
General

  • Target

    2025-03-01_9c147f1538813cbab04262be1ae54670_cerber

  • Size

    461KB

  • Sample

    250301-1r2c7stwbw

  • MD5

    9c147f1538813cbab04262be1ae54670

  • SHA1

    91da5db894dbabc3afbfdf3c26b8750cefed5937

  • SHA256

    d6ebf45107c772166eb422e5f2a821f2c0726bbbf6d298f47aa1ad33b518ac8b

  • SHA512

    4e9582f40c4c0b3ab349ad80f62a786c462dcc8c84e3448ac939e2507e4cb4770484f5f0add95e039a14118b1c23052fd7909e1a782fb6f8c7bb9076b2d90f8f

  • SSDEEP

    6144:mdacLxjXfqySXDE7DbZ+gBTv3Ud7q9hyqOWyrXN5Vo/hghtj1LnfkL/Ow:GtVSTE7DbpBfO9X/VXtjti

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_!!!_README_!!!_002YU5G_.txt

Ransom Note
----- "CERBER RANSOMWARE" -----

YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED

-----

The only way to decrypt your files is to receive the private key and decryption program.

To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files.

If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:

-----

1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://hjhqmbxyinislkkt.onion/4D81-F73A-8352-05C3-C642

Note! This page is available via "Tor Browser" only.

-----

Also you can use temporary addresses on your personal page without using "Tor Browser".

-----

1. http://hjhqmbxyinislkkt.1fygsg.top/4D81-F73A-8352-05C3-C642
2. http://hjhqmbxyinislkkt.1j43kf.top/4D81-F73A-8352-05C3-C642
3. http://hjhqmbxyinislkkt.1fnjrj.top/4D81-F73A-8352-05C3-C642
4. http://hjhqmbxyinislkkt.1c1ajf.top/4D81-F73A-8352-05C3-C642
5. http://hjhqmbxyinislkkt.1mee2x.top/4D81-F73A-8352-05C3-C642

-----

Note! These are temporary addresses! They will be available for a limited amount of time!

-----
URLs

http://hjhqmbxyinislkkt.onion/4D81-F73A-8352-05C3-C642

http://hjhqmbxyinislkkt.1fygsg.top/4D81-F73A-8352-05C3-C642

http://hjhqmbxyinislkkt.1j43kf.top/4D81-F73A-8352-05C3-C642

http://hjhqmbxyinislkkt.1fnjrj.top/4D81-F73A-8352-05C3-C642

http://hjhqmbxyinislkkt.1c1ajf.top/4D81-F73A-8352-05C3-C642

http://hjhqmbxyinislkkt.1mee2x.top/4D81-F73A-8352-05C3-C642
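The note and URL list above are what the sandbox extracted from the dropped README. The parser below is an added example, not part of this report or of Triage's own extractor; it shows how to turn such a note into actionable indicators: the victim ID embedded in every personal-page URL, the onion service, the clearnet mirror hosts, and the registrable domains worth blocking, while discarding the legitimate torproject.org link the note also carries. The note text is embedded verbatim from this report so the example runs offline; the "mirrors match onion" consistency check is this example's own heuristic (Cerber's mirrors use the onion name as their first label), not something the report states.

```python
import json
import re
from urllib.parse import urlsplit

# Ransom note text from this report (C:\Users\Admin\Desktop\_!!!_README_!!!_002YU5G_.txt),
# embedded as a constant so the parser can run without the sample.
NOTE = (
    '----- "CERBER RANSOMWARE" ----- YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER '
    'IMPORTANT FILES HAVE BEEN ENCRYPTED ----- The only way to decrypt your files '
    'is to receive the private key and decryption program. To receive the private '
    'key and decryption program go to any decrypted folder, inside there is the '
    'special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt '
    'your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, '
    'follow the instructions below: ----- 1. Download "Tor Browser" from '
    'https://www.torproject.org/ and install it. 2. In the "Tor Browser" open '
    'your personal page here: http://hjhqmbxyinislkkt.onion/4D81-F73A-8352-05C3-C642 '
    'Note! This page is available via "Tor Browser" only. ----- Also you can use '
    'temporary addresses on your personal page without using "Tor Browser". ----- '
    '1. http://hjhqmbxyinislkkt.1fygsg.top/4D81-F73A-8352-05C3-C642 '
    '2. http://hjhqmbxyinislkkt.1j43kf.top/4D81-F73A-8352-05C3-C642 '
    '3. http://hjhqmbxyinislkkt.1fnjrj.top/4D81-F73A-8352-05C3-C642 '
    '4. http://hjhqmbxyinislkkt.1c1ajf.top/4D81-F73A-8352-05C3-C642 '
    '5. http://hjhqmbxyinislkkt.1mee2x.top/4D81-F73A-8352-05C3-C642 ----- '
    'Note! These are temporary addresses! They will be available for a limited '
    'amount of time! -----'
)

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# Cerber personal-page IDs in this note are five dash-separated upper-case hex quads.
VICTIM_ID_RE = re.compile(r"\b([0-9A-F]{4}(?:-[0-9A-F]{4}){4})\b")
# Sites the note sends the victim to that are not attacker infrastructure.
BENIGN_HOSTS = {"www.torproject.org", "torproject.org"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('a.b.1fygsg.top' -> '1fygsg.top').
    Adequate for the flat .top/.onion names here; production code should
    consult a public-suffix list instead."""
    return ".".join(host.split(".")[-2:])


def extract_iocs(note: str) -> dict:
    """Pull victim IDs, onion hosts, clearnet mirrors and block domains from a note."""
    urls = [u.rstrip(".,") for u in URL_RE.findall(note)]
    onion_hosts, mirror_hosts, benign = set(), set(), set()
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in BENIGN_HOSTS:
            benign.add(host)
        elif host.endswith(".onion"):
            onion_hosts.add(host)
        else:
            mirror_hosts.add(host)
    victim_ids = sorted(set(VICTIM_ID_RE.findall(note)))
    # Heuristic (this example's assumption): the clearnet mirrors are Tor2web-style
    # gateways whose first label is the onion service name, so every mirror should
    # point at the same hidden service named in the .onion URL.
    onion_labels = {h.split(".")[0] for h in onion_hosts}
    consistent = all(h.split(".")[0] in onion_labels for h in mirror_hosts)
    return {
        "victim_ids": victim_ids,
        "onion_hosts": sorted(onion_hosts),
        "mirror_hosts": sorted(mirror_hosts),
        "block_domains": sorted({registrable_domain(h) for h in mirror_hosts}),
        "mirrors_match_onion": consistent,
        "ignored_hosts": sorted(benign),
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(NOTE), indent=2))
```

The block domains are the useful output for a perimeter blocklist: the per-victim mirror hostnames rotate, but each `.top` registrable domain can be sinkholed or blocked as a whole, and the victim ID lets an IR team tie several notes across an estate back to the same infection.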

Targets

    • Target

      2025-03-01_9c147f1538813cbab04262be1ae54670_cerber

    • Size

      461KB

    • MD5

      9c147f1538813cbab04262be1ae54670

    • SHA1

      91da5db894dbabc3afbfdf3c26b8750cefed5937

    • SHA256

      d6ebf45107c772166eb422e5f2a821f2c0726bbbf6d298f47aa1ad33b518ac8b

    • SHA512

      4e9582f40c4c0b3ab349ad80f62a786c462dcc8c84e3448ac939e2507e4cb4770484f5f0add95e039a14118b1c23052fd7909e1a782fb6f8c7bb9076b2d90f8f

    • SSDEEP

      6144:mdacLxjXfqySXDE7DbZ+gBTv3Ud7q9hyqOWyrXN5Vo/hghtj1LnfkL/Ow:GtVSTE7DbpBfO9X/VXtjti

    • Cerber

      Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.

    • Cerber family

    • Blocklisted process makes network request

    • Contacts a large number (1090) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Modifies Windows Firewall

    • Deletes itself

    • Drops startup file

    • Drops file in System32 directory
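The "contacts a large number of remote hosts" signature above is a fan-out heuristic: one process reaching many distinct destinations in a short span. As an added example (not Triage's detection logic), here is one way to implement that heuristic over per-process network events, with a sliding time window and a short summary of the burst (single port, protocol, how many /24 subnets) that helps distinguish a sweep from ordinary browsing. The CSV record format, process names, PIDs and IP ranges in the sample log are constructed for this example; the addresses come from reserved test space.

```python
import ipaddress
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEvent:
    ts: float    # seconds since epoch
    pid: int
    image: str   # process image path
    dst: str     # destination IP
    dport: int
    proto: str   # "tcp" or "udp"


def parse_line(line: str) -> NetEvent:
    """Parse one 'ts,pid,image,dst,dport,proto' record. The format is a
    constructed stand-in for Sysmon event 3 or sandbox network traces."""
    ts, pid, image, dst, dport, proto = line.strip().split(",")
    return NetEvent(float(ts), int(pid), image, dst, int(dport), proto.lower())


def fanout_alerts(events, threshold=50, window=60.0):
    """Flag any process that reaches >= threshold distinct destination IPs
    within some `window`-second span, and summarise what the burst looked like."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e.pid, e.image)].append(e)
    alerts = []
    for (pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        recent, live = deque(), Counter()   # events in window, per-dst counts
        for e in evs:
            recent.append(e)
            live[e.dst] += 1
            while e.ts - recent[0].ts > window:   # expire events older than the window
                old = recent.popleft()
                live[old.dst] -= 1
                if not live[old.dst]:
                    del live[old.dst]
            if len(live) >= threshold:
                ports = {x.dport for x in recent}
                nets = {ipaddress.ip_network(f"{d}/24", strict=False) for d in live}
                alerts.append({
                    "pid": pid, "image": image,
                    "distinct_hosts": len(live),
                    "window_start": recent[0].ts, "window_end": e.ts,
                    "single_port": next(iter(ports)) if len(ports) == 1 else None,
                    "protocols": sorted({x.proto for x in recent}),
                    "subnets_24": len(nets),
                })
                break   # one alert per process is enough
    return alerts


def build_sample_log():
    """Constructed events: a browser with four destinations, and a process that
    sprays one UDP port across 200 consecutive addresses in about 20 seconds.
    192.0.2.0/24 and 198.18.0.0/15 are reserved documentation/benchmark ranges."""
    lines = []
    for i, dst in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]):
        lines.append(f"{1000 + 5 * i},4120,C:\\Program Files\\Browser\\browser.exe,{dst},443,tcp")
    base = ipaddress.ip_address("198.18.1.0")
    for i in range(200):
        lines.append(f"{2000 + 0.1 * i:.1f},3388,C:\\Users\\Admin\\AppData\\Roaming\\updater.exe,{base + i},7000,udp")
    return lines


if __name__ == "__main__":
    for alert in fanout_alerts([parse_line(l) for l in build_sample_log()]):
        print(alert)
```

The threshold and window are the tuning knobs: a sandbox can afford a low threshold because a sample normally talks to a handful of hosts, whereas on a production endpoint the same rule needs per-image baselining (browsers, update agents and vulnerability scanners legitimately fan out) before it is worth alerting on.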
