General
-
Target
e233c24ece52724acc3c380a1855774a5231fc2079460b6fb584db612b25bc75
-
Size
53KB
-
Sample
220211-g7rn6addgn
-
MD5
8b80e3917bd743d33b08e923fb505402
-
SHA1
57d144ff9d0c7a248d8777c56ba1814cfd1e67d4
-
SHA256
e233c24ece52724acc3c380a1855774a5231fc2079460b6fb584db612b25bc75
-
SHA512
7595921f92703cf7ef5a73096a76f07e78f85fffee493214fc0aa71cd363dcfb4aff3b1f3feb4416ba5c0487274f57053d3ec158c56aa28a58cbe740dcef1fec
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������74 42 F4 7D E1 3C 3D D6 15 CB E7 6B EA 93 37 D9
53 F6 1B 88 BA 1C 93 C1 E2 01 D5 05 28 41 34 56
07 37 6C DE FF A3 84 5B 9B 32 1D A3 5F FA 02 9B
9D 14 DB 2C 49 CF 3C EB 17 88 92 85 18 08 46 73
2D 1C 61 91 CA EE B9 3B B7 99 6D 13 3E A5 CF 65
D9 DB 11 6F 95 BF 88 D8 38 25 F4 01 D6 A3 93 DA
E8 0F 27 C0 33 31 E8 B8 05 20 13 0D 89 7C AE AD
D0 53 50 96 66 62 E5 13 7A FF 98 F4 E4 38 02 1F
29 CB 1D 48 29 BA D0 0D F3 0F 37 45 1F FE 7B 7F
9A 7A 69 BC 7D 74 45 21 1B 39 C9 2F E4 71 61 39
C7 CD 79 63 D1 46 1E E6 BA 35 85 3B A7 99 B9 9C
07 4B 8B E8 C8 52 A7 0F 2B 83 69 56 EB C3 98 26
B5 93 74 87 37 89 AC AF D1 80 2E 53 C3 DA 3B 85
61 82 F0 26 F4 11 AE 67 3B C9 AC 40 E0 95 05 EA
94 98 FD 72 7E 55 1D 14 92 D9 83 65 64 AB 1B 86
5C F3 C9 65 8B B6 A2 BA 51 DA A3 5D 15 F2 86 99
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected]">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
������������
Emails
href="[email protected]">[email protected]</a>
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������07 28 75 A7 16 AC 4C 0D 4F CE 40 6B 3E 1C AF BB
85 DA 02 99 B1 3C E7 42 76 25 B7 3E 6E 00 03 85
94 DB ED B4 11 EC 81 16 2C A4 F1 F6 A2 91 21 97
FB B9 18 78 96 81 1B 81 03 20 95 D2 8C 6D 36 A5
DC BA 65 CE DC D5 39 4F EC 0A 1C 0A 3B 48 BA CC
F4 B0 B4 FA B8 22 59 74 23 CC 1E 98 95 CF 4C EA
1C 02 88 1F C4 2C A8 06 06 77 6F C2 C4 4D 8D 47
C2 D1 10 6C 43 26 07 40 0A EC D4 36 AC AE D4 37
8C 79 BD 75 A1 F3 AF A7 54 8B 00 D2 DF 91 07 90
68 C2 67 BD 50 30 41 0B 02 8B 2C D3 48 7F C1 7C
B6 8B F8 8B B3 CA 1F C0 D0 22 38 90 23 7F 36 D6
03 01 61 18 C7 E9 3A BF 2E FE C5 2C 24 33 56 07
96 4F E6 7D 52 D6 A7 74 89 0D 1F 7A F1 39 C0 2D
6A DE 41 A7 A0 8C FA F8 8F 41 8D 4E EF 30 2F 4A
73 08 3A 32 FE BF 55 E8 27 AA A4 29 61 E6 16 7B
26 4A 6C 0E C2 F6 0E 17 5F 10 FC B6 8F BC 07 2D
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected]">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
������������
Emails
href="[email protected]">[email protected]</a>
Targets
-
-
Target
e233c24ece52724acc3c380a1855774a5231fc2079460b6fb584db612b25bc75
-
Size
53KB
-
MD5
8b80e3917bd743d33b08e923fb505402
-
SHA1
57d144ff9d0c7a248d8777c56ba1814cfd1e67d4
-
SHA256
e233c24ece52724acc3c380a1855774a5231fc2079460b6fb584db612b25bc75
-
SHA512
7595921f92703cf7ef5a73096a76f07e78f85fffee493214fc0aa71cd363dcfb4aff3b1f3feb4416ba5c0487274f57053d3ec158c56aa28a58cbe740dcef1fec
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-