cerber

General

Target

RNSM00276.7z
Size

4.1MB
Sample

241122-vs4basvkft
MD5

39fb6bc4ba8a5113f3c9ef47e229e92b
SHA1

aaaa278089a53fd91d9ec5fd3e4baec2e9a57c28
SHA256

e135b3e7b476bb122662a05c539f79fe49d827871232835c708952a4df95ce4b
SHA512

016db01d77520c9fa21a696cb03c6239da6a458499e0f2db217e9f41305150b2eff4b98366e5c58793db85453da2b8593d37e3ba4ff6e3595ee96181fd64eef8
SSDEEP

98304:qVOn1PxwzMhM512CUclkyBcYDpdQysDyKu3xXN7zX:qVjzMWLrUclkkk6fBJL

Score

10^/10

Malware Config

Extracted

Family

gozi

Extracted

Path

C:\Users\Default\How To Recover Encrypted Files.hta

Ransom Note

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta charset="utf-8"> <title>GLOBE</title> <HTA:APPLICATION ICON="UserAccountControlSettings.exe" /> </head> <body> <center> <div><h2>Your files are Encrypted!</h2></div> <hr> <div class="note private"> <div class="title">Your personal ID</div> <pre>3596986768909002996298131113519231175384744339787198052149999934933749628428866965878469710985329298 0377206158483635205161288262654556097525494145349262189644812323708127467261931297965313552208909612 4071342589145091774518365310953273249525195770324797350168971059286531446956478492498257767986155646 9889889578445547579108135454805442002349054188865919096479958416450461747387934412965003113539739657 3022972975613891348331167588833643868218493714339821097659717768196180007609393361582084497134223402 0847042360362936479131732635564859852671779368166093961198168364632537971662735040878531214942853793 104614762014530288</pre> </div> <hr> <div class="bold"> Your documents, photos, databases, and other important data has been encrypted. </div> <div class="bold">For data recovery needs decryptor.</div> <br><hr> <div>To buy the decryptor, you must pay the cost of: <font color="#FF0000"> <b>0.5 Bitcoin</b></font> <br>on the Bitcoin wallet: <font color="#FF0000"> <b>18prjukrWtNRdKXtZLwL7bUgk6J5kkVWMH</b></font><br> (Buy Bitcoins can be here <a href="https://localbitcoins.com/buy_bitcoins">https://localbitcoins.com/buy_bitcoins/</a> or <a href="https://blockchain.info/">https://blockchain.info/</a> - Visa/MasterCard, QIWI Visa Wallet..) <hr> <div> <b><font color="#FF0000">After the payment</font></b>, send a letter to the email address <b>[email protected]</b>.<br>In the letter include your personal identifier and<br> Bitcoin wallet: 18prjukrWtNRdKXtZLwL7bUgk6J5kkVWMH <br><br> In a response letter you will receive a program to decrypt. <br> After start decryptor program, all your files will be restored. </div> </div> </center> </body> </html>

Emails

<b>[email protected]</b>.<br>In

Wallets

18prjukrWtNRdKXtZLwL7bUgk6J5kkVWMH

Targets

- Target
  
  RNSM00276.7z
- Size
  
  4.1MB
- MD5
  
  39fb6bc4ba8a5113f3c9ef47e229e92b
- SHA1
  
  aaaa278089a53fd91d9ec5fd3e4baec2e9a57c28
- SHA256
  
  e135b3e7b476bb122662a05c539f79fe49d827871232835c708952a4df95ce4b
- SHA512
  
  016db01d77520c9fa21a696cb03c6239da6a458499e0f2db217e9f41305150b2eff4b98366e5c58793db85453da2b8593d37e3ba4ff6e3595ee96181fd64eef8
- SSDEEP
  
  98304:qVOn1PxwzMhM512CUclkyBcYDpdQysDyKu3xXN7zX:qVjzMWLrUclkkk6fBJL
Score

10^/10

cerber gozi troldesh banker defense_evasion discovery evasion isfb persistence privilege_escalation ransomware trojan upx
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Cerber family
  cerber
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Troldesh family
  troldesh
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
  ransomware trojan troldesh
- Contacts a large (592) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1