cerber

Sharing

Copy URL

Twitter E-mail

General

Target

freeSpoofer.rar
Size

13.8MB
Sample

250111-tgwxeasqgy
MD5

4de784dcf73d6a71b45f090e999a591b
SHA1

a0dbb8326e1d122c8ef4f8a2bdfb3ec406ad8ebf
SHA256

94985615c3a4143304e8f85e41d9f1bd2281d073d47ade04dcac1f63d31305c2
SHA512

83e92a5bea27d2ea801296bee5e249f971e2501d7fb7ebb406d6ff43a75ab2c899b74864e317be4e89a4979787d5a3e600a64dece18dffa1145a991edf11d39d
SSDEEP

196608:P4t4b2VYuO9EjW+gZ9Lu7XD2jbgMleIJS9tGbDkkxmTsmYm0HKdbFrQzTV2bN9VW:P4tVH2ExgZA7XaQMl1JSabQAKdbF9JK

Score

10^/10

Malware Config

Targets

- Target
  
  freeSpoofer/freeSpoofer.exe
- Size
  
  1.4MB
- MD5
  
  57749553c159683cf8c646bea1fa7e21
- SHA1
  
  414bdd48c6fd752f6d6100ad1c38fdecda8ffece
- SHA256
  
  5f1287749ae0d7025a05ab21ab24a6ccce54618f0890e51e85c12f76b0559d13
- SHA512
  
  6f3138fe1628880e30e7c451f285f8090ec41463c19aaabe2f42395f366d9f29dfe86a07a9086b0da1e1c52f71746fdb82f16a86c472a209996eb94098c19c41
- SSDEEP
  
  24576:wUNxvqF6FGYJf6yjNQpNONZNlTX5PlGPgquLEIWxUc7N11QaSYx7Gq6n9uX5:wUNxvC6FGYJf6yjNQpNONZnTX5PlGPgQ
Score

10^/10

cerber discovery evasion ransomware themida
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Cerber family
  cerber
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  freeSpoofer/tools/AFUWINx64.EXE
- Size
  
  1015KB
- MD5
  
  59a47fc8e9b4396dddb52907a8a54177
- SHA1
  
  d16c0825ea1ce721b00df160d826475fda2bae44
- SHA256
  
  03e11400f15251c9bf2d764b1020f32904f9569a426adfbe26b21e04898c8800
- SHA512
  
  e857e9627b811d48510e14f0b8e65a12eb4153d0e05ad322cc8b95f6ee5c52cc018a1073acecbed43148de26e5c252ae9a2a6d5fdda1b585dfc41f030bb2f6e3
- SSDEEP
  
  24576:xplWGl3HtCFYAQaYe9pwD+yweJUCHHWDa:8Ye9K+5L
Score

1^/10
behavioral3 behavioral4
- Target
  
  freeSpoofer/tools/AMIDEWINx64.EXE
- Size
  
  377KB
- MD5
  
  8690997c90d94b5a10f2fe39caa0d7a6
- SHA1
  
  ad05c719b046da3946e370409b342e3c67946a87
- SHA256
  
  157f846e4865f27898917304ba4480f6d67a327cbb25a790f885a78b8fba6db1
- SHA512
  
  39d2ff1aa49cdb302fd88f6903d71d0008e89ff9113eab8a3ca2b7dbc0e5604a059f8c6f798c97971149f80a379a73ea6900ad46cce5203effe5c226bcd080e0
- SSDEEP
  
  6144:u0lLNvLmP/LgoYG5HViOlHH7qKPUcky2FpwhPa24UW3Pl+MnUURgr:lzmP/Lgk5HViOlHH7qKPfky2FpwhyV38
Score

1^/10
behavioral5 behavioral6
- Target
  
  freeSpoofer/tools/LeCrud64.sys
- Size
  
  46KB
- MD5
  
  3e5c48ee4bdd6229f6bef52e940af600
- SHA1
  
  f8dc06c1fda53ee0f64306ad76c070ab2f5b2350
- SHA256
  
  f3046cf53ef29e9882918978310680497a1a329076c046697b4a1312f590fc09
- SHA512
  
  b9c289c6f301a32bc719cecb8aba99bf32539467f1e3762dacbd529339e0c9d5946235f98dfb9c3d5f9f07a7e4c4714236fe570d71aeb33c091c894576d6b0f8
- SSDEEP
  
  768:m1aGDGmA4cTr5efxS4EyRuaCjeLmNGUooNzYieNdVPxWEGg5x9z4cOo:GqeEfeLKo2z7enVPxP5jzgo
Score

1^/10
behavioral7
- Target
  
  freeSpoofer/tools/Volumeid64.exe
- Size
  
  165KB
- MD5
  
  81a45f1a91448313b76d2e6d5308aa7a
- SHA1
  
  0d615343d5de03da03bce52e11b233093b404083
- SHA256
  
  fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
- SHA512
  
  675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d
- SSDEEP
  
  3072:PngbfXWm18pX82lOl7NuT7DLM5Weo5UFs5QM8JwDmtFk1glurXEa:/gbfXWVoRNuT7DkbFsKM1glI
Score

1^/10
behavioral8 behavioral9
- Target
  
  freeSpoofer/tools/amigendrv64.sys
- Size
  
  36KB
- MD5
  
  9accebd928a8926fecf317f53cd1c44e
- SHA1
  
  d7d71135cc3cf7320f8e63cefb6298dd44e5b1d4
- SHA256
  
  811e5d65df60dfb8c6e1713da708be16d9a13ef8dfcd1022d8d1dda52ed057b2
- SHA512
  
  2563402cc8e1402d9ac3a76a72b7dab0baa4ecd03629cc350e7199c7e1e1da4000e665bd02ac3a75fd9883fa678b924c8b73d88d8c50bf9d2ae59254a057911e
- SSDEEP
  
  768:cBOmh786zi+NqkO8Ouwn3uivOyiRZSFInq1os29zjTUD:cXi+NXwnecOyiaFInq1lCz+
Score

1^/10
behavioral10
- Target
  
  freeSpoofer/tools/applecleaner_2.exe
- Size
  
  3.6MB
- MD5
  
  f96eb2236970fb3ea97101b923af4228
- SHA1
  
  e0eed80f1054acbf5389a7b8860a4503dd3e184a
- SHA256
  
  46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
- SHA512
  
  2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7
- SSDEEP
  
  98304:z7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6Ko:e+y4ihkl/Wo/afHPb
Score

9^/10

discovery evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral11 behavioral12
- Target
  
  freeSpoofer/tools/lvafudrv64.sys
- Size
  
  35KB
- MD5
  
  8d533ae1500f743a177b27c88a241163
- SHA1
  
  52c25cf4c903714fa52870a16d143fb6aeb0fa99
- SHA256
  
  b9e8de155fb9aabb4760034a65855130eb85aadc88963e40e2be87b049c025bf
- SHA512
  
  546c9309b9b078ce4c49a3b56ec8d77b0fd4c0bd583f4bce53705f854fe2addba5c8029ed8b8da9e944b2c212d2ee0508095bf20c12632b760a5c271d19940de
- SSDEEP
  
  384:mrzqfCQlZluZfnktrQsHGh1jEiI4IHith5kCN88ZGmGovy8ZpHcS8FRJvIsWAR9k:+dCluVG0zuiv1yiR89PL9zIf
Score

1^/10
behavioral13
- Target
  
  freeSpoofer/tools/tmac/Installer.exe
- Size
  
  189KB
- MD5
  
  34636047a124a3bdb21ff9c2b9402250
- SHA1
  
  49ecf948cfd6e85f38007b4267792d75031da015
- SHA256
  
  0d3390d29cde2d1f4b147d70fc7008abe2107c5cfdc0d1bfa746a180b70e03fe
- SHA512
  
  607d9a123c9b0a3fb74503e78255ac2033177f36903272660f9f650639496662d16177f47e61204e699172ba4233cda23442be538e6a07a2e39632eb709c0e9d
- SSDEEP
  
  3072:68dMhw/SymvBpLYDhU6Fh/S1PcU8MsGlUbLB:6I/tmvBpLYDhU6q1PcUnsGubl
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral14 behavioral15
- Target
  
  freeSpoofer/tools/tmac/TMAC.exe
- Size
  
  712KB
- MD5
  
  230b4c45774e95dd75241068c68aeb0d
- SHA1
  
  ef46dd76a8c6d4a7d6882469015a07a9bf660a50
- SHA256
  
  6c3d76c9a4d1652ce25ae8c2ba1907167cfaa0054b8e1325f370c52eafa74c97
- SHA512
  
  fc08d219e1023d7929250ecab81f640e4114f51b184d9004da0887c93b24a6026931a71da4ef0e95caa2a416d858496b5e174bcd0dd3bd3a76bca6582283e90c
- SSDEEP
  
  12288:A3fO0HyZz3H3PrpYMP/KyBAQ+KFBSmbrz6C4QXwmfW/sfH6s7zQcKDsVv/JLSF69:+On5pYyKyBAiFBSmb6CrXwmfW/sfH6sn
Score

3^/10

discovery
behavioral16 behavioral17
- Target
  
  freeSpoofer/tools/tmac/help.html
- Size
  
  22KB
- MD5
  
  8a707156b8ac8760e9de9f2d62c2050e
- SHA1
  
  8bd91f7606a7d456bccca513a14ef6583a1815e7
- SHA256
  
  c37d369d1f1ee945da67587b530d433b7fa0d16ba09a9ef13d468141a403c09d
- SHA512
  
  a092f62a5646150fc5a3891186c297c12488e509d59c73f5095d5ada0fc4b9356406f332e4e5cfc846b909e599bb6f7be6481c471c7d0b7b796974655e66b266
- SSDEEP
  
  192:5jU+nCqyZ5picOcYgWeCsKsbVRDEogq0ZWHaDfPhgA+2/eF5stchmai:5FcZzlrZKsbVRDEBq03gZMeFu
Score

3^/10

discovery
behavioral18 behavioral19

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Cerber family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19