cerber

General

Target

1c26f6728257bc8e752f14917630e5b5670c3cb42e234ef323ee43fbd4cdc98c.exe
Size

477KB
Sample

250309-bxa1rswwfv
MD5

d58455a0d565b2702cea14cf0c3d467b
SHA1

ba6e1dfa1edbfd333959e5fe77d23cffe7afaac0
SHA256

1c26f6728257bc8e752f14917630e5b5670c3cb42e234ef323ee43fbd4cdc98c
SHA512

1b61343a6360af7f08e6277661f05da05fd3a05838a09459fa04a1b25026a4b52de690875e74df4319c7ead112a9dc3c96096005a3fdca1181c591f432149c68
SSDEEP

6144:Xyuf9iH1joy/I/f/22/4DWJLlu8Menul9XL//3/Pn//3/vnv/3/v//X/vf/n/3/6:XyY9LVluunuU1/2/Rm

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___36W6B24Z_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://qfjhpgbefuhenjp7.onion/D1AF-3CEB-F776-063A-F338 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://qfjhpgbefuhenjp7.16g9ub.top/D1AF-3CEB-F776-063A-F338 2. http://qfjhpgbefuhenjp7.13iuvw.top/D1AF-3CEB-F776-063A-F338 3. http://qfjhpgbefuhenjp7.158ugp.top/D1AF-3CEB-F776-063A-F338 4. http://qfjhpgbefuhenjp7.1fcfjn.top/D1AF-3CEB-F776-063A-F338 5. http://qfjhpgbefuhenjp7.1225wj.top/D1AF-3CEB-F776-063A-F338 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://qfjhpgbefuhenjp7.onion/D1AF-3CEB-F776-063A-F338

http://qfjhpgbefuhenjp7.16g9ub.top/D1AF-3CEB-F776-063A-F338

http://qfjhpgbefuhenjp7.13iuvw.top/D1AF-3CEB-F776-063A-F338

http://qfjhpgbefuhenjp7.158ugp.top/D1AF-3CEB-F776-063A-F338

http://qfjhpgbefuhenjp7.1fcfjn.top/D1AF-3CEB-F776-063A-F338

http://qfjhpgbefuhenjp7.1225wj.top/D1AF-3CEB-F776-063A-F338

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___TRX1XI1_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://qfjhpgbefuhenjp7.onion/093D-E090-9C7C-063A-FD73 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://qfjhpgbefuhenjp7.16g9ub.top/093D-E090-9C7C-063A-FD73 2. http://qfjhpgbefuhenjp7.13iuvw.top/093D-E090-9C7C-063A-FD73 3. http://qfjhpgbefuhenjp7.158ugp.top/093D-E090-9C7C-063A-FD73 4. http://qfjhpgbefuhenjp7.1fcfjn.top/093D-E090-9C7C-063A-FD73 5. http://qfjhpgbefuhenjp7.1225wj.top/093D-E090-9C7C-063A-FD73 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://qfjhpgbefuhenjp7.onion/093D-E090-9C7C-063A-FD73

http://qfjhpgbefuhenjp7.16g9ub.top/093D-E090-9C7C-063A-FD73

http://qfjhpgbefuhenjp7.13iuvw.top/093D-E090-9C7C-063A-FD73

http://qfjhpgbefuhenjp7.158ugp.top/093D-E090-9C7C-063A-FD73

http://qfjhpgbefuhenjp7.1fcfjn.top/093D-E090-9C7C-063A-FD73

http://qfjhpgbefuhenjp7.1225wj.top/093D-E090-9C7C-063A-FD73

Targets

- Target
  
  1c26f6728257bc8e752f14917630e5b5670c3cb42e234ef323ee43fbd4cdc98c.exe
- Size
  
  477KB
- MD5
  
  d58455a0d565b2702cea14cf0c3d467b
- SHA1
  
  ba6e1dfa1edbfd333959e5fe77d23cffe7afaac0
- SHA256
  
  1c26f6728257bc8e752f14917630e5b5670c3cb42e234ef323ee43fbd4cdc98c
- SHA512
  
  1b61343a6360af7f08e6277661f05da05fd3a05838a09459fa04a1b25026a4b52de690875e74df4319c7ead112a9dc3c96096005a3fdca1181c591f432149c68
- SSDEEP
  
  6144:Xyuf9iH1joy/I/f/22/4DWJLlu8Menul9XL//3/Pn//3/vnv/3/v//X/vf/n/3/6:XyY9LVluunuU1/2/Rm
Score

10^/10

cerber defense_evasion discovery persistence privilege_escalation ransomware
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
  ransomware cerber
- Cerber family
  cerber
- Blocklisted process makes network request
- Contacts a large (1090) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2