General

  • Target

    c511c1a1978858cbd3383cdf4dcad8444fa5552d9204a635ace5905aa7227f3c

  • Size

    51KB

  • Sample

    220211-ha293adecj

  • MD5

    0ddb168889eec2f95ef141a667a3849f

  • SHA1

    31939eb87bce9b2cc98534f2792e784601cb6019

  • SHA256

    c511c1a1978858cbd3383cdf4dcad8444fa5552d9204a635ace5905aa7227f3c

  • SHA512

    ac3e0e742aa8846e0179abe6f8659fc070c1e4b41aa55cffa8b2dc1c5da81135882c2a41bc0eaf7490ae7bcae685eb910e9a75f13ba916e33e5582a057834e8f

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID AB 56 71 61 63 C8 F5 FF D7 62 3A 2F 56 0A 29 E6 C9 3E 9A 2E C6 63 2E CE 54 8D E8 C5 32 8C 39 3A D4 CC 96 5C 83 F9 D3 D2 36 D3 9B 94 DA 97 7F B5 BA 0C D0 A1 35 FE E7 B7 6A BE 9C B2 FE 39 84 07 1A D9 22 D9 62 0A C7 EF B7 47 F1 A7 46 C6 95 7B 27 B9 9F F0 58 27 F1 CD 25 C9 22 C6 2B D8 C7 9B 70 84 1D F2 B6 18 F2 91 5A 5E 74 0D 3B BC 70 9B F2 07 E3 41 A6 32 BC E2 7E FA AA 83 8C 90 EA 8D A0 70 15 7F EB 1F BA 1A DE E7 DE 54 E5 B2 76 C0 56 05 22 D7 88 05 8F 57 7B BF 31 E5 05 7A 29 0C D2 CA 2E 19 94 3C 9C 2D 07 EB E0 1D 16 52 35 96 A2 1F A6 22 80 A1 3F 19 16 8A 8E E6 48 D6 CF BD 1A 2D B1 42 78 0B 73 28 CD 57 D5 CD 7D 3B 67 B9 3C 1A BD A9 24 1F 0A 51 7C 15 1F 01 FB B2 68 65 1C EA BE BB AB 4B 1F 2A 2E C3 22 D5 43 5A 3D 91 3A 7C E7 D1 48 AE D0 85 ED 81 64 57 77 B0 EC 8B
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe

    • Size

      51KB

    • MD5

      e4e439fc5ade188ba2c69367ba6731b6

    • SHA1

      d4b3b403b95d50a2feefa046441600e488b941f4

    • SHA256

      39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde

    • SHA512

      068d7ba1563bf528520a5106a99245896578ac88b0a3263383cdae8657403deba659c06f429dd83710d1f5afa324a49254dd68911382db71810f98a498e901e7

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks