cerber

General

Target

VoicemodSetup_2.51.0.0.exe
Size

112.5MB
Sample

240803-rj2vbswaml
MD5

026266fd4b4b126552e83b0a9e2b84f0
SHA1

218fb93e21734979ba651de7787f65fb28b519a1
SHA256

a26734f57480f592e82afea3b4743c2b6bcc5d3b5a7f08b5ffdad8135bafaba2
SHA512

4140de68b5a3d88a4ea89f4ff5035f8c5f0d8a5c9b3df09c7e8c102f4b42524465914df4c7ca3d2c8eb65dbc29f5f7700f965fcf3418bc335bd997c828fbafcc
SSDEEP

3145728:gFFJNHiVdYZxPKyZ+DXfCF1j6A/YBcSljvl+:gFTliV4z+bG5f/WljvE

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___7X3CIF8C_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/B6D0-5458-B269-0098-B21B Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/B6D0-5458-B269-0098-B21B 2. http://xpcx6erilkjced3j.19kdeh.top/B6D0-5458-B269-0098-B21B 3. http://xpcx6erilkjced3j.1mpsnr.top/B6D0-5458-B269-0098-B21B 4. http://xpcx6erilkjced3j.18ey8e.top/B6D0-5458-B269-0098-B21B 5. http://xpcx6erilkjced3j.17gcun.top/B6D0-5458-B269-0098-B21B ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/B6D0-5458-B269-0098-B21B

http://xpcx6erilkjced3j.1n5mod.top/B6D0-5458-B269-0098-B21B

http://xpcx6erilkjced3j.19kdeh.top/B6D0-5458-B269-0098-B21B

http://xpcx6erilkjced3j.1mpsnr.top/B6D0-5458-B269-0098-B21B

http://xpcx6erilkjced3j.18ey8e.top/B6D0-5458-B269-0098-B21B

http://xpcx6erilkjced3j.17gcun.top/B6D0-5458-B269-0098-B21B

Targets

- Target
  
  VoicemodSetup_2.51.0.0.exe
- Size
  
  112.5MB
- MD5
  
  026266fd4b4b126552e83b0a9e2b84f0
- SHA1
  
  218fb93e21734979ba651de7787f65fb28b519a1
- SHA256
  
  a26734f57480f592e82afea3b4743c2b6bcc5d3b5a7f08b5ffdad8135bafaba2
- SHA512
  
  4140de68b5a3d88a4ea89f4ff5035f8c5f0d8a5c9b3df09c7e8c102f4b42524465914df4c7ca3d2c8eb65dbc29f5f7700f965fcf3418bc335bd997c828fbafcc
- SSDEEP
  
  3145728:gFFJNHiVdYZxPKyZ+DXfCF1j6A/YBcSljvl+:gFTliV4z+bG5f/WljvE
Score

10^/10

discovery cerber cryptolocker evasion persistence privilege_escalation ransomware trojan
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Contacts a large (1132) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Drops startup file
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Downloads MZ/PE file
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2