General
-
Target
05f357f42b776477b27cc8be9cfa307bf900d3da94017271867df2e849b29489
-
Size
31KB
-
Sample
220211-h2r86sdhfp
-
MD5
31e13dbdb26f7dfabcb3087a27c08153
-
SHA1
c6b85fb180f6cdd0b95088327292ebce7f7f0c29
-
SHA256
05f357f42b776477b27cc8be9cfa307bf900d3da94017271867df2e849b29489
-
SHA512
1ec1bd8c469376f2c073d9d0bfa5bec5a7095293f4d6a0960b0e8af46144480ae7f845468b563cbcfc1d12581d74ae22f046c46c5955ed56b5c3cb16fffccc1d
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>47 C0 82 D6 B6 13 56 24 0C 64 5A EF DF 35 7E 0E
35 72 36 3C B8 C4 D7 19 15 05 3F E5 20 C6 6F E0
13 D9 33 24 C3 E6 2A 66 53 87 45 C8 A0 07 FA C8
54 5E F0 30 C1 0E 9D 7A 4B 67 6E 2B 8A D8 87 B9
6D AC CD 36 10 BB F2 11 D4 15 46 94 2A 2F 26 C7
A7 69 8F EB 98 D0 63 82 10 89 48 C8 3C 66 E3 FF
B2 80 DF 6C 0C FA 5F BC 7F C1 3B CE 7B 20 6F BA
32 6A 59 F9 CC 8D EF 9A AF B9 F1 AF 75 EB 96 80
32 07 EF 69 9A 58 33 F5 F5 3B A0 85 74 C6 53 93
72 C9 23 CC 9C 9C 88 31 09 05 AA DA A2 CD 65 E2
88 66 FF EB 18 81 94 C3 7D F5 70 94 55 2B D5 9F
58 BD CF 90 00 A5 AC 39 4F AC 5F 81 FC 0E 06 B3
03 43 B4 75 EB F5 E7 63 4E 7A 54 BE B5 7B 92 7E
75 56 80 F8 D6 7E EA B9 45 0E F9 92 F2 56 A9 CE
94 61 B0 97 2D 64 A7 19 BB 35 DF 12 FD 5A 30 8C
C5 0C B0 CE 45 19 B6 0E CA 3B 51 FA 66 2A 87 F4
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only decoder_master proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>2B 2C F5 6E 30 F2 FF 47 D4 3D 8F 25 CC 0D 2B FA
38 4E 91 30 79 2E 99 CC 5D EF 8C 9F 9D D3 03 79
54 63 33 F8 67 95 5C A6 A1 C9 76 8A 39 70 A1 0F
26 35 82 5D 38 44 F3 65 75 D4 B7 D7 64 FA EA FB
E6 72 AC 79 3B C1 95 07 51 A1 74 53 E9 F1 12 66
41 EF 4C 46 2D B8 1A DF CD 28 2D 07 54 47 4E EE
A5 D6 A6 A7 56 F9 D8 41 33 1F 2F 5F D8 E2 D4 30
0F F9 BC 34 A2 2F CF 27 98 9D 41 BD B2 E9 7F 4B
D7 F4 78 F6 C1 BD 20 F3 4B 30 0D ED 6C 8D 75 16
63 B3 A2 BF C8 DF FF 2F B2 EA 5F 29 57 22 32 58
0F 06 59 6D 1D D7 BB 56 38 BD 3D 21 6C 6F 1B AD
38 65 1E 92 99 F7 64 AE B0 19 9D FD BC 13 42 E7
EE 04 1E B9 C9 4F 5F CB 2A FE 17 AD 86 B2 9A 49
47 7B 25 4B 2F FB BD 8F 67 ED FB 42 52 E8 E4 F7
2D 75 E2 6D 16 26 06 28 A6 2B 9A 49 9A 2D 05 61
01 E7 0C 53 B0 BB 85 59 46 8E 06 DA 26 6A E3 F7
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only decoder_master proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Targets
-
-
Target
05f357f42b776477b27cc8be9cfa307bf900d3da94017271867df2e849b29489
-
Size
31KB
-
MD5
31e13dbdb26f7dfabcb3087a27c08153
-
SHA1
c6b85fb180f6cdd0b95088327292ebce7f7f0c29
-
SHA256
05f357f42b776477b27cc8be9cfa307bf900d3da94017271867df2e849b29489
-
SHA512
1ec1bd8c469376f2c073d9d0bfa5bec5a7095293f4d6a0960b0e8af46144480ae7f845468b563cbcfc1d12581d74ae22f046c46c5955ed56b5c3cb16fffccc1d
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-