General

  • Target

    60b28ad78be40bbc9d08b91b21c5d4e07c6952f5be5e32eacee6d055e0279b12

  • Size

    53KB

  • Sample

    220201-gw1spahhbj

  • MD5

    a0e495354a1e55ace1c808bf7b9539a2

  • SHA1

    72bbef2b0f97567844c33ec22b1b3470057e2546

  • SHA256

    60b28ad78be40bbc9d08b91b21c5d4e07c6952f5be5e32eacee6d055e0279b12

  • SHA512

    d5beb7baaa34249c2f6b6ce87263b9008616241de05fac6626ca275488a3c0e239f9f1c74144d3199a9ade02a15bb9103ebbb3ba741ac1ad09177302b3fec308

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>12 53 B7 1A 58 53 DE 05 26 AC 33 22 BA 63 E5 33 58 74 9A 1A 80 A5 67 CE 52 B8 F8 BA 1D 27 D8 25 A9 57 7C 55 A6 ED 7A 20 F3 C9 A7 08 3C D0 76 98 C0 63 27 3E 38 18 61 55 F1 CE C9 37 DB CF 2F FB 66 69 2C 7A 8F A2 42 CA 5D 14 36 48 63 71 25 7B C4 46 AF BE A5 A8 11 18 BA 9C 02 87 EA 41 DE B9 84 14 11 A6 70 7B B2 37 8C 50 C7 DD AB 42 9F 5E B8 2E F0 F1 6B 06 59 AA 3C 36 E4 12 60 47 A9 D2 E8 25 D8 DA 8D 50 A4 13 E2 26 5B D1 A3 2F 3C 41 35 6C A1 1F 9B 15 23 22 5C 5B EE 66 70 A4 BA 2F B2 3C A2 E3 1C 13 FB F2 77 B4 7B 46 76 61 8A D1 6A 4A 67 2E E5 78 DC 02 F0 E8 F1 94 DD F1 79 0B 73 09 68 79 F7 C0 A8 FE 82 79 0E 8E 9C 7B 9A 60 6E 75 AF 4B F1 D4 98 4B 2A C6 3E 83 7B 09 81 C2 74 36 9B E3 5B D6 A8 71 FA 7C 33 9D 4A 96 E4 E3 E2 D7 2D 3F 1F CC BE E1 78 51 0D 54 3D 80 87 72 </pre><!-- !!! dont changing this !!! 
--> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div class="bold"> <div align="left">Your important documents, databases, programs, saving games, documents, network folders are encrypted for your network security problems.</div> </div> <div class="bold">No data from your computer was not stolen or removed.</div> <div class="bold">To restore your files, follow the instructions.</div> <div> <h2 align="left">How to get the automatic decryptor:</h2> <div class="bold" align="left">1) Create a Wallet and buy Bitcoins </div> <div class="note xx"> <div align="left"> </div> <div align="left"> <strong>Create Bitcoin Wallet of these sites:</strong> </div> <li><strong>https://blockchain.info/wallet</strong></li> <div align="left"> <strong>Buy BTC on one of these sites:</strong> </div> <div align="left"> <ol> <li><strong>https://localbitcoins.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>https://www.bestchange.com</strong></li> </ol> </div> <div align="left"> </div> </div> </div> <div> </div> <div class="bold"><p>2) Contact us by email : <span class="mark">[email protected]</span>. 
and <span class="mark">[email protected]</span> In the letter include your personal ID (look at the beginning of this document)</p> </div> <div class="bold"> <p>3) After answering your inquiry, our operator will give you further instructions, which will be shown what to do next (the answer you get as soon as possible)</p> <div class="bold"> </div> <div><p>* To be sure in getting the decryption you can send 1-2 encrypted files to <span class="mark">[email protected]</span> In the letter include your personal ID (look at the beginning of this document).</p> </div> <div><p>** Write here on the mail for a faster response [email protected] <div class="note alert"> <div class="title">Attention!</div> <ul><li>Do not attempt to remove the program or run the anti-virus tools.</li> <li>Attempts to self-decrypting files will result in the loss of your data.</li> <li>Decoders are not compatible with other users of your data, because each user's unique encryption key.</li> <li>We are not liars or cheaters. You pay - we help.</li> </ul> </div> </body> </html>
Emails

[email protected]

[email protected]

[email protected]

Targets

    • Target

      60b28ad78be40bbc9d08b91b21c5d4e07c6952f5be5e32eacee6d055e0279b12

    • Size

      53KB

    • MD5

      a0e495354a1e55ace1c808bf7b9539a2

    • SHA1

      72bbef2b0f97567844c33ec22b1b3470057e2546

    • SHA256

      60b28ad78be40bbc9d08b91b21c5d4e07c6952f5be5e32eacee6d055e0279b12

    • SHA512

      d5beb7baaa34249c2f6b6ce87263b9008616241de05fac6626ca275488a3c0e239f9f1c74144d3199a9ade02a15bb9103ebbb3ba741ac1ad09177302b3fec308

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets service image path in registry

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks