Win32/Cerber

Forum for analysis and discussion about malware.
syntx
Posts: 5
Joined: Tue Dec 01, 2015 7:30 pm

Re: Win32/Cerber

Post by syntx » Mon Dec 26, 2016 11:11 pm

Has anyone speculated on how the ranges it sends stats to are picked? The early versions were kind of easy to follow, as it was only to acquire a server in the IP range; the past few months have, however, shown ranges without hosting providers, which points to the author using hacked servers as relays(?).
xors wrote: Edit: If I am not mistaken, they also changed the way that they decrypt the config. It looks like they use 'CryptEncrypt' WINAPI
Wasn't this something they did in earlier versions as well? (Know I've seen CryptEncrypt for decryption in a "recent" sample)

ikolor
Posts: 319
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Thu Dec 29, 2016 1:09 pm


Antelox
Posts: 251
Joined: Sun Mar 21, 2010 10:38 pm

Re: Malware collection

Post by Antelox » Thu Dec 29, 2016 1:26 pm

Check the comment, Locky encoded...

BR,

Antelox

ikolor
Posts: 319
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Thu Dec 29, 2016 1:29 pm

Check contents. It is something else?

benkow_
Posts: 85
Joined: Sat Jan 24, 2015 12:14 pm

Re: Malware collection

Post by benkow_ » Thu Dec 29, 2016 1:48 pm

ikolor wrote: Check contents. It is something else?
Nop, it's Locky XORed. Un-XORed: https://www.virustotal.com/fr/file/610e ... /analysis/

ikolor
Posts: 319
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Wed Jan 11, 2017 1:43 pm


maddog4012
Posts: 75
Joined: Mon Aug 04, 2014 6:53 pm

Re: Malware collection

Post by maddog4012 » Wed Jan 11, 2017 6:20 pm

Code:

1001.exe  CERBER
Event Type	Details	Parent PID	PID
Detection	
Threat characteristic: Attempts to connect to malicious host
Host: 208.83.223.34
Threat Name: CALLBACK_CRYPTOLOCK.WRS
		
Detection	
Threat characteristic: Rare executable file
Global Detections: 0
		
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\userenv.dll, 74790000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\setupapi.dll, 75a30000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\apphelp.dll, 71760000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\propsys.dll, 73f80000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\dwmapi.dll, 73c10000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\cryptbase.dll, 75030000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\oleacc.dll, 723b0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\clbcatq.dll, 75480000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\version.dll, 74630000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 195fe4, 0, %windir%\system32\shfolder.dll, 6b260000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, cryptbase.dll, 75030000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 1dda6c, 0, %windir%\system32\uxtheme.dll, 73f40000 ) Return: 0		2784
Call Window API	API Name: CreateWindowExW Args: ( 0, c03b, OleMainThreadWndName, 88000000, 80000000, 80000000, 80000000, 80000000, fffffffd, 0, 758d0000, 0 ) Return: 201d4		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, ole32.dll, 758d0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, ole32.dll, 758d0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, comctl32.dll, 740c0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, comctl32.dll, 740c0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, oleaut32.dll, 756a0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, clbcatq.dll, 75480000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 1e24a4, 0, %windir%\system32\propsys.dll, 73f80000 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local\Microsoft\Windows\Caches, 0 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, ntmarta.dll, 71e90000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, shell32.dll, 75bf0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, api-ms-win-security-sddl-l1-1-0.dll, 75bd0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, profapi.dll, 750e0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, setupapi.dll, 75a30000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, apphelp.dll, 71760000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 200f14, 0, %windir%\system32\shdocvw.dll, 71210000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 200f14, 0, %windir%\system32\shell32.dll, 75bf0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, propsys.dll, 73f80000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, oleaut32.dll, 756a0000 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%\, 0 ) Return: 0		2784
Add File	Path: %TEMP%\nsl9D47.tmp Type: VSDT_EMPTY		2784
Delete File	Path: %TEMP%\nsl9D47.tmp Type: VSDT_EMPTY		2784
Detection	
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2784
File: %TEMP%\nsl9D47.tmp
Type: VSDT_EMPTY
		
Call Filesystem API	API Name: DeleteFileW Args: ( %TEMP%\nsl9D47.tmp ) Return: 1		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: NtReadFile Args: ( 24c, , , , , , 200, , ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users\ADMINI~1, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%, 0 ) Return: 0		2784
Call Filesystem API	API Name: SetFileTime Args: ( 8, 2017-00-11/11:13:50, NULL, 2017-00-11/11:13:50 ) Return: 1		2784
Add File	Path: %TEMP%\ie7.css Type: VSDT_ASCII		2784
Write File	Path: %TEMP%\ie7.css Type: VSDT_ASCII		2784
Call Filesystem API	API Name: SetFileTime Args: ( 8, 2017-00-11/11:33:40, NULL, 2017-00-11/11:33:40 ) Return: 1		2784
Add File	Path: %TEMP%\home Type: VSDT_TEXT_HTML		2784
Write File	Path: %TEMP%\home Type: VSDT_TEXT_HTML		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/11:53:28, NULL, 2017-00-11/11:53:28 ) Return: 1		2784
Add File	Path: %TEMP%\xspSF.css Type: VSDT_ASCII		2784
Write File	Path: %TEMP%\xspSF.css Type: VSDT_ASCII		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/11:32:16, NULL, 2017-00-11/11:32:16 ) Return: 1		2784
Add File	Path: %TEMP%\favicon.ico959834085.x-icon Type: VSDT_COM_DOS		2784
Write File	Path: %TEMP%\favicon.ico959834085.x-icon Type: VSDT_COM_DOS		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/12:05:26, NULL, 2017-00-11/12:05:26 ) Return: 1		2784
Add File	Path: %TEMP%\facebook.png Type: VSDT_PNG		2784
Write File	Path: %TEMP%\facebook.png Type: VSDT_PNG		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/11:13:40, NULL, 2017-00-11/11:13:40 ) Return: 1		2784
Add File	Path: %TEMP%\feed Type: VSDT_TEXT_HTML		2784
Write File	Path: %TEMP%\feed Type: VSDT_TEXT_HTML		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/12:05:30, NULL, 2017-00-11/12:05:30 ) Return: 1		2784
Add File	Path: %TEMP%\print1777536650.css Type: VSDT_ASCII		2784
Write File	Path: %TEMP%\print1777536650.css Type: VSDT_ASCII		2784
Call Filesystem API	API Name: SetFileTime Args: ( 248, 2017-00-11/12:25:22, NULL, 2017-00-11/12:25:22 ) Return: 1		2784
Add File	Path: %TEMP%\defense.7Bt Type: VSDT_COM_DOS		2784
Write File	Path: %TEMP%\defense.7Bt Type: VSDT_COM_DOS		2784
Add File	Path: %TEMP%\nsg9EFD.tmp Type: VSDT_EMPTY		2784
Delete File	Path: %TEMP%\nsg9EFD.tmp Type: VSDT_EMPTY		2784
Detection	
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2784
File: %TEMP%\nsg9EFD.tmp
Type: VSDT_EMPTY
		
Call Filesystem API	API Name: DeleteFileW Args: ( %TEMP%\nsg9EFD.tmp ) Return: 1		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( C:\Users\ADMINI~1, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %USERPROFILE%\AppData\Local, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%, 0 ) Return: 0		2784
Call Filesystem API	API Name: CreateDirectoryW Args: ( %TEMP%\nsg9EFD.tmp, 12f6b4 ) Return: 1		2784
Add File	Path: %TEMP%\nsg9EFD.tmp\System.dll Type: VSDT_DLL_W32		2784
Detection	
Threat characteristic: Drops executable during installation
Dropping Process ID: 2784
File: %TEMP%\nsg9EFD.tmp\System.dll
Type: VSDT_DLL_W32
		
Write File	Path: %TEMP%\nsg9EFD.tmp\System.dll Type: VSDT_DLL_W32		2784
Detection	
Threat characteristic: Modifies file that can be used to infect systems
%TEMP%\nsg9EFD.tmp\System.dll
		
Call System API	API Name: LdrLoadDll Args: ( 20e97c, 0, %TEMP%\nsg9efd.tmp\system.dll, 10000000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, advapi32.dll, 76be0000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, cryptsp.dll, 74b90000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, %windir%\system32\rsaenh.dll, 74930000 ) Return: 0		2784
Call System API	API Name: LdrLoadDll Args: ( 16ef14, 0, cryptbase.dll, 75030000 ) Return: 0		2784
Call System API	API Name: CryptDeriveKey Args: ( 1fbb20, 6609, 1a9af8, 1, 12f4b8 ) Return: 1		2784
Call System API	API Name: CryptDecrypt Args: ( 1a9f38, 0, 1, 0, 3240000, c73e3 ) Return: 1		2784
Call Process API	API Name: CreateProcessW Args: ( %WorkingDir%\1001.exe, "%WorkingDir%\1001.exe", , , , CREATE_SUSPENDED, , , , Process:2844:%WorkingDir%\1001.exe ) Return: 1		2784
Call Thread API	API Name: NtGetContextThread Args: ( 580, 12f094 ) Return: 0		2784
Call Thread API	API Name: SetThreadContext Args: ( Process Name:2844:%WorkingDir%\1001.exe ) Return: 1		2784
Detection	
Threat characteristic: Resides in memory to evade detection
Injecting Process ID: 2784
Injected API: SetThreadContext
Target Process ID: 2844
Target Image Path: %WorkingDir%\1001.exe
		
Call Filesystem API	API Name: NtReadFile Args: ( 254, , , , , , 200, , ) Return: 0		2784
Add Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\ Value: None	2784	2844
Add Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\ Value: None	2784	2844
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\xi Value: 956D951EDA13BC116996	2784	2844
Add File	Path: %ALLUSERSPROFILE%\Windows\csrss.exe Type: VSDT_EXE_W32	2784	2844
Detection	
Threat characteristic: Drops fake system file
%ALLUSERSPROFILE%\Windows\csrss.exe
		
Detection	
Threat characteristic: Drops executable during installation
Dropping Process ID: 2844
File: %ALLUSERSPROFILE%\Windows\csrss.exe
Type: VSDT_EXE_W32
		
Detection	
Threat characteristic: Creates multiple copies of a file
%ALLUSERSPROFILE%\Windows\csrss.exe
		
Detection	
Threat characteristic: Copies self
File is copied from %WorkingDir%\1001.exe to %ALLUSERSPROFILE%\Windows\csrss.exe
		
Write File	Path: %ALLUSERSPROFILE%\Windows\csrss.exe Type: VSDT_EXE_W32	2784	2844
Detection	
Threat characteristic: Modifies file that can be used to infect systems
%ALLUSERSPROFILE%\Windows\csrss.exe
		
Write Registry Key	Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem Value: "%ALLUSERSPROFILE%\Windows\csrss.exe"	2784	2844
Detection	
Threat characteristic: Adds Autorun in registry
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem
Value: "%ALLUSERSPROFILE%\Windows\csrss.exe"
Type: REG_SZ
		
Write Registry Key	Key: HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration\xVersion Value: 4.0.0.1	2784	2844
Add File	Path: %TEMP%\6893A5D897\state.tmp Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\state.tmp Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\state Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\unverified-microdesc-consensus.tmp Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\unverified-microdesc-consensus.tmp Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\unverified-microdesc-consensus Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\cached-certs.tmp Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-certs.tmp Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\cached-certs Type: VSDT_ASCII	2784	2844
Delete File	Path: %TEMP%\6893A5D897\unverified-microdesc-consensus Type: VSDT_ASCII	2784	2844
Detection	
Threat characteristic: Deletes file to compromise the system or to remove traces of the infection
Process ID: 2844
File: %TEMP%\6893A5D897\unverified-microdesc-consensus
Type: VSDT_ASCII
		
Add File	Path: %TEMP%\6893A5D897\cached-microdesc-consensus.tmp Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdesc-consensus.tmp Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\cached-microdesc-consensus Type: VSDT_ASCII	2784	2844
Add File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Write File	Path: %TEMP%\6893A5D897\cached-microdescs.new Type: VSDT_ASCII	2784	2844
Last edited by EP_X0FF on Fri Jan 13, 2017 3:45 am, edited 1 time in total.
Reason: text wall removed

tWiCe
Posts: 49
Joined: Sat Jul 18, 2015 8:56 am

Re: Malware collection

Post by tWiCe » Thu Jan 12, 2017 5:39 pm

maddog4012, could you please use "code" tags for such long logs next time?

heart888
Posts: 18
Joined: Tue Mar 01, 2016 11:04 pm

Re: Win32/Cerber

Post by heart888 » Thu Jan 19, 2017 12:43 am

cerber

EX!
Posts: 35
Joined: Wed Jun 29, 2011 8:24 pm

Re: Win32/Cerber

Post by EX! » Thu Jan 26, 2017 3:45 pm

#Cerber.

https://www.virustotal.com/es/file/f4de ... 485445458/


SHA256: f4dee521502a89bcb0dbce3d894692ca9a37a3578759589d31e6fb5f154f2e7b
Name: 1
Detections: 9 / 56

Downloader -> hxxp://finestololoki.top/search.php