SHA256: e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16
File name: cerber_payload.exe
Detection ratio: 14 / 55
Analysis date: 2016-03-03 19:07:00 UTC ( 1 year, 8 months ago )
Antivirus Result Update
Ad-Aware Gen:Heur.Zygug.2 20160303
Arcabit Trojan.Zygug.2 20160303
AVware Trojan.Win32.Agent.wbc (v) 20160303
BitDefender Gen:Heur.Zygug.2 20160303
DrWeb DLOADER.Trojan 20160303
Emsisoft Gen:Heur.Zygug.2 (B) 20160229
F-Secure Gen:Heur.Zygug.2 20160303
GData Gen:Heur.Zygug.2 20160303
Ikarus Trojan-Ransom.Win32.Blocker 20160303
McAfee-GW-Edition BehavesLike.Win32.Virut.ch 20160303
Microsoft Trojan:Win32/Toga!rfn 20160303
eScan Gen:Heur.Zygug.2 20160303
Qihoo-360 QVM20.1.Malware.Gen 20160303
VIPRE Trojan.Win32.Agent.wbc (v) 20160303
AegisLab 20160303
Yandex 20160302
AhnLab-V3 20160303
Alibaba 20160303
ALYac 20160303
Antiy-AVL 20160303
Avast 20160303
AVG 20160303
Avira (no cloud) 20160303
Baidu-International 20160303
Bkav 20160303
ByteHero 20160303
CAT-QuickHeal 20160303
ClamAV 20160302
CMC 20160303
Comodo 20160303
Cyren 20160303
ESET-NOD32 20160303
F-Prot 20160303
Fortinet 20160303
Jiangmin 20160303
K7AntiVirus 20160303
K7GW 20160303
Kaspersky 20160303
Malwarebytes 20160303
McAfee 20160303
NANO-Antivirus 20160303
nProtect 20160303
Panda 20160303
Rising 20160302
Sophos AV 20160303
SUPERAntiSpyware 20160303
Symantec 20160303
Tencent 20160303
TheHacker 20160302
TrendMicro 20160303
TrendMicro-HouseCall 20160303
VBA32 20160303
ViRobot 20160303
Zillya 20160303
Zoner 20160303
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-02-23 08:07:31
Entry Point 0x00006BED
Number of sections 5
PE sections
PE imports
RegCreateKeyExW
CryptDestroyKey
RegCloseKey
ConvertSidToStringSidW
SetEntriesInAclW
OpenServiceW
AdjustTokenPrivileges
ControlService
CryptEncrypt
LookupPrivilegeValueW
RegOpenKeyExW
RegDeleteKeyW
DeleteService
RegSetValueW
CheckTokenMembership
RegQueryValueExW
CloseServiceHandle
RegFlushKey
ConvertStringSecurityDescriptorToSecurityDescriptorW
CreateWellKnownSid
OpenProcessToken
DuplicateToken
RegEnumKeyW
RegOpenKeyW
CreateServiceW
GetTokenInformation
SetServiceStatus
RegisterServiceCtrlHandlerW
RegEnumKeyExW
CryptAcquireContextW
GetLengthSid
CryptGetKeyParam
CreateProcessAsUserW
RegDeleteValueW
RegSetValueExW
EnumDependentServicesW
OpenSCManagerW
RegEnumValueW
AllocateAndInitializeSid
InitiateSystemShutdownExW
QueryServiceStatusEx
StartServiceCtrlDispatcherW
FreeSid
SetKernelObjectSecurity
SetNamedSecurityInfoW
CryptStringToBinaryA
CertFreeCertificateContext
CryptBinaryToStringA
CryptQueryObject
CertFindCertificateInStore
CryptDecodeObjectEx
CryptMsgGetParam
CryptImportPublicKeyInfo
CertGetNameStringW
GetDriveTypeW
FileTimeToSystemTime
WaitForSingleObject
GetHandleInformation
GetFileAttributesW
GetProcessHeaps
GetExitCodeProcess
DeleteCriticalSection
GetCurrentProcess
SetErrorMode
GetLogicalDrives
lstrcatW
GetFileTime
WideCharToMultiByte
lstrcmpiA
WriteFile
HeapReAlloc
SetEvent
LocalFree
FormatMessageW
ResumeThread
InitializeCriticalSection
OutputDebugStringW
FindClose
QueryDosDeviceW
MoveFileW
SetFileAttributesW
OutputDebugStringA
GetEnvironmentVariableW
SetLastError
CopyFileW
WriteProcessMemory
LoadResource
GetModuleFileNameW
ExitProcess
GetModuleFileNameA
HeapSetInformation
SetThreadPriority
GetVolumeInformationW
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
FlushInstructionCache
GetModuleHandleA
CreateThread
MoveFileExW
GetSystemDirectoryW
CreateMutexW
SetPriorityClass
TerminateProcess
SearchPathW
SetCurrentDirectoryW
GetCurrentThreadId
HeapCreate
CreateToolhelp32Snapshot
GetSystemWow64DirectoryW
HeapFree
EnterCriticalSection
LoadLibraryW
GetVersionExW
FreeLibrary
GetTickCount
IsBadWritePtr
TlsAlloc
VirtualProtect
FlushFileBuffers
lstrcmpiW
RtlUnwind
GetWindowsDirectoryW
GetFileSize
OpenProcess
GetDateFormatW
ReadProcessMemory
CreateDirectoryW
DeleteFileW
WaitForMultipleObjects
GetProcessHeap
GetTempFileNameW
CreateFileMappingW
GetTimeFormatW
lstrcpyW
GetFileSizeEx
ExpandEnvironmentStringsW
FindNextFileW
WTSGetActiveConsoleSessionId
lstrcpyA
HeapValidate
GetComputerNameA
FindFirstFileW
GetProcAddress
CreateEventW
CreateFileW
HeapAlloc
LeaveCriticalSection
GetNativeSystemInfo
GetLastError
VirtualAllocEx
GetSystemInfo
lstrlenA
FindResourceW
GetSystemWindowsDirectoryW
SetProcessShutdownParameters
lstrlenW
WinExec
Process32NextW
VirtualFree
FileTimeToLocalFileTime
SizeofResource
GetCurrentProcessId
LockResource
SetFileTime
GetCommandLineW
Process32FirstW
GetCurrentThread
lstrcpynW
MapViewOfFile
SetFilePointer
ReadFile
CloseHandle
OpenMutexW
lstrcpynA
GetModuleHandleW
FreeResource
IsBadStringPtrW
UnmapViewOfFile
GetTempPathW
CreateProcessW
Sleep
IsBadReadPtr
IsBadStringPtrA
IsBadCodePtr
VirtualAlloc
WNetEnumResourceW
WNetCloseEnum
WNetOpenEnumW
NetUserEnum
NetUserGetInfo
NetApiBufferFree
SysFreeString
VariantClear
SysAllocString
GetModuleFileNameExW
SHChangeNotify
SHGetFolderPathW
ShellExecuteW
ShellExecuteExW
CommandLineToArgvW
StrCmpNIW
StrSpnW
StrSpnA
StrCmpNIA
StrChrW
StrChrIW
StrChrA
StrCmpIW
StrChrIA
PathCombineW
PathRemoveExtensionW
StrStrIA
PathMatchSpecW
StrToInt64ExA
StrStrIW
StrToIntW
StrCmpNW
PathUnquoteSpacesW
PathFindFileNameW
StrPBrkA
StrCpyNW
PathSkipRootW
StrPBrkW
GetUserObjectInformationW
GetForegroundWindow
GetPropW
DefWindowProcW
FindWindowW
EnumWindowStationsW
GetShellWindow
OpenInputDesktop
SetPropW
GetWindowThreadProcessId
GetSystemMetrics
MessageBoxW
PeekMessageW
RegisterClassExW
OpenWindowStationW
SetProcessWindowStation
TranslateMessage
GetProcessWindowStation
DispatchMessageW
RegisterClassW
UnregisterClassW
GetKeyboardLayoutList
CharLowerBuffA
GetLastInputInfo
CloseWindowStation
wsprintfA
CreateWindowExW
wsprintfW
ExitWindowsEx
CreateEnvironmentBlock
DestroyEnvironmentBlock
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCloseHandle
InternetOpenA
InternetConnectA
InternetCrackUrlA
htonl
socket
inet_addr
WSAStartup
gethostbyname
shutdown
sendto
inet_ntoa
htons
closesocket
WTSQueryUserToken
CheckSumMappedFile
ZwOpenProcess
_alldiv
ZwOpenSection
_chkstk
RtlDosPathNameToNtPathName_U
memmove
_allmul
ZwOpenDirectoryObject
memset
isspace
NtDeleteFile
ZwSuspendProcess
_aulldvrm
RtlFreeUnicodeString
ZwQueryInformationProcess
ZwClose
memcpy
NtQueryVirtualMemory
CoInitializeEx
CoUninitialize
CoInitialize
CoCreateInstance
CoInitializeSecurity
CoSetProxyBlanket
Number of PE resources by type
RT_RCDATA 1
Number of PE resources by language
NEUTRAL 1
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2016:02:23 09:07:31+01:00
FileType Win32 EXE
PEType PE32
CodeSize 81408
LinkerVersion 10.0
FileTypeExtension exe
InitializedDataSize 32256
SubsystemVersion 5.1
EntryPoint 0x6bed
OSVersion 5.1
ImageVersion 0.0
UninitializedDataSize 0

Compressed bundles
File identification
MD5 9a7f87c91bf7e602055a5503e80e2313
SHA1 193f407a2f0c7e1eaa65c54cd9115c418881de42
SHA256 e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16
ssdeep 3072:yGdtoUTLVtbfcgYMIAN06WJBmc+sFqxF5QIPxdt:yGdtoUTDbfZRgJBmce+Ift

authentihash 141198b97d5dedcf4afcef50cb70fa374084d08870fe90d1060e9c202a77df12
imphash e58257679a7b694b926252a661453ab3
File size 112.0 KB ( 114688 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags
peexe suspicious-udp

VirusTotal metadata
First submission 2016-03-03 19:07:00 UTC ( 1 year, 8 months ago )
Last submission 2017-02-23 12:07:29 UTC ( 9 months ago )
File names _003C0000.mem
cmdkey.exe
e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.bin.exe
1.exe
2016-0-neutrino.mem.exe
icardagt.exe
localfile~
ReAgentc.exe
cerber_payload.exe
e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.bin
Advanced heuristic and reputation engines
TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R047C0DC716.

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
HTTP requests
DNS requests
TCP connections
UDP communications