General
-
Target
dd5eca1c0a35472d4cd1d40fe133a02250a4d544eb0c27bc69c5a1a940ba6d57
-
Size
53KB
-
Sample
220211-g79vqsddhj
-
MD5
599e7ece6c2232fb535831b55dccb36a
-
SHA1
af013ba3809a79151d63133824356398f19f7ede
-
SHA256
dd5eca1c0a35472d4cd1d40fe133a02250a4d544eb0c27bc69c5a1a940ba6d57
-
SHA512
77aed87a2857847b3edf6c1483c19e15fa88a08a17769ec19c78b533da2913f38cc3647bd3ffaa4bb90550fa8eb66f4289296d844aaa0e1146b621a0987387a7
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #ff0000;
}
.tabs1 .identi {
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
/*height: 30px;*/
background: red;
}
.tabs .tab{
/*float: left;*/
display: inline-block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 15px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #ff0000;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 100%;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
outline: 1px solid red;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="on" id="tab1" />
<div id="tab-content1" class="content">
<h1>Your files are encrypted! </h1>
<hr/>
<div class="text">
<!--text data -->
<center>Your documents, photos, databases and all the rest files encrypted cryptographically strong algoritm.<br>
Without a secret key stored with us, the restoration of your files is impossible</center>
<br>
<center>----------------------------------------------------------</center>
You will be able to restore files so:
<ul><li>To contact us by e-mail: <strong>
[email protected]
</strong> & send your personal ID and 3 crypted files, up to 3 MB in size everyone.</li>
<li>We will decipher them, as proof that we can do this. Also you receive the instruction where and how many it is necessary to pay.</li>
<li>You pay and confirm payment.</li>
<li> after payment you receive the DECRYPTOR program, which restored ALL YOUR FILES.</li></ul>
<center>---------------------------------------------------------</center>
<strong>Your personal ID:</strong>
<pre>�������02 78 2E D2 29 19 DB A0 E1 EF 2D 65 15 07 96 E1
5E 2D 7E B4 56 0F 6F FB 20 0A AD 9C C7 C5 A8 23
A6 08 38 6E 2A FA 47 50 14 22 00 8A 9B 41 F0 46
C8 86 45 69 6B 25 99 85 B2 0A FA AB 0D 87 8D A0
80 43 BC 65 7E 69 8F ED B8 EF 4B 89 54 51 CE EF
6F 51 57 22 CB C6 21 A3 26 5E CC 45 20 58 5A 9F
DC F6 22 02 3E 09 BC 8D 57 E7 48 17 CC 4B C9 A5
72 90 71 D5 EF 36 8B 13 D7 4D 9A 29 5E E1 4A 75
6F 33 99 18 10 68 9F 72 A7 0A F3 B9 0C CA 42 F8
2B 75 0E 3A DF 96 80 01 E9 6D 47 47 AB 6F 4C 62
A8 16 AE 0E DD 77 50 E1 FA 36 70 13 AA 76 05 27
4A 3F 18 6E A3 B3 1D 9F A6 66 9C 9B AD 8D AD 3E
8E F8 94 25 F3 D1 87 89 67 82 B3 27 94 D8 10 7F
9C 41 14 18 7C 69 AB 9C DE 20 57 C3 62 C9 15 64
55 AA 6A 9A 5B 64 41 98 23 31 DA D4 BF 4C 10 80
7A 94 51 D6 7E 70 68 D0 99 5E 52 95 08 11 DD 7E
</pre>
<center>----------------------------- P.S. ----------------------------------</center>
<ul><li>It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.</li>
<li>Be sure to add our email addresses to the trusted list, in your email client's settings. And also check the folder "Spam" when waiting for an email from us.</li>
<li>If we do not respond to your message for more than 48 hours, write to the backup email : <strong>
[email protected]
</strong></li></ul>
<!--text data -->
</div>
</div>
</div>
</body>
</html>������
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #ff0000;
}
.tabs1 .identi {
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
/*height: 30px;*/
background: red;
}
.tabs .tab{
/*float: left;*/
display: inline-block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 15px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #ff0000;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 100%;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
outline: 1px solid red;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="on" id="tab1" />
<div id="tab-content1" class="content">
<h1>Your files are encrypted! </h1>
<hr/>
<div class="text">
<!--text data -->
<center>Your documents, photos, databases and all the rest files encrypted cryptographically strong algoritm.<br>
Without a secret key stored with us, the restoration of your files is impossible</center>
<br>
<center>----------------------------------------------------------</center>
You will be able to restore files so:
<ul><li>To contact us by e-mail: <strong>
[email protected]
</strong> & send your personal ID and 3 crypted files, up to 3 MB in size everyone.</li>
<li>We will decipher them, as proof that we can do this. Also you receive the instruction where and how many it is necessary to pay.</li>
<li>You pay and confirm payment.</li>
<li> after payment you receive the DECRYPTOR program, which restored ALL YOUR FILES.</li></ul>
<center>---------------------------------------------------------</center>
<strong>Your personal ID:</strong>
<pre>�������7D F9 3C B6 54 80 09 86 E7 86 FC 0F 15 25 28 AA
7C D2 C7 17 00 14 24 49 33 0B CF 07 44 F7 05 A3
A5 C6 1F 30 EC 81 94 56 AA 32 27 DE EF AD 42 D3
C0 D7 04 C5 46 41 6C 69 9E C1 88 42 C2 71 F7 EB
A0 FD 24 F2 93 27 4A 7F EA BA 82 21 EA 90 54 DC
B1 BF DF 1A 0F D4 0A 94 36 EF C8 0C DB 2B F3 42
C8 A7 4E 00 0F 77 FB 4A F8 C8 7D 47 63 B7 AE 3E
8B 9D 89 22 C8 08 95 F3 B2 A6 D8 45 63 79 24 3C
CD 4E 85 26 8D 33 5F D4 72 61 28 2F F3 2F AD 99
D7 D0 81 B6 31 94 B8 E9 57 C3 AC 5B DD 6F 45 A8
24 CF 98 A0 42 FB 66 5F 1B BD 50 23 43 CC 60 91
5A F3 F8 50 1D 28 77 E7 3E E4 5F 90 C0 37 EA 76
AF A7 34 52 46 86 46 9D 10 B8 5B A3 B3 1A 31 F0
F8 D3 DA CE 92 3A FE B4 32 95 A9 1B 90 59 53 65
B0 48 64 73 03 FB ED A0 C7 90 9F 8A A2 38 E1 18
D8 AC 37 DD BC DB F7 36 B9 49 9C 8B EE FA 17 CC
</pre>
<center>----------------------------- P.S. ----------------------------------</center>
<ul><li>It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.</li>
<li>Be sure to add our email addresses to the trusted list, in your email client's settings. And also check the folder "Spam" when waiting for an email from us.</li>
<li>If we do not respond to your message for more than 48 hours, write to the backup email : <strong>
[email protected]
</strong></li></ul>
<!--text data -->
</div>
</div>
</div>
</body>
</html>������
Targets
-
-
Target
dd5eca1c0a35472d4cd1d40fe133a02250a4d544eb0c27bc69c5a1a940ba6d57
-
Size
53KB
-
MD5
599e7ece6c2232fb535831b55dccb36a
-
SHA1
af013ba3809a79151d63133824356398f19f7ede
-
SHA256
dd5eca1c0a35472d4cd1d40fe133a02250a4d544eb0c27bc69c5a1a940ba6d57
-
SHA512
77aed87a2857847b3edf6c1483c19e15fa88a08a17769ec19c78b533da2913f38cc3647bd3ffaa4bb90550fa8eb66f4289296d844aaa0e1146b621a0987387a7
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-