cerber

General

Target

1f824766e7bbd6a8ea293d4fc0f8b4b09d541bd0c1bc54fcdcf3e67fcc38133b
Size

292KB
Sample

250111-ly893avrc1
MD5

8e9080262723020463638de9db275baa
SHA1

488b4efe98d351989c8171e3021e502640f7812e
SHA256

1f824766e7bbd6a8ea293d4fc0f8b4b09d541bd0c1bc54fcdcf3e67fcc38133b
SHA512

f22d6d87867e0973740c7e95f3e25281f45c8aadd1512e6cb4fba155f7174690252a5796132d02ed0ca8be9a9691a4fecaf8ef69e562ed7551d723486709bb90
SSDEEP

6144:znrYwBVSU8vKzlf9k6Fn/SnfyjB/stR2vvpzC/gs6Apz9:TrlBwUmKzV9ZFnhkmxzgD37

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___04RADM_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/5A26-8F75-BE62-0098-9637 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1t2jhk.top/5A26-8F75-BE62-0098-9637 2. http://xpcx6erilkjced3j.1e6ly3.top/5A26-8F75-BE62-0098-9637 3. http://xpcx6erilkjced3j.1ewuh5.top/5A26-8F75-BE62-0098-9637 4. http://xpcx6erilkjced3j.15ezkm.top/5A26-8F75-BE62-0098-9637 5. http://xpcx6erilkjced3j.16umxg.top/5A26-8F75-BE62-0098-9637 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/5A26-8F75-BE62-0098-9637

http://xpcx6erilkjced3j.1t2jhk.top/5A26-8F75-BE62-0098-9637

http://xpcx6erilkjced3j.1e6ly3.top/5A26-8F75-BE62-0098-9637

http://xpcx6erilkjced3j.1ewuh5.top/5A26-8F75-BE62-0098-9637

http://xpcx6erilkjced3j.15ezkm.top/5A26-8F75-BE62-0098-9637

http://xpcx6erilkjced3j.16umxg.top/5A26-8F75-BE62-0098-9637

Targets

- Target
  
  1f824766e7bbd6a8ea293d4fc0f8b4b09d541bd0c1bc54fcdcf3e67fcc38133b
- Size
  
  292KB
- MD5
  
  8e9080262723020463638de9db275baa
- SHA1
  
  488b4efe98d351989c8171e3021e502640f7812e
- SHA256
  
  1f824766e7bbd6a8ea293d4fc0f8b4b09d541bd0c1bc54fcdcf3e67fcc38133b
- SHA512
  
  f22d6d87867e0973740c7e95f3e25281f45c8aadd1512e6cb4fba155f7174690252a5796132d02ed0ca8be9a9691a4fecaf8ef69e562ed7551d723486709bb90
- SSDEEP
  
  6144:znrYwBVSU8vKzlf9k6Fn/SnfyjB/stR2vvpzC/gs6Apz9:TrlBwUmKzV9ZFnhkmxzgD37
Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Cerber family
  cerber
- Blocklisted process makes network request
- Contacts a large (1097) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  evasion
- Deletes itself
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2