cerber | be95be6a9f532476175b14dead7591028f0c48d589f253434418074188c8e67d | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

Ghost_Free.7z

windows11-21h2-x64

Sharing

General

Target

Ghost_Free.7z
Size

3.9MB
Sample

250228-m3b1ssysfz
MD5

b2f7e7a1fdb28a52a36955991b1998bf
SHA1

cde47e14410d20157b96242bd4f15a510efcb6e9
SHA256

be95be6a9f532476175b14dead7591028f0c48d589f253434418074188c8e67d
SHA512

05ff8ea00c5ab87f960019b40af14230adaee5d5ee65940830a97ba7bccc672f82a974769e6796408a87e93dbd9000594089773c06aa41dbbea868d749cb5573
SSDEEP

98304:Ue/t5JorCD69Hu1xgidyL0DBCwKy7o2iAo+q8Odr2:PZor06Z6gLQX7RUFr2

Score

10^/10

cerber defense_evasion discovery persistence privilege_escalation ransomware themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

Ghost_Free.7z

Resource

win11-20250217-en

cerber defense_evasion discovery persistence privilege_escalation ransomware themida trojan

windows11-21h2-x64

32 signatures

150 seconds

Malware Config

Targets

- Target
  
  Ghost_Free.7z
- Size
  
  3.9MB
- MD5
  
  b2f7e7a1fdb28a52a36955991b1998bf
- SHA1
  
  cde47e14410d20157b96242bd4f15a510efcb6e9
- SHA256
  
  be95be6a9f532476175b14dead7591028f0c48d589f253434418074188c8e67d
- SHA512
  
  05ff8ea00c5ab87f960019b40af14230adaee5d5ee65940830a97ba7bccc672f82a974769e6796408a87e93dbd9000594089773c06aa41dbbea868d749cb5573
- SSDEEP
  
  98304:Ue/t5JorCD69Hu1xgidyL0DBCwKy7o2iAo+q8Odr2:PZor06Z6gLQX7RUFr2
Score

10^/10

cerber defense_evasion discovery persistence privilege_escalation ransomware themida trojan
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Cerber family
  cerber
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Modifies Windows Firewall
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  defense_evasion trojan
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

cerberdefense_evasiondiscoverypersistenceprivilege_escalationransomwarethemidatrojan

© 2018-2025

Terms | Privacy