General

  • Target

    f1120dd5877608ba10b3dd109545192db6f2f61903756cbc9ca0b6c51cd0785c

  • Size

    53KB

  • Sample

    220211-g53cwadden

  • MD5

    d28db79b4269e2ffe418cb4fbb691e32

  • SHA1

    8e2eb6471e92de8e58a0007bf362bf5f8794b09f

  • SHA256

    f1120dd5877608ba10b3dd109545192db6f2f61903756cbc9ca0b6c51cd0785c

  • SHA512

    473e920185308b2a7e3cd9e88fa003a592ea1d53037729d9ef72c0118f7099732f08c3a6220c56dc591d37b3104075fe218c7db8e977d90f2f03771db5878af8

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #ff0000; } .tabs1 .identi { text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; /*height: 30px;*/ background: red; } .tabs .tab{ /*float: left;*/ display: inline-block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 15px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #ff0000; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 100%; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; outline: 1px solid red; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="on" id="tab1" /> <div id="tab-content1" class="content"> <h1>Your files are encrypted! 
</h1> <hr/> <div class="text"> <!--text data --> <center>Don't worry, you can return all your files!<br> All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.<br> The only method of recovering files is to purchase decrypt tool and unique key for you.<br> This software will decrypt all your encrypted files.</center> <br> <center>----------------------------------------------------------</center> To start the recovery process: <ul><li>Register email box to protonmail.com or cock.li (do not waste time sending letters from your standard email address, they will all be blocked). <li>Send a email from your new email address to: <strong> [email protected] </strong> with your personal ID.</li> <li>In response, we will send you further instructions on decrypting your files.</li></ul> <center>---------------------------------------------------------</center> <strong>Your personal ID:</strong> <pre>7C FC 1D 2D 48 4F 44 9A 69 13 09 33 18 E3 DE 99 D8 24 B0 A8 6E 98 62 D2 E2 E7 A3 BA 53 36 F1 DD FF 50 0F 1C 15 D9 75 5B AB 1B 4E 68 57 06 26 E7 63 86 8E 44 D9 7A B3 53 16 B5 DD 6E 8C EB 23 A0 B5 45 AF 1F 77 98 59 84 A1 32 68 F9 4E AC C8 12 FC 4C DC 8D 7A 77 C0 66 41 E3 42 3B 47 53 E9 76 D2 F1 F1 DD DC D3 63 54 4F 14 99 D7 EF 74 63 00 05 F7 EC 49 6E 43 1F 60 E6 AE BF 46 A8 12 02 2F 4A 15 6A 8C 07 E6 FE 24 63 A9 47 06 DD 24 7B C2 40 B4 2A C2 18 36 5B 7A D7 E8 23 A5 1E AE 69 EB 83 AF 5F BD 9A 67 18 77 0C FC 60 86 A8 61 4C 06 1B A4 3A 5E 63 19 5B 91 F0 95 9A 3F C7 2F D0 79 05 EE BA A8 7D 03 98 69 EA CB 5D E8 EC 03 50 86 59 CF 1F 57 C1 F5 52 E7 A0 7D FD CC 34 B4 9E B3 B2 42 F0 4C 77 B5 14 BB A0 DF 6C D9 7F 0B 36 1F 62 24 C0 FC E1 EE 7D 90 70 26 D0 FC A2 BD 73 91 </pre> <center>----------------------------- P.S. 
----------------------------------</center> <ul><li>It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.</li> <li>Check the folder "Spam" when waiting for an email from us.</li> <li>If we do not respond to your message for more than 48 hours, write to the backup email : <strong> [email protected] and [email protected] </strong></li> <li>-----------</li> <li>Q: Did not receive an answer?</li> <li>A: Check the SPAM folder.</li> <li>Q: My spam folder is empty, what should I do?</li> <li>A: Register email box to protonmail.com or cock.li and do the steps above.</li></ul> <!--text data --> </div> </div> </div> </body> </html>
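Two things a responder usually wants from a report like this: a quick check that the file on their disk really is the sample the report describes, and the contact addresses plus the per-victim ID pulled out of the dropped note so they can be matched against other infections. The personal ID in the note above decodes to 256 bytes (2048 bits), a length consistent with an RSA-2048 ciphertext, although the report itself does not say what the ID encodes. The script below is an added example and is not code from the sandbox or from the malware; the digests are copied from the report, the note it parses is a constructed copy of the note's template with placeholder addresses (the page shows the real ones obfuscated) and an ID cut down to 32 bytes.

```python
"""Triage helpers for this sample: confirm a file on hand is the reported
sample, and pull the contact addresses and per-victim ID out of the dropped
note. Added example; not the sandbox's or the malware's own code."""
import hashlib
import re

# Digests listed in the report above.
REPORT_HASHES = {
    "md5": "d28db79b4269e2ffe418cb4fbb691e32",
    "sha1": "8e2eb6471e92de8e58a0007bf362bf5f8794b09f",
    "sha256": "f1120dd5877608ba10b3dd109545192db6f2f61903756cbc9ca0b6c51cd0785c",
    "sha512": "473e920185308b2a7e3cd9e88fa003a592ea1d53037729d9ef72c0118f7099732f08c3a6220c56dc591d37b3104075fe218c7db8e977d90f2f03771db5878af8",
}


def is_reported_sample(data: bytes) -> bool:
    """True only when every digest of `data` matches the report."""
    return all(getattr(hashlib, alg)(data).hexdigest() == digest
               for alg, digest in REPORT_HASHES.items())


def parse_note(html: str) -> dict:
    """Extract title, contact addresses and the personal ID from a note.

    The ID sits inside <pre> as space-separated hex bytes; extracted copies
    often carry stray non-text bytes ahead of it (rendered as U+FFFD on the
    report page), so only whole two-digit hex tokens are kept.
    """
    title = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    pre = re.search(r"<pre>(.*?)</pre>", html, re.I | re.S)
    tokens = re.findall(r"\b[0-9A-Fa-f]{2}\b", pre.group(1)) if pre else []
    personal_id = bytes(int(t, 16) for t in tokens)
    contacts = sorted(set(re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", html)))
    return {
        "title": title.group(1).strip() if title else None,
        "contacts": contacts,
        "personal_id": personal_id,
        "id_bits": len(personal_id) * 8,
        # Stable fingerprint for correlating victims without sharing the ID.
        "id_sha256": hashlib.sha256(personal_id).hexdigest(),
    }


# Constructed note modelled on the page's template. Addresses are placeholders
# (the page shows them obfuscated) and the ID is cut to 32 bytes.
SAMPLE_NOTE = """<html><head><meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title></head><body>
<h1>Your files are encrypted!</h1>
<ul><li>Send a email from your new email address to: <strong> support@example.invalid </strong>
with your personal ID.</li>
<li>If we do not respond to your message for more than 48 hours, write to the backup
email : <strong> backup@example.invalid and backup2@example.invalid </strong></li></ul>
<strong>Your personal ID:</strong> <pre>\ufffd\ufffd7C FC 1D 2D 48 4F 44 9A 69 13 09 33 18 E3 DE 99
D8 24 B0 A8 6E 98 62 D2 E2 E7 A3 BA 53 36 F1 DD</pre>
</body></html>"""


if __name__ == "__main__":
    info = parse_note(SAMPLE_NOTE)
    print(info["title"], info["contacts"], info["id_bits"], "bits")
    print("sample file matches report:", is_reported_sample(SAMPLE_NOTE.encode()))
```

Run `parse_note` over the real `C:\how_to_back_files.html` from an infected host and `id_bits` comes out as 2048; `id_sha256` gives a value that can be shared between teams to tell whether two hosts carry the same per-victim ID without circulating the ID itself.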

Targets

    • Target

      f1120dd5877608ba10b3dd109545192db6f2f61903756cbc9ca0b6c51cd0785c

    • Size

      53KB

    • MD5

      d28db79b4269e2ffe418cb4fbb691e32

    • SHA1

      8e2eb6471e92de8e58a0007bf362bf5f8794b09f

    • SHA256

      f1120dd5877608ba10b3dd109545192db6f2f61903756cbc9ca0b6c51cd0785c

    • SHA512

      473e920185308b2a7e3cd9e88fa003a592ea1d53037729d9ef72c0118f7099732f08c3a6220c56dc591d37b3104075fe218c7db8e977d90f2f03771db5878af8

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials. On a ransomware sample this signature can also fire simply because the encryptor enumerates and reads files under the browser profile directory, so on its own it is not evidence of credential theft.

    • Adds Run key to start application

    • Drops desktop.ini file(s)
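The three behaviours in the signature list that matter for detection are the Run-key write (persistence), the extension changes on user files (the encryption itself) and the dropped note at C:\how_to_back_files.html. The following is an added example, not the sandbox's rules or export format, that runs those three checks over a stream of host events. The event shape is an assumption modelled loosely on Sysmon records (EventID 11 for file creation, EventID 13 for a registry value set); the process path, the victim paths and the `.enc` extension in the constructed stream are placeholders, not values observed for this sample.

```python
"""Detection heuristics for the three behaviours the sandbox flagged:
Run-key persistence, mass extension changes and ransom-note drops.
Added example; the event shape is a constructed, Sysmon-like record
(EventID 11 = FileCreate, EventID 13 = RegistryEvent value set) and is an
assumption, not the sandbox's own export format."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ntpath  # Windows path handling regardless of the analyst's OS

RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run\\",
            "\\microsoft\\windows\\currentversion\\runonce\\")
NOTE_NAMES = {"how_to_back_files.html"}  # from the report's extracted config
DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".sql"}
WINDOW = timedelta(seconds=60)
THRESHOLD = 10


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def appended_extension(path):
    """'report.docx.abc' -> ('.docx', '.abc'); None when the inner extension is
    not a user-document type or the outer one is itself a document type."""
    root, outer = ntpath.splitext(ntpath.basename(path))
    _, inner = ntpath.splitext(root)
    if outer and inner.lower() in DOC_EXTS and outer.lower() not in DOC_EXTS:
        return inner.lower(), outer.lower()
    return None


def find_run_key_persistence(events):
    """Registry value writes under ...\\CurrentVersion\\Run or RunOnce."""
    return [(e["Image"], e["TargetObject"], e.get("Details"))
            for e in events
            if e.get("EventID") == 13
            and any(k in e.get("TargetObject", "").lower() for k in RUN_KEYS)]


def find_note_drops(events):
    """File creations whose basename is a known ransom-note name."""
    return [(e["Image"], e["TargetFilename"])
            for e in events
            if e.get("EventID") == 11
            and ntpath.basename(e["TargetFilename"]).lower() in NOTE_NAMES]


def find_mass_rename(events, window=WINDOW, threshold=THRESHOLD):
    """One process writing >= threshold files with the same appended extension
    inside a sliding window. Returns [(image, new_ext, peak_count)]."""
    per_image = defaultdict(list)
    for e in events:
        if e.get("EventID") != 11:
            continue
        hit = appended_extension(e["TargetFilename"])
        if hit:
            per_image[e["Image"]].append((parse_ts(e["UtcTime"]), hit[1]))
    alerts = []
    for image, items in per_image.items():
        items.sort()
        best, start = (0, None), 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            ext, n = Counter(x for _, x in items[start:end + 1]).most_common(1)[0]
            best = max(best, (n, ext))
        if best[0] >= threshold:
            alerts.append((image, best[1], best[0]))
    return alerts


def constructed_events():
    """Synthetic event stream: benign noise plus the three flagged behaviours.
    Paths, the process name and the '.enc' extension are placeholders."""
    t0 = datetime(2022, 2, 11, 10, 0, 0)
    mal = "C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe"

    def ts(sec):
        return (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%d %H:%M:%S")

    ev = [
        {"EventID": 11, "UtcTime": ts(0), "Image": "C:\\Windows\\explorer.exe",
         "TargetFilename": "C:\\Users\\victim\\Documents\\notes.txt"},
        {"EventID": 11, "UtcTime": ts(1), "Image": "C:\\Program Files\\Office\\WINWORD.EXE",
         "TargetFilename": "C:\\Users\\victim\\Documents\\draft.docx"},
        {"EventID": 13, "UtcTime": ts(2), "Image": mal,
         "TargetObject": "HKU\\victim\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sample",
         "Details": mal},
        {"EventID": 11, "UtcTime": ts(3), "Image": mal,
         "TargetFilename": "C:\\how_to_back_files.html"},
    ]
    for i in range(12):
        ev.append({"EventID": 11, "UtcTime": ts(4 + i), "Image": mal,
                   "TargetFilename": f"C:\\Users\\victim\\Documents\\file{i}.docx.enc"})
    return ev


if __name__ == "__main__":
    events = constructed_events()
    print("run key:", find_run_key_persistence(events))
    print("note drops:", find_note_drops(events))
    print("mass rename:", find_mass_rename(events))
```

The note-name and Run-key checks are exact and cheap; the extension heuristic is the one to tune, since a backup agent or an archiver can also create many double-extension files in a minute, so `THRESHOLD` and `DOC_EXTS` should be set from a baseline of the environment's own file activity before the rule is allowed to page anyone.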

MITRE ATT&CK Enterprise v6

Tasks