General
-
Target
f973d9e1e4be678056cc402a8e72e474fcfca0799938fc89e0f6cdcf9203c0a2
-
Size
53KB
-
Sample
220211-g5g2yabgc4
-
MD5
d0422977806bae4cfe7d440920a0b00c
-
SHA1
3c92b7949783dd84ff86319b7780506cfc4e2853
-
SHA256
f973d9e1e4be678056cc402a8e72e474fcfca0799938fc89e0f6cdcf9203c0a2
-
SHA512
7bb49a62890d82006ab8fb99019aed1da6c611c52ec8f2aa885fdff67352ce47c9b2c748592e3673882a7733fe396f202d13a46e006fa3d32ccdbd27920119ad
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������19 8B ED BE DB D3 E8 D2 3D 41 E9 9A 3B 1A 10 67
7E 11 D6 97 14 29 D3 17 BE 91 80 0A 82 14 7E 5F
56 2A F9 0D 21 DA 82 02 57 85 65 A0 9E 7D F3 9E
61 7F CE D2 09 52 E2 99 BE D4 15 71 0F 12 AD BA
85 97 76 45 61 D4 25 1F DE 96 AA F9 76 A8 EF C2
99 15 6F 90 E4 A7 20 5D 5B 1C 9A CE 43 76 A1 BF
85 EC 14 05 64 F7 09 67 1F 50 B4 BD EF 02 E2 5D
F8 B1 A5 99 A4 7F 7A 66 63 BC 94 24 6F C4 86 27
31 81 0D EE D2 72 D9 5F FD 69 65 69 85 A8 DF E3
A2 D7 FF C4 C8 77 C6 9B 74 D7 E3 2D CB 8D 24 A1
BF 71 77 7D C9 F7 BD 15 88 E0 E2 74 6C 7B EE DA
40 23 2E 3C F9 AE EE 37 28 38 59 76 02 73 61 C9
B8 A9 E5 4E D8 E3 05 20 E7 EF FC 36 56 42 05 32
B3 09 3E 02 3F 9B 2E 46 39 62 88 5A 3C B0 65 0D
A2 F7 49 17 1D 60 6C 8F F2 C3 37 2D 90 66 98 8C
99 26 02 4A 70 EB E7 7D D6 3C A1 40 50 65 C7 B9
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������26 48 E5 AC BF 1B 14 5D 98 74 54 35 01 1F 88 13
7E 20 B6 0A C7 A5 BC 36 F6 E2 A0 A9 D8 B4 CD CA
DC DA 2F 1A F3 E8 B2 13 5E A3 22 FE 6A C6 51 83
12 6B 37 E6 5A 49 E9 7C 64 A7 1A 31 63 75 0B A3
5B 07 95 4E 6C BF 93 51 B5 92 6C 8F 24 4A 15 1C
B5 53 3F 7B DD FF 7C EB 82 98 80 D7 BC FA D3 44
B9 12 E5 53 95 08 E7 BA F3 47 EC B4 AC 49 FD 48
C2 65 F0 7A F1 59 28 0A 02 BF 18 63 21 81 96 67
E8 D3 81 1C 22 7C 15 5C 11 AC 30 1E 4B F5 9B E9
DF 22 60 07 AC DF B4 A0 07 3B CF 25 20 3C 8E E8
B3 D4 22 96 97 C0 92 40 04 20 77 E0 CA 23 CA FD
FB AA B3 26 DF 94 59 78 98 9B 39 09 60 FD 45 97
2E B4 9C 47 8F C4 15 60 C9 40 75 93 C4 CB 70 7F
67 CA 0B 9B 01 26 6B 42 3B AA 9E 53 7E 43 CE F6
BF AC 6A FF 5B F6 8E F2 82 1E 0E D1 6B DD 5E 9D
B1 BE E7 81 65 8A 0A C9 87 00 B5 8A 88 CC EB EC
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Targets
-
-
Target
f973d9e1e4be678056cc402a8e72e474fcfca0799938fc89e0f6cdcf9203c0a2
-
Size
53KB
-
MD5
d0422977806bae4cfe7d440920a0b00c
-
SHA1
3c92b7949783dd84ff86319b7780506cfc4e2853
-
SHA256
f973d9e1e4be678056cc402a8e72e474fcfca0799938fc89e0f6cdcf9203c0a2
-
SHA512
7bb49a62890d82006ab8fb99019aed1da6c611c52ec8f2aa885fdff67352ce47c9b2c748592e3673882a7733fe396f202d13a46e006fa3d32ccdbd27920119ad
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-