cerber

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/
Sample

241026-kf6wjstcrl

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___K0UVL7BK_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/F8F1-31DF-D7A2-0098-B0F0 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/F8F1-31DF-D7A2-0098-B0F0 2. http://xpcx6erilkjced3j.19kdeh.top/F8F1-31DF-D7A2-0098-B0F0 3. http://xpcx6erilkjced3j.1mpsnr.top/F8F1-31DF-D7A2-0098-B0F0 4. http://xpcx6erilkjced3j.18ey8e.top/F8F1-31DF-D7A2-0098-B0F0 5. http://xpcx6erilkjced3j.17gcun.top/F8F1-31DF-D7A2-0098-B0F0 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/F8F1-31DF-D7A2-0098-B0F0

http://xpcx6erilkjced3j.1n5mod.top/F8F1-31DF-D7A2-0098-B0F0

http://xpcx6erilkjced3j.19kdeh.top/F8F1-31DF-D7A2-0098-B0F0

http://xpcx6erilkjced3j.1mpsnr.top/F8F1-31DF-D7A2-0098-B0F0

http://xpcx6erilkjced3j.18ey8e.top/F8F1-31DF-D7A2-0098-B0F0

http://xpcx6erilkjced3j.17gcun.top/F8F1-31DF-D7A2-0098-B0F0

Targets

- Target
  
  https://github.com/Da2dalus/The-MALWARE-Repo/
Score

10^/10

cerber cryptolocker dharma credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Cerber family
  cerber
- CryptoLocker
  Ransomware family with multiple variants.
  ransomware cryptolocker
- Cryptolocker family
  cryptolocker
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (306) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Blocklisted process makes network request
- Contacts a large (1118) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Downloads MZ/PE file
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Program crash
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1