General

  • Target

    70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin

  • Size

    51KB

  • Sample

    211223-1v3enscdhr

  • MD5

    82f5dbbe1726bb9005072690b201aaac

  • SHA1

    7aef263a300c999b2a3d7d459308db6fb1906790

  • SHA256

    70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d

  • SHA512

    3cf95d7960fc2385041c1f51efe2180c1576ba191cd2699d36161d6740ffcb316f5db08d014404da426018341c0c60e14e22e1cb9bfed6d540ce657aaba85dcb

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
04 55 84 DD 9F 0F ED BE 0B 94 B2 83 1D 3E FE B0 A1 05 E5 A5 35 67 8F 0F 17 61 49 5A 4D 44 50 64 6C BD 07 6D E4 8D 98 32 FE 9F 6E 16 59 4F 00 9D BC AC 08 3F 7C 39 BE 4E 85 00 AF 88 C2 A7 74 CC 98 AB 65 44 FB 74 4E E2 0F E4 53 32 53 33 09 40 4B 20 5A F2 B3 42 4E 21 B6 F0 EB 9E E6 E4 A4 2C 2E 9B 83 03 4D 63 42 8D 88 82 1A C0 35 02 C6 DD 25 B8 0C 55 F2 2D 3D 5A 7E 84 D4 8E 7E 42 2C 09 4F D6 82 BA 14 F7 C4 50 A8 7C DB D8 6B F0 D7 59 66 F6 15 C0 D7 0A 56 FC A0 C2 6F BD 8C 49 46 8C 76 0F 79 88 92 CB 98 B3 8D 44 56 4B C7 4A 11 7D 5D 8D BC 3F EE B8 E2 EF 5C 23 31 43 1F 23 53 0E 1A 6B 82 C7 70 7E EA DA 3D CF 3E A4 90 E1 C6 F9 FC DE 3C 64 7A 76 F6 1A 9A A4 F4 86 EF 1C 1B 8D A4 5D 7A 4F BC D7 9B 5D 2A 37 AC 37 11 EB DC 7D 65 F8 24 06 CB DD 79 62 FA 28 C8 0A C0 CE A1 40
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.bin

    • Size

      51KB

    • MD5

      82f5dbbe1726bb9005072690b201aaac

    • SHA1

      7aef263a300c999b2a3d7d459308db6fb1906790

    • SHA256

      70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d

    • SHA512

      3cf95d7960fc2385041c1f51efe2180c1576ba191cd2699d36161d6740ffcb316f5db08d014404da426018341c0c60e14e22e1cb9bfed6d540ce657aaba85dcb

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks