General
-
Target
e383f4f77e63c29c1f029de11548832ba03479040a1f52b050f54b8d65f60d62
-
Size
53KB
-
Sample
220211-g7hq9addgl
-
MD5
93bbb021a0078acee8b79da51377d2ed
-
SHA1
829b217f4be64299ed13f43c620f0fcdd25c83a3
-
SHA256
e383f4f77e63c29c1f029de11548832ba03479040a1f52b050f54b8d65f60d62
-
SHA512
4ac4728d502f5816bda11297a0426092dd9c9a9623783c4c21a98315929eb090b27ee060298e600d42118130bd070cfb7858eb629fec41de7109b2e6dad648a1
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������60 44 40 62 16 7F B4 06 92 1F 13 7E CC C4 EF AE
84 73 B7 17 DC 2F 25 78 AD 33 84 3B 9E 86 3E C3
D3 C5 CB 83 46 D2 23 34 0C 91 D2 46 7E 09 94 8E
FB 01 58 27 64 2C 24 F2 05 2F 68 26 39 DE A6 16
1A 44 B8 C3 33 12 69 8C 18 24 DC 47 C8 14 BA E2
FD DE FE 48 20 9D 3A B0 B3 3D B2 B2 3C CE E3 3B
36 FB 0A 8C 17 B4 B3 18 C5 19 6F 44 08 3F FD 45
52 26 2E 2A 3F 9C 4F A3 F6 43 A0 A5 2F 0B F9 F2
A0 58 72 7D 47 8D D2 24 81 52 2F 81 3C 25 B4 F5
0E 84 A0 D6 60 40 BA 4A 22 D3 9A 62 E5 36 2B 6F
38 72 DE 69 D8 40 48 00 58 0A 07 A1 F8 A3 93 E5
FA 5C E0 E3 4A 99 CC 61 C8 89 50 87 20 B6 B1 20
ED 9B D8 21 3F A6 E7 54 CE 4A F6 BD FF B6 67 86
5F 05 6D 6D 84 8D 66 83 DD 09 7E E6 ED 9D 13 E8
F1 B4 F9 ED FA B2 03 EA 8B E5 F2 A9 56 8A F3 88
79 9A 7F A8 F7 9B B5 34 AB 74 67 8E 0B 6C 72 7B
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
��
Emails
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������7E 08 AD F2 6A BE DE E2 0B 8F 12 D5 EB 31 56 4E
27 0B AA 9A E7 07 A5 A5 CD 3C AF CC AB 7F BA 48
18 AD 56 D1 38 18 73 71 52 D4 89 EE 09 C5 04 2A
8E 8A D5 4E 0E A2 3A AC 8D F8 AF 2C 04 96 A0 AF
2C 30 9A 67 E7 C2 83 EA D4 DF 8B 51 D0 B7 BF 0B
A9 5C B4 63 0E A7 83 0D 99 BB 71 EF 53 3A 7F 16
6B 89 AE FD D7 45 E1 89 39 65 9D D5 A5 8E DB AE
B5 4B F6 EE 28 E1 F6 0B 39 E7 3D 8F 6F 2C 83 84
91 7C 59 78 31 8E 26 D6 EB AB F2 BD CD 21 60 6B
47 E9 6E 07 8A 58 20 BB A3 3A E0 08 02 FD 05 AD
C5 8C 52 19 EC 31 C3 D6 64 49 CB 15 BF B4 40 7F
C5 F0 11 5C 58 E2 46 80 05 81 D0 FB DB 54 14 2E
BC A3 FC 28 B3 73 85 29 33 E2 47 07 EB 95 17 62
E5 28 52 4A C3 89 30 B8 A3 90 31 E6 85 57 CE 2F
81 52 8B 2A 88 99 11 EF 75 89 BE 07 19 B2 29 BC
EE 0F 50 B0 70 7F 08 16 7C 22 68 0B 60 F5 7F E5
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
��
Emails
Targets
-
-
Target
e383f4f77e63c29c1f029de11548832ba03479040a1f52b050f54b8d65f60d62
-
Size
53KB
-
MD5
93bbb021a0078acee8b79da51377d2ed
-
SHA1
829b217f4be64299ed13f43c620f0fcdd25c83a3
-
SHA256
e383f4f77e63c29c1f029de11548832ba03479040a1f52b050f54b8d65f60d62
-
SHA512
4ac4728d502f5816bda11297a0426092dd9c9a9623783c4c21a98315929eb090b27ee060298e600d42118130bd070cfb7858eb629fec41de7109b2e6dad648a1
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-