General

  • Target

    d24c1c9f8c5abd584f6e120c9c2e4cca

  • Size

    320KB

  • Sample

    211211-bq8y8aadg3

  • MD5

    d24c1c9f8c5abd584f6e120c9c2e4cca

  • SHA1

    77c65eff3bdbb9c3b42cc0fc3285577cd999167a

  • SHA256

    38df9f7ee6504ebae134f8f446caaa0cf9f7c2c258f51023bc7eddd68e5aad12

  • SHA512

    57370b7970c9bd4fa713f95a1799c8cdcb4857a4962357f1004a18b85ba8856af1273b0f9ef9aaffe54b7cb6cb8e71d60aebcd460caf789de5f9a3607e46eaea

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/


Targets

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

Tasks