General

  • Target

    2025-02-06_2aaf48622a9038cafd1b24a67edffe6b_cerber

  • Size

    461KB

  • Sample

    250206-w8rg4ssqg1

  • MD5

    2aaf48622a9038cafd1b24a67edffe6b

  • SHA1

    caa4bfee28c14cf3ee04546299d71352f314fac2

  • SHA256

    f05fbdaada861682585ad99f18216c6d94092fcf759b1b17728e406a05365f07

  • SHA512

    79f109d5fca63efd8e9a0c793917c9f19a361075e540f12f907e1525bf959182b66527bdc0db28bd11a5a2ac6247660a6fb29c39992f3311a9f3e7a32c53c7d2

  • SSDEEP

    6144:PdacLxjXfqySXDE7DbZ+gBTv3Ud7q9hyqOWyrXN5Vo/hghtj1/nfkL/Ow:jtVSTE7DbpBfO9X/VXtjti

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_!!!_README_!!!_GYFSKUDN_.txt

Ransom Note
-----
"CERBER RANSOMWARE"
-----
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED
-----
The only way to decrypt your files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://hjhqmbxyinislkkt.onion/8E4C-CEF0-42AC-05C4-14C8
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://hjhqmbxyinislkkt.1mwvgh.top/8E4C-CEF0-42AC-05C4-14C8
2. http://hjhqmbxyinislkkt.1fygsg.top/8E4C-CEF0-42AC-05C4-14C8
3. http://hjhqmbxyinislkkt.1j43kf.top/8E4C-CEF0-42AC-05C4-14C8
4. http://hjhqmbxyinislkkt.1fnjrj.top/8E4C-CEF0-42AC-05C4-14C8
5. http://hjhqmbxyinislkkt.1c1ajf.top/8E4C-CEF0-42AC-05C4-14C8
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs

http://hjhqmbxyinislkkt.onion/8E4C-CEF0-42AC-05C4-14C8

http://hjhqmbxyinislkkt.1mwvgh.top/8E4C-CEF0-42AC-05C4-14C8

http://hjhqmbxyinislkkt.1fygsg.top/8E4C-CEF0-42AC-05C4-14C8

http://hjhqmbxyinislkkt.1j43kf.top/8E4C-CEF0-42AC-05C4-14C8

http://hjhqmbxyinislkkt.1fnjrj.top/8E4C-CEF0-42AC-05C4-14C8

http://hjhqmbxyinislkkt.1c1ajf.top/8E4C-CEF0-42AC-05C4-14C8
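Every payment URL in the note above carries the same v2 onion name and the same victim ID, with five clearnet gateway domains acting as Tor proxies. The script below, an added example that is not part of the sandbox report or the malware, pulls those pieces out of the note text and checks that they agree, which is the usual first step before the onion name, gateway domains and note filename go into a blocklist or hunt query. The note text is copied from the report; the filename pattern generalises the single observed name (_!!!_README_!!!_GYFSKUDN_.txt) and is an assumption.

```python
"""Pull network indicators out of a Cerber ransom note.

Added example for this report; it is not code from the sandbox or from the
malware author. The note text is copied from the report's "Ransom Note" field;
the note-filename pattern generalises one observed name and is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed input: the note as the sandbox extracted it, re-wrapped at its "-----" separators.
NOTE = """-----
"CERBER RANSOMWARE"
-----
YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED
-----
The only way to decrypt your files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder, inside there is
the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://hjhqmbxyinislkkt.onion/8E4C-CEF0-42AC-05C4-14C8
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://hjhqmbxyinislkkt.1mwvgh.top/8E4C-CEF0-42AC-05C4-14C8
2. http://hjhqmbxyinislkkt.1fygsg.top/8E4C-CEF0-42AC-05C4-14C8
3. http://hjhqmbxyinislkkt.1j43kf.top/8E4C-CEF0-42AC-05C4-14C8
4. http://hjhqmbxyinislkkt.1fnjrj.top/8E4C-CEF0-42AC-05C4-14C8
5. http://hjhqmbxyinislkkt.1c1ajf.top/8E4C-CEF0-42AC-05C4-14C8
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
"""

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9\-]*)?")
# Cerber used v2 hidden services: a 16-character base32 label in front of ".onion".
ONION_LABEL_RE = re.compile(r"[a-z2-7]{16}")
# Victim/payment ID as it appears in this note: five groups of four hex digits.
VICTIM_ID_RE = re.compile(r"[0-9A-F]{4}(?:-[0-9A-F]{4}){4}")
# Assumption: the middle token is random per victim; the page shows only one instance.
NOTE_NAME_RE = re.compile(r"_!!!_README_!!!_[A-Z0-9]+_\.txt", re.IGNORECASE)


@dataclass
class Indicators:
    onion_services: set[str] = field(default_factory=set)
    victim_ids: set[str] = field(default_factory=set)
    gateway_domains: list[str] = field(default_factory=list)  # clearnet Tor proxies
    payment_urls: list[str] = field(default_factory=list)
    other_urls: list[str] = field(default_factory=list)       # e.g. torproject.org

    def consistent(self) -> bool:
        """True when every payment URL names one hidden service and one victim ID."""
        return len(self.onion_services) == 1 and len(self.victim_ids) == 1


def extract_indicators(note: str) -> Indicators:
    ind = Indicators()
    for url in URL_RE.findall(note):
        parts = urlsplit(url)
        labels = (parts.hostname or "").split(".")
        victim = VICTIM_ID_RE.fullmatch(parts.path.strip("/"))
        if labels[-1] == "onion":
            ind.onion_services.add(parts.hostname)
        elif len(labels) >= 3 and ONION_LABEL_RE.fullmatch(labels[0]) and victim:
            # <onion-name>.<gateway-domain>: the gateway is everything after the first label.
            ind.onion_services.add(labels[0] + ".onion")
            ind.gateway_domains.append(".".join(labels[1:]))
        else:
            ind.other_urls.append(url)
            continue
        ind.payment_urls.append(url)
        if victim:
            ind.victim_ids.add(victim.group(0))
    return ind


def is_cerber_note_name(filename: str) -> bool:
    """Match the dropped note name seen in the report (e.g. _!!!_README_!!!_GYFSKUDN_.txt)."""
    return NOTE_NAME_RE.fullmatch(filename) is not None


if __name__ == "__main__":
    ind = extract_indicators(NOTE)
    print("onion service(s):", sorted(ind.onion_services))
    print("victim id(s):    ", sorted(ind.victim_ids))
    print("gateway domains: ", ind.gateway_domains)
    print("consistent:      ", ind.consistent())
```

The gateway domains are worth blocking on their own: the first label is the victim-independent onion name, so any host of the form `hjhqmbxyinislkkt.<gateway>` seen in DNS or proxy logs points at this campaign even when the victim ID differs.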

Targets

    • Target

      2025-02-06_2aaf48622a9038cafd1b24a67edffe6b_cerber

    • Size

      461KB

    • MD5

      2aaf48622a9038cafd1b24a67edffe6b

    • SHA1

      caa4bfee28c14cf3ee04546299d71352f314fac2

    • SHA256

      f05fbdaada861682585ad99f18216c6d94092fcf759b1b17728e406a05365f07

    • SHA512

      79f109d5fca63efd8e9a0c793917c9f19a361075e540f12f907e1525bf959182b66527bdc0db28bd11a5a2ac6247660a6fb29c39992f3311a9f3e7a32c53c7d2

    • SSDEEP

      6144:PdacLxjXfqySXDE7DbZ+gBTv3Ud7q9hyqOWyrXN5Vo/hghtj1/nfkL/Ow:jtVSTE7DbpBfO9X/VXtjti

    • Cerber

      Cerber is a widely distributed ransomware-as-a-service (RaaS) family, first observed in 2016.

    • Cerber family

    • Blocklisted process makes network request

    • Contacts a large number (1090) of remote hosts

      This may indicate a network scan to discover remotely running services. For Cerber it is more likely the family's documented infection-reporting behaviour: it sends UDP datagrams to whole IP ranges rather than probing individual hosts for services.

    • Modifies Windows Firewall

    • Deletes itself

    • Drops startup file

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks