globeimposter

General

Target

e3f6878bcafe2463f6028956f44a6e74
Size

1.2MB
Sample

211215-j15csahaa7
MD5

e3f6878bcafe2463f6028956f44a6e74
SHA1

99373d51d3975bbdea8664cdd8ab48240cfe3e44
SHA256

37ff5b1492fe4e1083bdc87df3524d4ac7b5b604e71dfca3730a6527d3bb7d2a
SHA512

2dca531b8f9dd52d1fa29c910bde579d397bae65355544d9c7eeeb88f533fcc0713fa298fc52a2e44c839a332f38f5a712bf8453bd46b84fd17ed648816431b7

Score

10^/10

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��A1 23 1A A0 DA 6A 4E 3C BB 53 2A B6 30 DA A5 AE 05 D9 DE 56 93 2A 7E 28 3C 32 1B CF EF 9D DA 4F F0 79 7E 87 8C 85 C4 2B DA 11 AE 4A 69 AC B7 3F 2E 98 2D 76 08 95 42 2E 6F 42 9B CD 38 47 2E 25 83 EF 89 7D 60 06 35 E6 93 5F 32 A6 2D 32 15 84 CF 98 31 B4 B6 73 1F CF E4 ED 37 70 7D 41 B0 3B 14 8C C4 13 E7 F6 E2 C8 8B 9B D3 AB 9E 66 A5 F0 A3 EB 9D C2 C6 E0 A9 69 4E E1 72 06 08 95 52 E8 DB 1D 85 EB 33 74 F7 F3 9A EE AF 98 90 B4 62 E0 FF DE 6D 77 17 3B 16 4B 1C 6F 0A B5 62 4D C9 61 FF 0D A0 19 E3 DB 38 AE 04 0D 3B 8B 31 4B B4 96 15 F5 CE B1 E3 E8 13 D6 B1 45 8A 8D 23 06 5C 3D D3 E9 12 AB 88 6C CD 4C F2 A2 25 E3 97 78 A3 39 EB 34 9F D2 6A C6 FB DD DB CA FF 23 4C E9 C4 09 6C 42 47 F2 94 09 9E EF 8F 7C 4B AA 35 3C E5 2D AA 27 0A 3B CB 99 4F 9C 4F CB AF CC CB 5A 23 4A

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��52 71 C4 B4 5D 5B 9E 43 00 A6 3B 20 C7 4D 56 E4 B7 33 9B 87 EA 0D 7E A8 43 45 F3 B8 18 FF 31 BB B8 CC FC A8 F8 CD 9F 2A 9A 6F F1 15 55 87 27 6C D0 EE AD BC B0 05 C0 B2 40 00 58 4E 6A 73 DA 02 B1 3C 53 5D B7 24 BA F3 C9 EF 8C B0 11 3A 3C 84 5F C7 6E A4 B0 48 01 69 18 35 CD A8 44 74 29 65 F8 CA 72 18 6A D5 79 B4 9F 3A C8 3E 16 91 1E 64 45 AB 7C 20 3D E3 97 0B 21 04 4E 31 8A CE A2 25 FB B5 6F 91 AC 72 28 A7 87 EE CF A8 DE C4 2C 6C 34 32 1B A4 0F E5 8E CB B7 FA 5C 77 F0 D8 D7 19 0A 40 EB EB 8B A4 ED C0 F2 81 E9 09 09 F0 A4 72 AE DC BB 09 76 0A 95 EE 20 DB 27 79 F8 D5 AD A0 8A 9F 98 43 7F DF 8D 9B 14 D7 65 E6 98 74 E9 09 13 2E 04 AD AF 1B C5 9E E3 48 9E 23 1C 2E 5E B4 8C 9B 07 12 60 13 71 CA 0C 25 CF 19 E2 0E CD 37 4E 22 12 E3 13 A4 E8 19 D5 E4 A7 D9 67 FE A0 E7

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

- Target
  
  e3f6878bcafe2463f6028956f44a6e74
- Size
  
  1.2MB
- MD5
  
  e3f6878bcafe2463f6028956f44a6e74
- SHA1
  
  99373d51d3975bbdea8664cdd8ab48240cfe3e44
- SHA256
  
  37ff5b1492fe4e1083bdc87df3524d4ac7b5b604e71dfca3730a6527d3bb7d2a
- SHA512
  
  2dca531b8f9dd52d1fa29c910bde579d397bae65355544d9c7eeeb88f533fcc0713fa298fc52a2e44c839a332f38f5a712bf8453bd46b84fd17ed648816431b7
Score

10^/10

globeimposter persistence ransomware
- GlobeImposter
  GlobeImposter is a ransomware first seen in 2017.
  ransomware globeimposter
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Modifies extensions of user files

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2