cerber

Sharing

Copy URL

Twitter E-mail

General

Target

Ransomware-master.zip
Size

12.9MB
Sample

240802-t92clawgja
MD5

30da61eabe92b48ce784f7ee31f5ec44
SHA1

4922cfc2c10b5d92b2fb199fc6a2aaed095035e0
SHA256

2e156957ffdc73801662b89b1f6773434c4d13bb4b9bc1670827e399ad64aa7e
SHA512

648a9e6ddce09e5bf5da680f8d031afe3224b236cea9598e64e0d592f64ec0bed61e0ff089a931772d0f758a42a463e7ee6ea7ef117ad1c1453dbc2240b9f209
SSDEEP

393216:67aFd62nfFSrjIkV4mu/GyBSKb+JYSWTmq:67aHnnNmkpbDSWD

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___5AV0M_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/FF3F-B604-C23A-0446-99CA Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA 2. http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA 3. http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA 4. http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA 5. http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/FF3F-B604-C23A-0446-99CA

http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA

http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA

http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA

http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA

http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___MKQYX_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="R5dCEAPV" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yoZmGJhheEXu find the necessary files? Is the csRUHMfxpo8ontent of your files not readable? It is normal beepoDWyPKscause the files' names and the data in your files have been encrypzNted by "Ce2rber Ransomware". It menfsans your files are NOT damages6uQ6Rd! Your files are modified only. This modification is reversible. FrvsxvsS1rom now it is not posssnible to use your files until they will be decrypted. The only way to decsMl2fNrypt your files safely is to buy the special decryption software "Coed6QULoerber Decryptor". Any attempts to restXIH40ore your files with the thir07AkCLlTsd-party software will be fatal for your files! <hr> You can procOWZ2pFXeed with purchasing of the decryption softwZPN8czare at your personal page: PleyGdscN1Tase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA</a> If tvG5H6his page cannot be opened  clixck here  to get a new addrTdess of your personal page. If the addreAsss of your personal page is the same as befofgr5qrdXre after you tried to get a new one, you cOan try to get a new address in one hour. At th5674HIVFgAis page you will receive the complete instromqR6Kuctions how to buy the decryptii2owzVon software for restoring all your files. Also at this page you will be able to reszOFtore any one file for free to be sure "Cerbec4rkq7Wpogr Decryptor" will help you. <hr> If your per3Uy874OMIsonal page is not availaeYUCRpble for a long period there is another way to open your personal page - instaJAPllation and use of Tor Browser: <ol> <li>run your InteKz8N7dF8rnet browser (if you do not know what it is run the Internet Explorer);</li> <li>entMZqmdLqer or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadmVjrLing;</li> <li>on the site you will be offered to doGPwnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruvH7n Tor Browser;</li> <li>connect with the buttaMBREVT2wqon "Connect" (if you use the English version);</li> <li>a normal Internet broplqddlgwser window will be opened after the initialization;</li> <li>type or copy the add0ress http://p27dokhpz2n7nvgr.onion/FF3F-B604-C23A-0446-99CA in this browser address bar;</li> <li>preGjbgss ENTER;</li> <li>the site shox8uld be loaded; if for some reason the site is not loXnbHsbsjading wait for a moment and try again.</li> </ol> If you have any prbuCCuA9oblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searcxQrjh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditQiB1puRional information: You will fi8wNWvQIn3nd the instruTMR7HCXSVctions ("*_READ_THIS_FILE_*.hta") for reBaeQstoring your files in any fLolder with your encWZ2wVLwCrypted files. The instrljRPDuctions "*_READ_THIS_FILE_*.hta" in the f3L7FjlolderqjNrXAfs with your encryD28dUKeaGkpted files are not vir6vBXuses! The instrucpttions "*_READ_THIS_FILE_*.hta" will hedm95mi7Olp you to decmrypt your files. RemembeA51CQn7r! The worst sitC0sSJwqKtuation already happ9clYrrened and now the future of your files deYOpk6HBtYspends on your determSut2HEDdination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/FF3F-B604-C23A-0446-99CA</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/FF3F-B604-C23A-0446-99CA</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/FF3F-B604-C23A-0446-99CA في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضtmافية: س5rوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرش7J4livادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موJLraقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是��

Targets

- Target
  
  Ransomware-master.zip
- Size
  
  12.9MB
- MD5
  
  30da61eabe92b48ce784f7ee31f5ec44
- SHA1
  
  4922cfc2c10b5d92b2fb199fc6a2aaed095035e0
- SHA256
  
  2e156957ffdc73801662b89b1f6773434c4d13bb4b9bc1670827e399ad64aa7e
- SHA512
  
  648a9e6ddce09e5bf5da680f8d031afe3224b236cea9598e64e0d592f64ec0bed61e0ff089a931772d0f758a42a463e7ee6ea7ef117ad1c1453dbc2240b9f209
- SSDEEP
  
  393216:67aFd62nfFSrjIkV4mu/GyBSKb+JYSWTmq:67aHnnNmkpbDSWD
Score

3^/10

discovery
behavioral1
- Target
  
  Ransomware-master/LICENSE
- Size
  
  1KB
- MD5
  
  a31887cbb9ee63d417035c0c01213070
- SHA1
  
  6beb39510e95e12f4f0426999fdb652c7742252b
- SHA256
  
  13d93567d2d97b99868b6f263fe00f425aa95007d30297c3c55c685bde51d460
- SHA512
  
  77e75fd7038201b602da56e86d2fff9eea22f1e703fee34f35fde0e6e3bb8434bd9b939db6853068d54fdb46182800e7638850a396a409dad83c3ecbc17bfb75
Score

1^/10
behavioral2
- Target
  
  Ransomware-master/README.md
- Size
  
  1KB
- MD5
  
  ec42c9f687d906db4c64b31e1da2fbb0
- SHA1
  
  4e57f51ac2263e7ca317efb759ba145d375d8859
- SHA256
  
  78585fb1ce39b3d4df15fb07d59bb276d15c830c6df0b0f780c6f7ae6fa31c8b
- SHA512
  
  ea4ba33763a0914d99df7d8888f35bfec8dd0f701a48bb3eae53a9958447e6655f1cece5a4d44cb7aa7af11dfb2e73ce417cc897674902550000d3a515b6e793
Score

3^/10
behavioral3
- Target
  
  Ransomware-master/Ransomware
- Size
  
  25KB
- MD5
  
  d54b447020c50a74fefeeacd7be46733
- SHA1
  
  96f347b8545bde22d52e36d95779dceff0401697
- SHA256
  
  d1ebf588dbbcca6b21d20ef37d368d48bf6d7a9cdb6636245010fe87e4533f70
- SHA512
  
  415825c912210b5115dab8f2388631120eab7ee98bd7cba04705b700d10e325e1b42b6f8dbe5ff37a3b411a203ae436915d4dd6b655750f354817382d31f0954
- SSDEEP
  
  384:7B866666r66666966666EVGWml1VZAs9SX9BO9:7BUGWml1VZAs9Sm9
Score

1^/10
behavioral4
- Target
  
  Ransomware-master/etc/Ransomware.Cerber.zip
- Size
  
  215KB
- MD5
  
  5c571c69dd75c30f95fe280ca6c624e9
- SHA1
  
  b0610fc5d35478c4b95c450b66d2305155776b56
- SHA256
  
  416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c
- SHA512
  
  8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2
- SSDEEP
  
  3072:EJk9kcytz1Qg4kViSMoq9OsLvz8L5HINY8lYdeIX8woWJQHr6LqK2fU0MwL0b06R:EUkcyVlDq8rIblYomoWnvfp0g
Score

1^/10
behavioral5
- Target
  
  cerber.exe
- Size
  
  604KB
- MD5
  
  8b6bc16fd137c09a08b02bbe1bb7d670
- SHA1
  
  c69a0f6c6f809c01db92ca658fcf1b643391a2b7
- SHA256
  
  e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
- SHA512
  
  b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
- SSDEEP
  
  6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01
Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Contacts a large (1093) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral6
- Target
  
  Ransomware-master/etc/Ransomware.Cryptowall.zip
- Size
  
  100KB
- MD5
  
  8710ea46c2db18965a3f13c5fb7c5be8
- SHA1
  
  24978c79b5b4b3796adceffe06a3a39b33dda41d
- SHA256
  
  60d574055ae164cc32df9e5c9402deefa9d07e5034328d7b41457d35b7312a0e
- SHA512
  
  c71de7a60e7edeedbdd7843a868b6f5a95f2718f0f35d274cf85951ee565ef3ba1e087881f12aeede686ce6d016f3fd533b7ef21d878a03d2455acc161abf583
- SSDEEP
  
  3072:OCDc19avf1fHqOhdzVD/9Ae7RT5f6IiL+WfXS21o4D:OCD0QvlqGRlAlX+sXjo4D
Score

1^/10
behavioral7
- Target
  
  cryptowall.bin
- Size
  
  240KB
- MD5
  
  47363b94cee907e2b8926c1be61150c7
- SHA1
  
  ca963033b9a285b8cd0044df38146a932c838071
- SHA256
  
  45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d
- SHA512
  
  93dfaafc183360829448887a112dd49c90ec5fe50dcd7c7bbc06c1c8daa206eeea5577f726d906446322c731d0520e93700d5ff9cefd730fba347c72b7325068
- SSDEEP
  
  3072:xkeyloECBch6ZCGBGSmHJ0y5lj6jdojK7+MGOXpXx8z3Lp7Yoq:xGlnCIwMpj6ijKfxx8z3F0V
Score

3^/10

discovery
behavioral8
- Target
  
  Ransomware-master/etc/Ransomware.Jigsaw.zip
- Size
  
  239KB
- MD5
  
  3ad6374a3558149d09d74e6af72344e3
- SHA1
  
  e7be9f22578027fc0b6ddb94c09b245ee8ce1620
- SHA256
  
  86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff
- SHA512
  
  21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720
- SSDEEP
  
  3072:p7ykj3uuY4NsJD7kPdSRQLqas/pkPm9jvkEL60Uf7k2BgS6/aFybrNN5ZAdNstk7:p7ym3VNA7w8R5/rxv7O0yng0UtVw5NJ
Score

1^/10
behavioral9
- Target
  
  jigsaw
- Size
  
  283KB
- MD5
  
  2773e3dc59472296cb0024ba7715a64e
- SHA1
  
  27d99fbca067f478bb91cdbcb92f13a828b00859
- SHA256
  
  3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
- SHA512
  
  6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
- SSDEEP
  
  6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
Score

10^/10

jigsaw persistence ransomware spyware stealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Renames multiple (3748) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral10
- Target
  
  Ransomware-master/etc/Ransomware.Locky.zip
- Size
  
  125KB
- MD5
  
  b265305541dce2a140da7802442fbac4
- SHA1
  
  63d0b780954a2bc96b3a77d9a2b3369d865bf1fd
- SHA256
  
  0537fa38b88755f39df1cd774b907ec759dacab2388dc0109f4db9f0e9d191a0
- SHA512
  
  af65384f814633fe1cde8bf4a3a1a8f083c7f5f0b7f105d47f3324cd2a8c9184ccf13cb3e43b47473d52f39f4151e7a9da1e9a16868da50abb74fcbc47724282
- SSDEEP
  
  1536:6mXbzYYlSESr+LdgbfzNTBstcc6yVeHuwuY5pzl5Lypx0DIY6KQOoTFKmN9YMKW8:dbSr+Jg7lB2cV1aQ+WQVTFX9YPGQi1Mf
Score

1^/10
behavioral11
- Target
  
  Locky
- Size
  
  180KB
- MD5
  
  b06d9dd17c69ed2ae75d9e40b2631b42
- SHA1
  
  b606aaa402bfe4a15ef80165e964d384f25564e4
- SHA256
  
  bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
- SHA512
  
  8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
- SSDEEP
  
  3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6
Score

10^/10

locky discovery ransomware
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
  ransomware locky
behavioral12
- Target
  
  Ransomware-master/etc/Ransomware.Mamba.zip
- Size
  
  1.0MB
- MD5
  
  f94d1f4e2ce6c7cc81961361aab8a144
- SHA1
  
  88189db0691667653fe1522c6b5673bf75aa44aa
- SHA256
  
  610a52c340ebaff31093c5ef0d76032ac2acdc81a3431e68b244bf42905fd70a
- SHA512
  
  7b7cf9a782549e75f87b8c62d091369b47c1b22c9a10dcf4a5d9f2db9a879ed3969316292d3944f95aeb67f34ae6dc6bbe2ae5ca497be3a25741a2aa204e66ad
- SSDEEP
  
  24576:Uy0yC/fh9Dnt24GZrEXdjl3Fha3fXUkWpfnb:CyGf7TtCZrOll1svX0fb
Score

1^/10
behavioral13
- Target
  
  131.exe
- Size
  
  2.3MB
- MD5
  
  409d80bb94645fbc4a1fa61c07806883
- SHA1
  
  4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1
- SHA256
  
  2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63
- SHA512
  
  a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba
- SSDEEP
  
  49152:XM16E7qUoM5NWX7DP+1egOhcraQzK6j97V:c16/rM5oW1ZrRz
Score

3^/10

discovery
behavioral14
- Target
  
  Ransomware-master/etc/Ransomware.Matsnu.zip
- Size
  
  62KB
- MD5
  
  0a3487070911228115f3a13e9da2cb89
- SHA1
  
  c2d57c288bc9951dee4cc289d15e18158ef3f725
- SHA256
  
  f73027dd665772cc94dbe22b15938260be61cbaad753efdccb61c4fa464645e0
- SHA512
  
  996f839d347d8983e01e6e94d2feb48f2308ab7410c6743a72b7ecff15b34a30cd12a5764c0470c77138cf8724d5641d03dd81793e28d47fe597f315e116fa77
- SSDEEP
  
  1536:Wtmvcv25VrNQnc+6KmmjnFcqbq6eXq8GPHTDAY:WBUNQnc+6Vmmv6e8fP
Score

1^/10
behavioral15
- Target
  
  Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_
- Size
  
  102KB
- MD5
  
  1b2d2a4b97c7c2727d571bbf9376f54f
- SHA1
  
  1fc29938ec5c209ba900247d2919069b320d33b0
- SHA256
  
  7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e
- SHA512
  
  506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0
- SSDEEP
  
  1536:jj+Rj1lGIXKSmE17v97yiqHGMRPtbsLW8/V2k12v1/BDxVyCfCrCAc:jjw6Sf0iqmMnb2W02v3mCf4Nc
Score

3^/10

discovery
behavioral16
- Target
  
  Ransomware-master/etc/Ransomware.Petrwrap.zip
- Size
  
  1.1MB
- MD5
  
  6884a35803f2e795fa4b121f636332b4
- SHA1
  
  527bfbf4436f9cce804152200c4808365e6ba8f9
- SHA256
  
  cf01329c0463865422caa595de325e5fe3f7fba44aabebaae11a6adfeb78b91c
- SHA512
  
  262732a9203e2f3593d45a9b26a1a03cc185a20cf28fad3505e257b960664983d2e4f2b19b9ff743015310bf593810bd049eb03d0fd8912a6d54de739742de60
- SSDEEP
  
  24576:XtZfUANeQHLqNZ2rl5zkFGPI/9+4C/BGq/Om00pN5m:XtZc+trnHkxVqQqm
Score

1^/10
behavioral17
- Target
  
  027cc450ef5f8c5f653329641ec1fed9.exe
- Size
  
  353KB
- MD5
  
  71b6a493388e7d0b40c83ce903bc6b04
- SHA1
  
  34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
- SHA256
  
  027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
- SHA512
  
  072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
- SSDEEP
  
  6144:y/Bt80VmNTBo/x95ZjAetGDN3VFNq7pC+9OqFoK30b3ni5rdQY/CdUOs2:y/X4NTS/x9jNG+w+9OqFoK323qdQYKUG
Score

10^/10

mimikatz bootkit discovery persistence spyware stealer
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- mimikatz is an open source tool to dump credentials on Windows
- Deletes itself
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral18
- Target
  
  myguy.hta
- Size
  
  13KB
- MD5
  
  0487382a4daf8eb9660f1c67e30f8b25
- SHA1
  
  736752744122a0b5ee4b95ddad634dd225dc0f73
- SHA256
  
  ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
- SHA512
  
  e1e7d81d54efd526139ea8ac792ed2035c8e70f040319c0b65f723431d31077c7a6927553890c99151f2354f51c4020ed94e0e2e5d56386c2fc4828e95869106
- SSDEEP
  
  192:ScIsmNvaHz65bP/U/njs3NH0Z0UvDVE6Az6XVHBycT6iLMUpJ2seCYHlfeb:SPXTmnjs3BU9A27BNLMUTb
Score

3^/10

discovery
behavioral19
- Target
  
  Ransomware-master/etc/Ransomware.Petya.zip
- Size
  
  538KB
- MD5
  
  e8fb95ebb7e0db4c68a32947a74b5ff9
- SHA1
  
  6f93f85342aa3ea7dcbe69cfb55d48e5027b296c
- SHA256
  
  33ca487a65d38bad82dccfa0d076bad071466e4183562d0b1ad1a2e954667fe9
- SHA512
  
  a2dea77b0283f4ed987c4de8860a9822bfd030be9c3096cda54f6159a89d461099e58efbc767bb8c04ae21ddd4289da578f8d938d78f30d40f9bca6567087320
- SSDEEP
  
  12288:h62An+lYWejkM9KIIoyoAWPPpxS8yrST5UvF50VHCJvD3DpNu7NwRUDxuJnU:hJA+BncEoyojpxS8yrSV0nvHpNu7eQxH
Score

1^/10
behavioral20
- Target
  
  Ransomware-master/etc/Ransomware.Radamant.zip
- Size
  
  59KB
- MD5
  
  fce365d60e13df34a6843894ac9be499
- SHA1
  
  5211ac4e7d8459f0db9aa19a03c55cb2063fee5f
- SHA256
  
  3e1813da2d561157df7667cde0117fdddd883c5b1272f76d1ae85ad889c38220
- SHA512
  
  9747c95c1a1314fd0fb462951feafa51a75c0794e56a6bbbd16d192e366907aa764bc9adbc7d8319e5d43a37b10889808ae5d619ae1202200d7dba34afa2bc1b
- SSDEEP
  
  1536:cKmaCJ5RF2bf2mwPUv0M47ChtgxyZShQ9FttDUFQ1VkJA/:XmHJAY23iSOxygkFttQFSkJA/
Score

1^/10
behavioral21
- Target
  
  Ransomware-master/etc/Ransomware.Rex.zip
- Size
  
  2.7MB
- MD5
  
  50188823168525455c273c07d8457b87
- SHA1
  
  0d549631690ea297c25b2a4e133cacb8a87b97c6
- SHA256
  
  32856e998ff1a8b89e30c9658721595d403ff0eece70dc803a36d1939e429f8d
- SHA512
  
  b1a58ebcc48142fa4f79c600ea70921f883f2f23185a3a60059cb2238ed1a06049e701ccdab6e4ea0662d2d98a73f477f791aa1eec1e046b74dc1ce0a9680f70
- SSDEEP
  
  49152:vWKde2aWpNtWWKPqd0c1OWfD6vAcxntjWPNeJ5Rf/coFN0LZkyIEsNdd:eKI2FpNtfaqGc1EAczjk41EuN0LZky9y
Score

1^/10
behavioral22
- Target
  
  Ransomware-master/etc/Ransomware.Satana.zip
- Size
  
  57KB
- MD5
  
  82f621944ee2639817400befabedffcf
- SHA1
  
  c183ae5ab43b9b3d3fabdb29859876c507a8d273
- SHA256
  
  4785c134b128df624760c02ad23c7e345a234a99828c3fecf58fbd6d5449897f
- SHA512
  
  7a2257af32b265596e9f864767f2b86fb439b846f7bffa4b9f477f2e54bc3ff2bb56a39db88b72a0112972959570afc697c3202839a836a6d10409a10985031b
- SSDEEP
  
  1536:GBfLHxIOBET2Uvk6w5yD5O92x2HtYli0kR5sJ7LNeeSLK/TJ:GBf9IOXok6DODtY40kDsjiL6F
Score

1^/10
behavioral23
- Target
  
  Ransomware-master/etc/Ransomware.TeslaCrypt.zip
- Size
  
  479KB
- MD5
  
  f755a44bbb97e9ba70bf38f1bdc67722
- SHA1
  
  f70331eb64fd893047f263623ffb1e74e6fe4187
- SHA256
  
  3b246faa7e4b2a8550aa619f4da893db83721aacf62b46e5863644a5249aa87e
- SHA512
  
  f8ce666ae273e6c5cd57447189a8cf0e53c7704cf269fa120068f21e6faf6c89e2e75f37aee43cac83f4534790c5c6f1827621684034ef3eb7e94d7ee1ac365e
- SSDEEP
  
  6144:xQAq0svy/pQhk1NBePvxGNWeOyqYAGfr/H/h60BHtzbprAvNGTG/fi5QCIq3h11Z:LyKoUlWeOP8HXrINZ/2uJUgVu
Score

1^/10
behavioral24
- Target
  
  Ransomware-master/etc/Ransomware.Vipasana.zip
- Size
  
  638KB
- MD5
  
  8d2c4c192772985776bacfd77f7bc4d9
- SHA1
  
  3b923b911d443e321e551f26c9588b16a994d52e
- SHA256
  
  1733b199a7063443c167e3caeae7dda2315f590341ea2152a9b132e1ad8e94a8
- SHA512
  
  6c24f2fe498cf38e3f3d66b62915e6fbc8c2746a1d4c3c3de270f994b02e1369b9540099c12d150712574ececbe63c8c9f28877d8aa4557fbbb7890d5a0de6c1
- SSDEEP
  
  12288:atcWK55CAyTliOve2dCbNF2NJ9lTYG6WxGc7jdw04YPghNxEvREoXIaK:k7KCP5tWiCpYj6/Cm04YPgvivRENL
Score

1^/10
behavioral25
- Target
  
  Ransomware-master/etc/Ransomware.WannaCry.zip
- Size
  
  3.3MB
- MD5
  
  efe76bf09daba2c594d2bc173d9b5cf0
- SHA1
  
  ba5de52939cb809eae10fdbb7fac47095a9599a7
- SHA256
  
  707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a
- SHA512
  
  4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029
- SSDEEP
  
  98304:vhvb2BVmAw0p9jIVcEj5nnZNRyA30yBSRT:vhvq7Bu6EZnZN5EyBSN
Score

1^/10
behavioral26
- Target
  
  Ransomware-master/etc/Ransomware.Wannacry_Plus.zip
- Size
  
  2.3MB
- MD5
  
  5641d280a62b66943bf2d05a72a972c7
- SHA1
  
  c857f1162c316a25eeff6116e249a97b59538585
- SHA256
  
  ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488
- SHA512
  
  0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752
- SSDEEP
  
  49152:9mqR0GTCRh8C9PYUYwm79evoBD2HSypKLZ5u/KU940CwmWtSQX5ddmL6T:RA8GY3b9ev62yypKLlUVCpSSQX5ddmeT
Score

1^/10
behavioral27
- Target
  
  Ransomware-master/etc/Ransomware.library
- Size
  
  33B
- MD5
  
  4c3afa1c36b5d93cf231f23567fc0320
- SHA1
  
  98682eeb359d3e917c2292128f84f5134427e2c2
- SHA256
  
  a62d6f70aa846adb172d15706798faca370eadcc0ba8ad35ce5285232e8a501d
- SHA512
  
  5c72bfd0b1d948338a8adf72abae79b4130db30650db2e8a5965f761a3f304ae9f14b2f5a3ef50fe1869e475ef5bf0b5ef4a8d746267cb8a65ab086f00ff7dc1
Score

3^/10
behavioral28
- Target
  
  Ransomware-master/etc/load.sh
- Size
  
  4KB
- MD5
  
  8f14e34971812277edeb8a31376cb27a
- SHA1
  
  5a96858d0d97ca1e229a1270d1a34a09c3c677ea
- SHA256
  
  1a275cbf23a5a5620d40cda6bd3f621a48d7b2119b2c8bf97b87a97f83933e85
- SHA512
  
  a63a692e0d63944ee9824578b52f7eb41fd9d9f7e3414d22cb3b81f337571f0c8720672866f4f534eb1c7f3c87662b120addff038806363f3ccaf86a69949ca4
- SSDEEP
  
  96:v7fGWJIKNsm/kgrkSYpJhc0P+Z6psE8Gkh+mKuc3nWX5neEpT2:vbdp1fY3hlaG1kh+mjcm4EU
Score

3^/10
behavioral29
- Target
  
  Ransomware-master/test.py
- Size
  
  186B
- MD5
  
  f5c90d7b70869e8de04c7d7e3051dea9
- SHA1
  
  93cf6fd3b58cfa7e9ccb7c88bd2cccd65a4d4be7
- SHA256
  
  4bfe4b8e987cae3539dddec1fc0732a7b1195768f0c8ff3352dccd4fa76bc249
- SHA512
  
  64d5aaaa1bcbb17eff100bc83d1020660b6e4b6734f99bd5017e0d895753b70619bafd63809b72768815ce1ad1cc80fecd41e8414b1498201bd310dfed213d25
Score

3^/10
behavioral30
- Target
  
  Ransomware-master/test2.py
- Size
  
  554B
- MD5
  
  dc42f74575c40fc6c90d73b747df6803
- SHA1
  
  ff5d98b1f959810719299c5fb0042436634b1999
- SHA256
  
  d1f9f5e30ac4d8d5771af930b15a51fb040cb1a2b84c7b7feeebb7e4d5fdc1bb
- SHA512
  
  d4a311676aa16d11f678eaf32e5ee4c18ba2f3beab0d494e09ae6a8214575d5178b9de7126131ad0d5da909594a4e0dbbb791ebed62550b9080cf2a8fb78bb9e
Score

3^/10
behavioral31
- Target
  
  Ransomware-master/warna.py
- Size
  
  650B
- MD5
  
  19522678240a7e6d1e5531ed275b6a64
- SHA1
  
  01653b2ca19505c7e9a7972df2e7d6784cc627b6
- SHA256
  
  6986bfb870797a56611749719d8aabfdfcf272392765692a15c065c42f88c3cf
- SHA512
  
  8f2d1efd81a4bafa8d3a50fce740514469a7ccdb2d68f908b9e86d1714ca605525e75a5f0f5ac9dd798299db75810bdf0d06f88e0103609b4d0843ff12d24292
Score

3^/10
behavioral32