1001.exe CERBER
Event Type Details Parent PID PID
Detection
Threat characteristic: Attempts to connect to malicious host
Host: 208.83.223.34
Threat Name: CALLBACK_CRYPTOLOCK.WRS
Detection
Threat characteristic: Rare executable file
Global Detections: 0
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\userenv.dll, 74790000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\setupapi.dll, 75a30000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\apphelp.dll, 71760000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\propsys.dll, 73f80000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\dwmapi.dll, 73c10000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\cryptbase.dll, 75030000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\oleacc.dll, 723b0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\clbcatq.dll, 75480000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\version.dll, 74630000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\shfolder.dll, 6b260000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, cryptbase.dll, 75030000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0 2784
Call Window API API Name: CreateWindowExW Args: ( 0, c03b, OleMainThreadWndName, 88000000, 80000000, 80000000, 80000000, 80000000, fffffffd, 0, 758d0000, 0 ) Return: 201d4 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, ole32.dll, 758d0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, ole32.dll, 758d0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, comctl32.dll, 740c0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, comctl32.dll, 740c0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, oleaut32.dll, 756a0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, clbcatq.dll, 75480000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 1e24a4, 0, %windir%\system32\propsys.dll, 73f80000 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local\Microsoft\Windows\Caches, 0 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, ntmarta.dll, 71e90000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, shell32.dll, 75bf0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, api-ms-win-security-sddl-l1-1-0.dll, 75bd0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, profapi.dll, 750e0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, setupapi.dll, 75a30000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, apphelp.dll, 71760000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 200f14, 0, %windir%\system32\shdocvw.dll, 71210000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 200f14, 0, %windir%\system32\shell32.dll, 75bf0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, propsys.dll, 73f80000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, oleaut32.dll, 756a0000 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %TEMP%\, 0 ) Return: 0 2784
Add File Path: %TEMP%\nsl9D47.tmp Type: VSDT_EMPTY 2784
Delete File Path: %TEMP%\nsl9D47.tmp Type: VSDT_EMPTY 2784
Detection
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2784
File: %TEMP%\nsl9D47.tmp
Type: VSDT_EMPTY
Call Filesystem API API Name: DeleteFileW Args: ( %TEMP%\nsl9D47.tmp ) Return: 1 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( C:\Users, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( C:\Users\ADMINI~1, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %TEMP%, 0 ) Return: 0 2784
Call Filesystem API API Name: SetFileTime Args: ( 8, 2017-00-11/11:13:50, NULL, 2017-00-11/11:13:50 ) Return: 1 2784
Add File Path: %TEMP%\ie7.css Type: VSDT_ASCII 2784
Write File Path: %TEMP%\ie7.css Type: VSDT_ASCII 2784
Call Filesystem API API Name: SetFileTime Args: ( 8, 2017-00-11/11:33:40, NULL, 2017-00-11/11:33:40 ) Return: 1 2784
Add File Path: %TEMP%\home Type: VSDT_TEXT_HTML 2784
Write File Path: %TEMP%\home Type: VSDT_TEXT_HTML 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/11:53:28, NULL, 2017-00-11/11:53:28 ) Return: 1 2784
Add File Path: %TEMP%\xspSF.css Type: VSDT_ASCII 2784
Write File Path: %TEMP%\xspSF.css Type: VSDT_ASCII 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/11:32:16, NULL, 2017-00-11/11:32:16 ) Return: 1 2784
Add File Path: %TEMP%\favicon.ico959834085.x-icon Type: VSDT_COM_DOS 2784
Write File Path: %TEMP%\favicon.ico959834085.x-icon Type: VSDT_COM_DOS 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/12:05:26, NULL, 2017-00-11/12:05:26 ) Return: 1 2784
Add File Path: %TEMP%\facebook.png Type: VSDT_PNG 2784
Write File Path: %TEMP%\facebook.png Type: VSDT_PNG 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/11:13:40, NULL, 2017-00-11/11:13:40 ) Return: 1 2784
Add File Path: %TEMP%\feed Type: VSDT_TEXT_HTML 2784
Write File Path: %TEMP%\feed Type: VSDT_TEXT_HTML 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/12:05:30, NULL, 2017-00-11/12:05:30 ) Return: 1 2784
Add File Path: %TEMP%\print1777536650.css Type: VSDT_ASCII 2784
Write File Path: %TEMP%\print1777536650.css Type: VSDT_ASCII 2784
Call Filesystem API API Name: SetFileTime Args: ( 248, 2017-00-11/12:25:22, NULL, 2017-00-11/12:25:22 ) Return: 1 2784
Add File Path: %TEMP%\defense.7Bt Type: VSDT_COM_DOS 2784
Write File Path: %TEMP%\defense.7Bt Type: VSDT_COM_DOS 2784
Add File Path: %TEMP%\nsg9EFD.tmp Type: VSDT_EMPTY 2784
Delete File Path: %TEMP%\nsg9EFD.tmp Type: VSDT_EMPTY 2784
Detection
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2784
File: %TEMP%\nsg9EFD.tmp
Type: VSDT_EMPTY
Call Filesystem API API Name: DeleteFileW Args: ( %TEMP%\nsg9EFD.tmp ) Return: 1 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( C:\Users, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( C:\Users\ADMINI~1, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %TEMP%, 0 ) Return: 0 2784
Call Filesystem API API Name: CreateDirectoryW Args: ( %TEMP%\nsg9EFD.tmp, 12f6b4 ) Return: 1 2784
Add File Path: %TEMP%\nsg9EFD.tmp\System.dll Type: VSDT_DLL_W32 2784
Detection
Threat characteristic: Drops executable during installation
Dropping Process ID: 2784
File: %TEMP%\nsg9EFD.tmp\System.dll
Type: VSDT_DLL_W32
Write File Path: %TEMP%\nsg9EFD.tmp\System.dll Type: VSDT_DLL_W32 2784
Detection
Threat characteristic: Modifies file that can be used to infect systems
%TEMP%\nsg9EFD.tmp\System.dll
Call System API API Name: LdrLoadDll Args: ( 20e97c, 0, %TEMP%\nsg9efd.tmp\system.dll, 10000000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, cryptsp.dll, 74b90000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, %windir%\system32\rsaenh.dll, 74930000 ) Return: 0 2784
Call System API API Name: LdrLoadDll Args: ( 16ef14, 0, cryptbase.dll, 75030000 ) Return: 0 2784
Call System API API Name: CryptDeriveKey Args: ( 1fbb20, 6609, 1a9af8, 1, 12f4b8 ) Return: 1 2784
Call System API API Name: CryptDecrypt Args: ( 1a9f38, 0, 1, 0, 3240000, c73e3 ) Return: 1 2784
Call Process API API Name: CreateProcessW Args: ( %WorkingDir%\1001.exe, "%WorkingDir%\1001.exe", , , , CREATE_SUSPENDED, , , , Process:2844:%WorkingDir%\1001.exe ) Return: 1 2784
Call Thread API API Name: NtGetContextThread Args: ( 580, 12f094 ) Return: 0 2784
Call Thread API API Name: SetThreadContext Args: ( Process Name:2844:%WorkingDir%\1001.exe ) Return: 1 2784
Detection
Threat characteristic: Resides in memory to evade detection
Injecting Process ID: 2784
Injected API: SetThreadContext
Target Process ID: 2844
Target Image Path: %WorkingDir%\1001.exe
Call Filesystem API API Name: NtReadFile Args: ( 254, , , , , , 200, , ) Return: 0 2784
Add Registry Key Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\ Value: None 2784 2844
Add Registry Key Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\ Value: None 2784 2844
Write Registry Key Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\xi Value: 956D951EDA13BC116996 2784 2844
Add File Path: %ALLUSERSPROFILE%\Windows\csrss.exe Type: VSDT_EXE_W32 2784 2844
Detection
Threat characteristic: Drops fake system file
%ALLUSERSPROFILE%\Windows\csrss.exe
Detection
Threat characteristic: Drops executable during installation
Dropping Process ID: 2844
File: %ALLUSERSPROFILE%\Windows\csrss.exe
Type: VSDT_EXE_W32
Detection
Threat characteristic: Creates multiple copies of a file
%ALLUSERSPROFILE%\Windows\csrss.exe
Detection
Threat characteristic: Copies self
File is copied from %WorkingDir%\1001.exe to %ALLUSERSPROFILE%\Windows\csrss.exe
Write File Path: %ALLUSERSPROFILE%\Windows\csrss.exe Type: VSDT_EXE_W32 2784 2844
Detection
Threat characteristic: Modifies file that can be used to infect systems
%ALLUSERSPROFILE%\Windows\csrss.exe
Write Registry Key Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem Value: "%ALLUSERSPROFILE%\Windows\csrss.exe" 2784 2844
Detection
Threat characteristic: Adds Autorun in registry
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem
Value: "%ALLUSERSPROFILE%\Windows\csrss.exe"
Type: REG_SZ
Write Registry Key Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\xVersion Value: 4.0.0.1 2784 2844
Add File Path: %TEMP%\6893A5D897\state.tmp Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\state.tmp Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\state Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\unverified-microdesc-consensus.tmp Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\unverified-microdesc-consensus.tmp Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\unverified-microdesc-consensus Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\cached-certs.tmp Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-certs.tmp Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\cached-certs Type: VSDT_ASCII 2784 2844
Delete File Path: %TEMP%\6893A5D897\unverified-microdesc-consensus Type: VSDT_ASCII 2784 2844
Detection
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2844
File: %TEMP%\6893A5D897\unverified-microdesc-consensus
Type: VSDT_ASCII
Add File Path: %TEMP%\6893A5D897\cached-microdesc-consensus.tmp Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdesc-consensus.tmp Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\cached-microdesc-consensus Type: VSDT_ASCII 2784 2844
Add File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844
Write File Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII 2784 2844