09-72A9-0098-9A69

http://xpcx6erilkjced3j.16umxg.top/8B23-1C09-72A9-0098-9A69

Extracted

Path

C:\MSOCache\All Users\_HELP_INSTRUCTION.TXT

Ransom Note

!!INFORMATIONS!! All of your files are encrypted with RSA2048 and AES128 ciphers. More information about the RSA and AES can be found here: https://en.wikipedia.org/wiki/RSA_(cryptosystem) https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server. Follow these steps: 1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: http://supportxxgbefd7c.onion/ 4. Follow the instructions on the site. !! Your DECRYPT-ID: d5d66682-f089-4355-8aa3-7efe1e3d9639 !!

URLs

http://supportxxgbefd7c.onion/

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Doz0JokIxnIySJiJ.hta

Ransom Note

<html> <head> <hta:application BORDER = "none" CAPTION = "No" CONTEXTMENU = "NO" INNERBORDER = "No" MAXIMIZEBUTTON = "No" MINIMIZEBUTTON = "No" NAVIGABLE = "No" SCROLL = "No" SCROLLFLAT = "No" SELECTION = "Yes" SHOWINTASKBAR = "No" SINGLEINSTANCE = "Yes" SYSMENU = "No"/> <style> body{ background-color:#000000; margin:0; } .vau{ margin:10px; height:520px; width:750px } .sc{ margin:1px 50px; font-size:40px; width:750px; height:30px; padding: 10px 20px 10px 20px; background-color:#000000; color:#e92124; font-family: Impact; text-transform: uppercase; text-align: center; } .sc1{ margin:1px 50px; font-size:20px; width: 750px; padding:20px; background-color:#000000; color: #e0dede; font-family: Georgia; text-align: left; } .gr{ margin: 10px 0px; color:#189f29; } .red{ margin: 10px 0px; color:#e92124; } .wh{ margin-top:0px; margin-bottom:10px; } .wt{ margin-top:10px; margin-bottom:0px; } </style> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Notification</title> <script language="vbscript"> sub Window_Onload window.resizeTo 850,725 screenWidth = Document.ParentWindow.Screen.AvailWidth screenHeight = Document.ParentWindow.Screen.AvailHeight posLeft = (screenWidth - 850) / 2 posTop = (screenHeight - 725) / 2 window.moveTo posLeft, posTop end sub </script> </head> <body scroll="no"> <div class="vau"> <div class="sc"> All your files have been encrypted! </div> <div class="sc1"> <p class="wh">All of important data on this computer was encrypted with strong RSA-2048 algorithm due to the violation of the federal laws of the United States of America! (Article 1, Section 8, Clause 8; Article 202; Arcticle 210 of the Criminal Code of U.S.A. provides for a deprivation of liberty for four to twelve years.)</p> <b>Following violations were detected:</b><br /> Your IP adress was used to visit websites containing pornography, child pornography, zoophilia and child abuse!<br /> <p class="gr"><b>To unlock your files you have to pay the penalty!</b></p> <p class="red">You have only <b>96 hours</b> to recover your personal data! After this time your unique key will be deleted and file decryption will become impossible!</p> <p class="red">Each <b>12 hours</b> the payment size will be automatically increased by <b>100$</b>!</p> <p class="gr"><b>You must pay the penalty through the Bitcoin Wallet.</b></p> <p class="wt">To get your unique key and unlock files, you should send the following code:</p> <b class="gr">TAVOb1nrt0pLc0ui-1E1B6352286734D3</b><br /> to our agent e-mails:<br /> <b class="gr">[email protected]</b> or<br /> <b class="gr">[email protected]</b><br /> You will recieve all necessary instructions! </div> <div class="sc"> Hurry up or you will be arrested!!! </div> </div> </body> </html>

Emails

class="gr">[email protected]</b>

class="gr">[email protected]</b><br

URLs

http-equiv="Content-Type"

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Ransom Note

[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. [FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 1Mb [HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins [ATTENTION] Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files Your ID: zxtjW4UJF5TSKRaKWXub+Sk86bIyuYfScGLuzdSpTKGyTQIjXRV7xZ+ICKWMUprVUyptmG7Ve6aq8KP1ESlo7nnuVynLo/4XePhI9B5flZobcTTNd2+GeX6Z8jomPKRuhiyCn891JRi/P9prkkl3jR93lGO2DCjcdwgWzF7asZI=

Emails

[email protected]

Targets

- Target
  
  00FAEE82AB5B800CF6DBE97AFD39790B856AD1EC25DC7ED8F798ACA702BEE7AD.exe
- Size
  
  1.3MB
- MD5
  
  b53d9a3861ba2e66a83ed1827aef11c8
- SHA1
  
  e3d021ae61b901fc0e375269aeea8a956b5d170a
- SHA256
  
  00faee82ab5b800cf6dbe97afd39790b856ad1ec25dc7ed8f798aca702bee7ad
- SHA512
  
  c7478893531fbaf674dc90b404dada8ffefba4dfa2209063061a3c30df7992e3d95a9b5aa598ef2e5b6730fa961e44d15b70f5ea2075859ed8dfc528b1b5f434
- SSDEEP
  
  24576:jnbkBTLZO5z2gux4qXrNuN6zZkMPPX47Ypk2z364swWUpZKfO+fIQ:jIBTL8HPq7NS6tY7Uzps6pZcfn
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1
- Target
  
  01D2E2B398D6017D5114464E39C40E9243AE492106CCA8B2D3EB1A95F9E228A9.exe
- Size
  
  2.0MB
- MD5
  
  c5d373a1954822afcddcc785e6ad6045
- SHA1
  
  4db2eea6bd6cf5ea40ea14c3ecbf3845d05dae73
- SHA256
  
  01d2e2b398d6017d5114464e39c40e9243ae492106cca8b2d3eb1a95f9e228a9
- SHA512
  
  67a44eef568aa7d3444313256146af4e26a8614326f0b6ecf029f765733c38fb8ab54986f25969a9030de3a3bf9408373e0c1d23b049e0cfb908fa8faf1d981a
- SSDEEP
  
  24576:S2IOcUV7/Fbi06CFZZxdhf8T7njJfl0POn2AknzL+STqPeoAt6ae7yStHq+p19Sk:S1UVbRioFZZxT6SOn2AHbSTJA9TyC131
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (64) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral2
- Target
  
  0B760ABF108DB9BF5EA14F96A53F6D8E1B36FCC28BC75114E923482157B89A23.exe
- Size
  
  2.0MB
- MD5
  
  07f5b6c3ca2d31c3ab45b8f8c0664f1f
- SHA1
  
  2170fac82dd6f0d2ed7d594faaac6d1ed28b5099
- SHA256
  
  0b760abf108db9bf5ea14f96a53f6d8e1b36fcc28bc75114e923482157b89a23
- SHA512
  
  6b1bd3bb18d258c3f3e49f1b4f6610e573fce887dc51119c394cd151a1d21166a5d07b7f9863375468cde5235c7325d5349bae942b700daea7f6f692521b7ac7
- SSDEEP
  
  24576:UliaAjUsNyXNyMscNueYVvfnaabHc9X0TjXbke1TxB1JvP0ks6aFttWH:CbAIsNyXXbLYFnb2ETEmJF
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (61) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral3
- Target
  
  0B8E9BC31964C9433BD5CC20E556CFD0590C3B17B0DB23CDC3AD0547683F3820.exe
- Size
  
  2.0MB
- MD5
  
  e32ef8a36b6a6c010b27a7871ebda037
- SHA1
  
  0ea7d9bf90c5fc6bfadaf3c14e140fc9c9aa5361
- SHA256
  
  0b8e9bc31964c9433bd5cc20e556cfd0590c3b17b0db23cdc3ad0547683f3820
- SHA512
  
  e98f941c7be2c650de033048b8a9d4556da2204f9b0c90d399c981dcb9e215d5322a765884aad1a4e5b31b23227827cb21fd1ed5d3a79cc7f83226c07f579eb3
- SSDEEP
  
  49152:pdGNHxQXLx6cHqNQDQg6nNw1WCj/vd2Xptvh4:pd0QXL/t
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (57) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral4
- Target
  
  0D0E7D86268F7ACD51E9D4AC94F016034FB949B605B21405CBA0B5581E4532E5.exe
- Size
  
  2.0MB
- MD5
  
  7e3ffb20da3685265b2ceb428a661536
- SHA1
  
  459f15272146c9b24279cdd04d98ba44ca5f0804
- SHA256
  
  0d0e7d86268f7acd51e9d4ac94f016034fb949b605b21405cba0b5581e4532e5
- SHA512
  
  468e3b381939d5cd66c5e7500ecdaf24ab4cd4e10887547e3c88f0ec8a4049b44184c1e84a69effdff5f9167d4cfedc419176b209e3d60ea7c5133930abed501
- SSDEEP
  
  49152:bPDE+iGJYpuZYmqHx0PQLjXp/cfO2aMkekh94n:k+iGJY2fqHePQL0
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (60) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral5
- Target
  
  0E9765528C4E8FDCFF83FA07A78F5E73B41B3D9295159C823FE3B1F97C113469.exe
- Size
  
  2.5MB
- MD5
  
  dde4e07ddb8b8aa4669abc688504112d
- SHA1
  
  a9260ada32e49444ecbe6df5d474314ff6c74b9a
- SHA256
  
  0e9765528c4e8fdcff83fa07a78f5e73b41b3d9295159c823fe3b1f97c113469
- SHA512
  
  5f009610c4eea37a72d54673525a026821df4719878884856a8aec508bcc4ed83432713576deb34b71deb2671280e08c0e0acd2d796880fe74e73e70afe41eb5
- SSDEEP
  
  49152:9dhfq+I03uLpmwpKML2fyU3ZlMnMc3hQlKp8NqdnB:Az03nLyAZlA
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (61) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral6
- Target
  
  0c9fa52ace8019b43c91f4859ecddfde6705141b9283fef05c6c4c37a5c1777a.exe
- Size
  
  596KB
- MD5
  
  922b22f3be97b5974e317c5b55b07d15
- SHA1
  
  96eef7001f9b555ac686a640e43a38cfbd963c4a
- SHA256
  
  0c9fa52ace8019b43c91f4859ecddfde6705141b9283fef05c6c4c37a5c1777a
- SHA512
  
  33a93de5d7e3927d3dd750dac4e12f9be5384ac2d5edbf8d5947708bdf18a7542e9fde3fb3dd526cd00e1973b18eb20b2793fe517469c831a39f7a5917d08179
- SSDEEP
  
  12288:zbiqlq3Z3wSGTjDPOnpLWGJFFQgKzL+EFHUNrkqJgtK2b:zbNgd1wOpLWGF5C+EF0+qJgtZ
Score

7^/10
- Drops startup file
behavioral7
- Target
  
  15f7ea290d832bc32ebf660690b42616264fc0be8969934c1f8d7e5a5d3cd18c.exe
- Size
  
  473KB
- MD5
  
  aadb6e0f1cc845e196570e800380fe85
- SHA1
  
  72b088cf546c36b6dda67cfb430874f83645397f
- SHA256
  
  15f7ea290d832bc32ebf660690b42616264fc0be8969934c1f8d7e5a5d3cd18c
- SHA512
  
  55ba8c4734b9fb1c08b3c0be3c6c524a265aa1d3dc4a9f3a2f97f172c2913fc66ea7a002ad877d786e03db54b0a35f3244e9230c49fb30c6c6284404cffaf1b7
- SSDEEP
  
  6144:ULIaDW2Dm6jNkcZjvw6RQVe0yV4JMaT710E5BmutiO3XwGk/Rz+wLefC9rB6uN:XaiajeUjvw6RQHVJMau43XwG25NW4rd
Score

10^/10

modiloader discovery evasion persistence trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Contacts a large (3341) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VirtualBox drivers on disk
  evasion
- ModiLoader Second Stage
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral8
- Target
  
  1CB82039822CB89811F42B2C3BDBB4256D85D66E942CD69F38D3CB123596C926.exe
- Size
  
  2.0MB
- MD5
  
  53ca26fbcd0c54a9529dde33d5bc2042
- SHA1
  
  20fd30d5957986143fca7488762e23f97f85d28a
- SHA256
  
  1cb82039822cb89811f42b2c3bdbb4256d85d66e942cd69f38d3cb123596c926
- SHA512
  
  da4275c57f04fbcf3811336a46396ab754a3df91ea25a5ba3d89bf7499cfe700b65ec66ba4a8e4d374283a641e3e0e70aaf2337520e6c56b300693696b2442f6
- SSDEEP
  
  24576:kxm0iO/DQ3eyqvtsJe30RxVIxplYJ1B3J7hoBTl+mRezac3hWYo7wszC9BPnfCvJ:kA0T/kwKQ0nVe+JGR0nBinx
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (61) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral9
- Target
  
  1CF69170F7419E097EB71B514C01D2A028C95D0605F8B91C90A2E28B3216775E.exe
- Size
  
  2.0MB
- MD5
  
  1d121198cedd059c29ce90d946478ff4
- SHA1
  
  1adf4c766aae9bfd6a1007f82b5fff8bf1020f11
- SHA256
  
  1cf69170f7419e097eb71b514c01d2a028c95d0605f8b91c90a2e28b3216775e
- SHA512
  
  c7d6cb50380f79491b23ba566a4169f7822bf640f5ae5b48de0c595e5f375de06af09b29710169edaf6f4d9fb867fb7ad7a1bedceb26458121203964d8e81ff6
- SSDEEP
  
  24576:llh2hvfNBh/ZZqHv/lF3ME9AO7CfLAFtz95BfeutNjow27HI4WlUWnHxtkbf/pcT:lKhvfNBh/ZZQnl+OGWPvjoP7kn91N
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (62) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral10
- Target
  
  1CFEDCBA10B4C90789F2C4A6A1CE2C3D4197058E574942400F571BC5D06DF70E.exe
- Size
  
  526KB
- MD5
  
  7b8dc7d090f8b8fae9fc8f7549ae6411
- SHA1
  
  20b5f05713e7634a79f448df747b694039df3d2b
- SHA256
  
  1cfedcba10b4c90789f2c4a6a1ce2c3d4197058e574942400f571bc5d06df70e
- SHA512
  
  d4fa012b06fa6c4bdc6905f7edbbe3a589a3be41d4b1f782625496423394cf7ea621d6b9b8510168bbef2720e96858b39a7615d3b849a95da3c0f94d17608b9f
- SSDEEP
  
  6144:gek+uyH2txMRwdckwb1E+4t9YwScDPWQ6ur4bRL6C:3kn06edqSI/6KU
Score

7^/10
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral11
- Target
  
  1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
- Size
  
  716KB
- MD5
  
  cc3f68e8a50b05aa77d88b6119583b9e
- SHA1
  
  71c7b93a8947265fe30e6928730504a5456ca788
- SHA256
  
  1dd70e803623d5311b71129976710b11a8942d206a5d8d86cdf8417255f15725
- SHA512
  
  e4fe7c8ec1d88c0bc81834de0a1212902849d7c9f6228e26fb8aaf3f046011f934d6de01becb339ab88169533ff8dc0d6fad7d6d7ff7e956e408242a21809e55
- SSDEEP
  
  12288:ZMMpXKb0hNGh1kG0HWnAsaHy41Dxm1zRRaMMMMM2MMMMMu:ZMMpXS0hN0V0HYah1I1zRRaMMMMM2MMd
Score

10^/10

aspackv2 persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Renames multiple (93) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral12
- Target
  
  1E229029B2D3FF00EDDE061B1AAF470EE437FA8196D97FAD2C2C6C9EDE5B44DA.exe
- Size
  
  1.9MB
- MD5
  
  92318a59ed03b2d195a8d08befd0efbb
- SHA1
  
  33c974d620ceede52581194ef99f3f57a9cd5d11
- SHA256
  
  1e229029b2d3ff00edde061b1aaf470ee437fa8196d97fad2c2c6c9ede5b44da
- SHA512
  
  ea57ebd9484ade992b5b7b1b1a43b84b5af37491b063de0718e3ae6897fa84f500194dc251f117d11a1361f3164eea11becddb394e697400b7eb1ea40c568230
- SSDEEP
  
  24576:TAlFsCeXap8KGLTg/6PeXTAg6L+Gzt0DkyYz1/oM5i7eXTXbQ5MTjrp2WHa/1jlE:kICe+cmxj4LlWoB/oeDfF
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (67) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral13
- Target
  
  1F5FEB3211A640804B3951DE9EA2037EFCB0D6EE1019D8853F98DAFD6132A76D.exe
- Size
  
  2.0MB
- MD5
  
  2100b481c49d960e4a8b7b4790206190
- SHA1
  
  497b005e34313efa145ef9e24d067d798fb98c29
- SHA256
  
  1f5feb3211a640804b3951de9ea2037efcb0d6ee1019d8853f98dafd6132a76d
- SHA512
  
  e5483bbe66367703c0ad8323b603901336e828451423a926c539dc17dc5c0c54e9a78dc30b436fd9a9481032a4c9ea595e61246ff28f71e9bbd27c1757ffb13d
- SSDEEP
  
  24576:OqwHLoO7sjSMhlcSXrR5P7zsQ3SkK/S/VloaEDM+C9Jn1Em7kR2:jKLoeRMhvNjlwkn1EA
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (65) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral14
- Target
  
  1FD11B5CBB32F4CD5E7947F25E900BB4E59C1C5A21922F0A842EC62C20FAF2ED.exe
- Size
  
  2.0MB
- MD5
  
  249aada560c223d2da8155bb1be20992
- SHA1
  
  cba2450471ca63043885e26d19ab72f2dda38fd2
- SHA256
  
  1fd11b5cbb32f4cd5e7947f25e900bb4e59c1c5a21922f0a842ec62c20faf2ed
- SHA512
  
  5bc77d39d87a382a40d11ca8402cc43f16eea74fd742a72edc7d2cd003cd059ddecc68e98c33490be90913f522c4a5bc3c8a8470f9db1efb9be6d97b9637afae
- SSDEEP
  
  49152:6Q9RshfjHef9POYbasCy3ctSSA7FkaH37:nCrHefdnl
Score

10^/10

evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies visibility of file extensions in Explorer
  evasion
- UAC bypass
  evasion trojan
- Renames multiple (57) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral15
- Target
  
  21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061.exe
- Size
  
  235KB
- MD5
  
  fac89802b3db89ba74cf8891824af3d6
- SHA1
  
  27b57dfdc8b1b265e3755cc0068be846c4c4981e
- SHA256
  
  21977fc851dfbcd7c5edcc24ef56750065fcd01e5c9fa4f270424f186a83b061
- SHA512
  
  2c604a00446fe4901341a4c8093443cba06fc00ee90a946749c3b66b2205339850740406edd0553ef55a33573599c7e494eb1b0552395d1cd9e54a8d4268b3e5
- SSDEEP
  
  3072:thrQ6J0Exp7gW31x+S/EkuIDNGqLW4t5P0tz/aMgb2JpL7Ag0FujYWkcv23nNT3I:tiHgpR31kS8kuIpW60tRPAOs3sc8
Score

10^/10

defense_evasion execution impact persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (301) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral16
- Target
  
  21e1bc4340221fbccee28d59333c20b20755e34e2f3391b90837172bd07fbf01.exe
- Size
  
  708KB
- MD5
  
  987a06a5c02be92cdeae2a99a408a716
- SHA1
  
  31e4c64f1fcff7824b023e86482e75870389edef
- SHA256
  
  21e1bc4340221fbccee28d59333c20b20755e34e2f3391b90837172bd07fbf01
- SHA512
  
  90db12153f5abd1f8d20a89a473c46f0577ffc2c3a681f4f2bd68f53b8cd2d45c372bce6e0d11d2832ae223eebcb2b9a8a1dc806b5cd8a510134cad830c2596e
- SSDEEP
  
  12288:VROJm7hOOdN2++KEjDz/lnp2WBILtj+fITU4Td9T31r6U2dEV7uikFg:VROJ8hjkLKgP/n2WaLtj+fINR979N/l/
Score

7^/10
- Drops startup file
behavioral17
- Target
  
  2C3542B5D9AB4EED2DD88CD74A02236A944AFD76E8717F65DCD544912229CA85.exe
- Size
  
  10KB
- MD5
  
  ffb938c96bb741d2d1dcc05930072926
- SHA1
  
  643508e98cd746eb91adb0b3a0096ff3d7497dad
- SHA256
  
  2c3542b5d9ab4eed2dd88cd74a02236a944afd76e8717f65dcd544912229ca85
- SHA512
  
  09c63015e0a6f1c97f657106d01c7a5399686039f75ccbd9a097544d458edee3ca094b24c1d075658bd34ef332deee5736711f0ac6f7ea273baa42dda5c18215
- SSDEEP
  
  192:xjpBKnwR27YRs/5+K/OUzbx/wz93ADv8Ei:NunwR2JQKZx/wz93ADUv
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral18
- Target
  
  3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338.exe
- Size
  
  390KB
- MD5
  
  08109df08fa4a035c59d56d1e6c5baf4
- SHA1
  
  bec86bce6f6963d0cc69c441c6d5fb6d04d3a833
- SHA256
  
  3ac7f91e37572c0d15de4de96ab4719531c30536409fda4acb3e0071ab726338
- SHA512
  
  61e6cc3e94ddb7a980bfb0a2e5e5ffeeb5414c9e2ef3e42551820017dbedab5cccdd8ece1fed2ca057e240bdb7836663a7f9be28f1bb9136da972750caf59704
- SSDEEP
  
  12288:s8TC7FeAA9IsQwycG888888888888W88888888888E7xCYsdG:s8TygVinw1Z7xCZdG
Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Blocklisted process makes network request
- Contacts a large (1095) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Deletes itself
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral19
- Target
  
  3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
- Size
  
  947KB
- MD5
  
  39217b125403ff7c755622ef9bbef974
- SHA1
  
  9fc607b7c17919c83999bdd119e9cd6bf413101a
- SHA256
  
  3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816
- SHA512
  
  1252ea94931eaf4426ca1eb94a070645238775c447a09286109fe894c569de29ca502882a0fa34e97e09109c43c486a3aa32081e3a3afef0b6557db59c71fc50
- SSDEEP
  
  12288:3+Zn/gJtKaNIBpB+iMMOD30ZnZ47m0T3JF9j3GOF0l7B2FzqL2aZa7rf58bs:3+RYeaNILZi/JDLG60y1aZvs
Score

10^/10

troldesh defense_evasion execution impact persistence ransomware spyware stealer trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral20
- Target
  
  41c53e90f0861b068eaa512edff28a586128f808b437122399347bcb3774914a.exe
- Size
  
  27KB
- MD5
  
  b0492e56e1246873173e8f7d32f8a278
- SHA1
  
  b31e8e98a4b570f739dd1e1098f4e593f930f450
- SHA256
  
  41c53e90f0861b068eaa512edff28a586128f808b437122399347bcb3774914a
- SHA512
  
  fa078565f4eab7b1a618dff2182ac0f630f32a151fdbb5c3d73d1544cc4371d283cc76f597dde990eaa9e389355aca9c73cd1e8b3087b769340f3b9642642979
- SSDEEP
  
  384:U0Ne12bO+rTx8S0VL+5ka0OXE8vDIXam7JV4DXi4EECyBsnK/8kHaHKczlyDqq:612hTa7JULXEfXamDIy4HBs7HKwQx
Score

10^/10

defense_evasion evasion execution impact persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral21
- Target
  
  467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
- Size
  
  363KB
- MD5
  
  36a0cefeb8b0a606358142d4140ea7cf
- SHA1
  
  03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f
- SHA256
  
  467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be
- SHA512
  
  63304f3ddca578beac157197581e6a2a762d9cf1fb08fa6ae85dcdc26340ae64badb0f4a9cb47521315c366b70bd0cf89bf1b72be29f89e2d91504cec7ca9093
- SSDEEP
  
  6144:VEwaWsAzrp8viKgjdCU641BHoKIPi2CRp2pFSnfJxLw/mq3pT+Qrm9m7s:G9UjdtzIKl2YY3SRxLw/BT+X
Score

10^/10

defense_evasion evasion execution impact ransomware upx
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral22
- Target
  
  5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
- Size
  
  236KB
- MD5
  
  6aa5d9b03d34c87026ac11a6f30524fe
- SHA1
  
  c0c532d64bc1d16aeb12ea58c9e94c48eb3d64d4
- SHA256
  
  5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0
- SHA512
  
  1e0cdbfd5399c03e6db32b309d38f56dc0761d6a9d2319c712f771fecc9fec8aac0c2dd2ee00e4674b26168265558e4d02a810a6326c73e36a1e453ecc394069
- SSDEEP
  
  3072:A2XIX/5EEAmkN7HqOaeV/RPMObiZif2fXSF9uvm8dDuCb4NeIAg0Fuj3RK3o1yL:AliN3qO1hR0UiZi+fC+iAObo41I
Score

10^/10

defense_evasion execution impact persistence ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (278) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral23
- Target
  
  712affaa8b84e8fb7d4e71feb6c1074185bc43b5a2f265fbfb248f7ed40a5489 (1).exe
- Size
  
  1.7MB
- MD5
  
  1c526b6bd496e217833972f77a235928
- SHA1
  
  49dde9bf9e2f11abf13dc55cbf901af49e575bc1
- SHA256
  
  712affaa8b84e8fb7d4e71feb6c1074185bc43b5a2f265fbfb248f7ed40a5489
- SHA512
  
  884b01546adc3c64ec04cc5856fdd7ce5f851dea2eb4066ea398dfeb62a23eab14a592e7be4f286625cd94b3c8b6254d3646eb05ddf0d6a70aa160e7e2cba2a8
- SSDEEP
  
  24576:lTnv8YkXw+xfggJJmlm5SJPC/QMyKesckckSZahVY06uIxf+ubfOLVU:J0Husckc4Y0/IACmL2
Score

1^/10
behavioral24
- Target
  
  8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
- Size
  
  1020KB
- MD5
  
  496f86f951e1dbd3c4534d51a5297668
- SHA1
  
  1199c5f30f5724841905cbdb9787649d15aae3d5
- SHA256
  
  8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621
- SHA512
  
  382abc596081ca5d0fdea39b12afe433e446cd50f59e4abca818162d96e46465beb1cda631109083071e7c050af6bfcf867be41d02c1e2ebe5dd99f61f45d510
- SSDEEP
  
  24576:es0fVWVbd8fKT0KqTAFFCa/2yDEmdvAkomBbOsn51D:es0fVWVR8fKTeU1imBbl51D
Score

10^/10

troldesh defense_evasion execution impact persistence ransomware spyware stealer trojan upx
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral25