General
-
Target
e9a32550c234ccdc771d0c30f51236bac3dfe0b0d718820f5ee9c4200e833c0f
-
Size
53KB
-
Sample
220211-g6w79addfn
-
MD5
0f71ed4048c8256c3a2afa79fc79129c
-
SHA1
223335c46025efaf91384f7c981098c9795468c5
-
SHA256
e9a32550c234ccdc771d0c30f51236bac3dfe0b0d718820f5ee9c4200e833c0f
-
SHA512
9a3d4c2cea1ca144328812d2f017a151a66004f4db962ae1ea5f3d627f106488056094ea45e2fc01ff86ff31421994035694879e173551d431f9ff88302ad384
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>21 EB FA 67 E7 7D 26 3E E0 2F FB 7F 40 02 D6 09
9C 7F F1 5D 0C 14 C7 57 CF 94 56 96 B6 F5 63 A2
B2 FF 20 EA 8C 67 05 AD BC 4F AA DC F1 37 2E 08
95 DF 1D A0 47 79 E7 3D 11 BE BC 68 9D 04 C1 50
0A 3B 52 A3 AE 95 31 5F F2 AD 48 08 42 D2 01 72
62 4D 4F 84 53 33 77 66 04 B5 C3 F3 D6 ED 10 87
C1 44 B8 93 C5 C9 E2 51 3A 6F 66 A9 07 3B 7C D2
C1 0D 23 AD 19 45 B3 EE 50 72 13 32 DE 11 BB B6
71 CC EF 9A 2A 48 28 B5 B1 F4 2A E6 7D 89 6E 9B
60 33 41 A3 B8 2E 35 8C 29 60 61 33 F4 C9 16 40
DF D2 5A 6F A3 56 C5 4B D6 D8 A9 48 31 9D 1C A0
44 F1 3F 0C 35 96 B6 C4 28 4B 13 4D E2 4A A5 94
AB 1E 2B EB 8E B1 D1 82 8E 89 37 EF EF B4 43 00
C5 9A 99 F4 24 2C 2C F6 EB 9D BE AD A4 F3 5C B6
D7 0F 46 69 0F 7B 57 79 73 56 0B CE 88 45 F5 DC
8C E2 77 4F EB D4 76 B7 A9 2D B3 F1 07 54 82 EE
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only decoder_master proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>95 26 28 38 73 C8 72 0E 0D 8F BC EF 1B 37 8B 92
A2 7B BE E9 9D CA 26 85 E6 B6 AE A4 83 69 40 28
36 4A 13 E1 D4 00 12 34 96 A9 44 88 2A 55 94 AB
CB F6 C1 AE 20 54 68 8A 41 93 31 6B 83 95 86 77
FB 86 4F 60 03 D0 8B DF 6F 48 15 A1 B2 E2 3A B5
87 33 8A 90 7B 89 BD F6 E7 AF 0A C9 C3 23 74 23
FA 01 E1 A7 5B 1E 3D C5 08 05 B7 3D 91 89 BD 86
F7 A2 8E D3 6E 79 C0 23 15 3B D1 52 A9 12 2C 6C
51 93 56 1C 2C 25 5A C8 1C E5 3B 0D 81 15 3F F4
94 3C F7 6E E4 B2 F2 A1 0B 43 BF E1 94 2F 86 E2
F3 F2 B2 43 08 1A 7C 20 A7 A6 A1 49 96 D7 66 99
21 7D 53 9B 67 20 CB CE BE 7C AE AD 15 A8 4C BD
62 29 40 74 64 3F E3 2F 04 7B 46 47 D4 92 62 36
58 E6 35 D5 24 AB 79 E6 13 90 B2 C7 DC 00 4D 48
13 E2 6A 19 1F FC FC 1B 71 79 32 EF 8D 1F 9F CE
0B C6 DA D8 A7 7A 4C B5 4A F0 F4 BB 9D 58 7A 48
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only decoder_master proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Targets
-
-
Target
e9a32550c234ccdc771d0c30f51236bac3dfe0b0d718820f5ee9c4200e833c0f
-
Size
53KB
-
MD5
0f71ed4048c8256c3a2afa79fc79129c
-
SHA1
223335c46025efaf91384f7c981098c9795468c5
-
SHA256
e9a32550c234ccdc771d0c30f51236bac3dfe0b0d718820f5ee9c4200e833c0f
-
SHA512
9a3d4c2cea1ca144328812d2f017a151a66004f4db962ae1ea5f3d627f106488056094ea45e2fc01ff86ff31421994035694879e173551d431f9ff88302ad384
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-