General
-
Target
c143dcacfbbbe05195b967c6249e4a00df4b39a4978b7fff4221e0ca3c9131b7
-
Size
53KB
-
Sample
220211-hbj5wabha3
-
MD5
80c7f9579143285c77209721e8f5fef7
-
SHA1
308ef73486d3b281a0b2ed21c91193a0bd23ae29
-
SHA256
c143dcacfbbbe05195b967c6249e4a00df4b39a4978b7fff4221e0ca3c9131b7
-
SHA512
e34884f540ccefce264c22208b0362024bc4db6e2a0b59fc5788c88d9bcc70ec73828df59e6c334bf0f3eecfc64034858a57b5e28418a7171fcaf0ab8eca23ea
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #f2f3f4;
}
.tabs1 .identi {
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #f2f3f4;
color: #000000;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<div>��6E 8A E5 FB FD B0 84 58 A6 1C 84 D7 16 6C 1D C9
E2 C3 77 B2 9D 4E CF A9 CA 64 59 5C 98 56 A0 29
3D 07 25 14 CF 6D 7F 4C A5 7E F1 BD 2D 70 86 43
86 BE 86 07 8A D1 C6 5B A3 1E 94 E0 9F 8C 1B 15
2C 3C DE DC 7E A1 50 17 EF 7F D9 0D B9 87 1D 55
CD 7A 29 A2 9F 66 06 39 1E 43 0E D8 2A A0 BC 39
CB 24 29 47 EA 75 0C 26 B8 85 58 5B 0C EA 62 50
F5 E6 6D 9F 30 CE E5 1B 63 54 47 5A 66 22 01 37
B7 28 5C 54 15 17 93 E3 2D 3D 22 84 28 19 97 AD
9E 13 25 26 6E A7 0F 45 12 1D 76 09 73 89 88 5B
15 AE 69 DE 1A 79 55 3D 2F 98 E0 5C 96 58 19 3E
02 5F 75 79 51 0D 00 CA D3 4E 19 39 67 20 58 7C
A6 59 5B 8E 74 DE 21 98 56 CD 2F 1B 08 4F 6C D6
EE 1B BD 94 05 00 11 3E 25 12 8E 52 75 FB F5 8F
5F 9F CC B8 EF 4F AC 35 91 3B 20 9D 3E 59 A5 72
79 F3 46 BD 6C C1 70 17 30 6C 40 5B D5 18 60 03
</div><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab2" />
<label for="tab2">ENGLISH</label>
<div id="tab-content2" class="content">
<h1>Hello.</h1>
<hr/>
<br/>
<div class="text">
<!--text data -->
Your files, documents, photo, databases and all the rest aren't <strong>REMOVED.</strong> </br>
They are ciphered by the most reliable enciphering.</br>
It is impossible to restore files without our help.</br>
You will try to restore files independent you will lose files</br>
<strong>FOREVER.</strong></br>
**********************************************************</br>
You will be able to restore files so:</br>
<ol>
<li>to contact us by e-mail: [email protected] </br>
- you send your ID identifier and 2 files, up to 1 MB in size everyone.</br>
We decipher them, as proof of a possibility of interpretation.</br>
also you receive the instruction where and how many it is necessary to pay.
</li>
<li>you pay and confirm payment.</li>
<li>after payment you receive the <strong>DECODER</strong> program. which you restore <strong>ALL YOUR FILES.</strong></li>
</ol></br>
************************* P.S. **********************</br>
If it is impossible to communicate through mail</br>
* Be registered on the website http://bitmsg.me (service online of sending Bitmessage)</br>
* Write the letter to the address BM-2cUctB6SgQN95BLSDsD9rop4mPfV4BZ3Gh with the indication of your mail and</br>
the personal identifier and we will communicate.</br>
</br>
If you have no bitcoins</br>
* buy bitcoin can here - http://localbitcoins.com </br>
******************************************************************</br></br>
<!--text data -->
</div>
</div>
</div>
</div>
</body>
</html>
Emails
URLs
http://bitmsg.me
http://localbitcoins.com
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #f2f3f4;
}
.tabs1 .identi {
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #f2f3f4;
color: #000000;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<div>��A5 3D 8A BD A8 EB 7C D0 8E F8 C3 BD 58 3F E2 0B
5B A6 C8 38 56 DF 04 13 B5 A3 7B 65 88 27 BA CA
91 B9 D0 5A E7 79 78 2C CA 54 00 F9 D8 86 4A 98
A7 CB F4 08 E4 2D D9 34 D8 7A 8C B9 EC 51 F3 1E
70 4C C5 5C 9E DA BA 47 28 45 1F B6 E3 EC B6 8D
99 50 B0 A0 38 19 F4 8B 47 D8 3E 89 FF 22 A1 0C
72 20 F1 FC 91 6A EF 62 88 EE C9 93 97 94 A9 3D
AB E4 E3 14 FA D0 EA 6B DF C9 13 45 B0 9B 11 74
68 1C 4F 3B 71 63 17 E1 E4 E5 6F FB 10 A7 46 B3
FF DE 99 AB 8A DC B5 E9 A8 19 66 C1 71 1C 61 3B
AC 0C DE 2C 9B 49 A6 16 68 1E 66 5E 94 65 95 40
27 CD F1 FB 9E 11 BC 8D 64 B0 58 D1 47 75 23 D2
C4 E4 DC 2B D3 A9 CE 66 3E 92 DC 6D 3F 51 84 AC
C1 8E FE 57 8C 11 89 5B A9 C7 D2 E1 14 39 4D E7
69 22 C4 19 7B AE 42 78 9D D9 36 1B A5 FE 11 02
C5 21 86 E8 9E FD 6E 1C F6 9D 64 E6 91 EF 0D 27
</div><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab2" />
<label for="tab2">ENGLISH</label>
<div id="tab-content2" class="content">
<h1>Hello.</h1>
<hr/>
<br/>
<div class="text">
<!--text data -->
Your files, documents, photo, databases and all the rest aren't <strong>REMOVED.</strong> </br>
They are ciphered by the most reliable enciphering.</br>
It is impossible to restore files without our help.</br>
You will try to restore files independent you will lose files</br>
<strong>FOREVER.</strong></br>
**********************************************************</br>
You will be able to restore files so:</br>
<ol>
<li>to contact us by e-mail: [email protected] </br>
- you send your ID identifier and 2 files, up to 1 MB in size everyone.</br>
We decipher them, as proof of a possibility of interpretation.</br>
also you receive the instruction where and how many it is necessary to pay.
</li>
<li>you pay and confirm payment.</li>
<li>after payment you receive the <strong>DECODER</strong> program. which you restore <strong>ALL YOUR FILES.</strong></li>
</ol></br>
************************* P.S. **********************</br>
If it is impossible to communicate through mail</br>
* Be registered on the website http://bitmsg.me (service online of sending Bitmessage)</br>
* Write the letter to the address BM-2cUctB6SgQN95BLSDsD9rop4mPfV4BZ3Gh with the indication of your mail and</br>
the personal identifier and we will communicate.</br>
</br>
If you have no bitcoins</br>
* buy bitcoin can here - http://localbitcoins.com </br>
******************************************************************</br></br>
<!--text data -->
</div>
</div>
</div>
</div>
</body>
</html>
Emails
URLs
http://bitmsg.me
http://localbitcoins.com
Targets
-
-
Target
c143dcacfbbbe05195b967c6249e4a00df4b39a4978b7fff4221e0ca3c9131b7
-
Size
53KB
-
MD5
80c7f9579143285c77209721e8f5fef7
-
SHA1
308ef73486d3b281a0b2ed21c91193a0bd23ae29
-
SHA256
c143dcacfbbbe05195b967c6249e4a00df4b39a4978b7fff4221e0ca3c9131b7
-
SHA512
e34884f540ccefce264c22208b0362024bc4db6e2a0b59fc5788c88d9bcc70ec73828df59e6c334bf0f3eecfc64034858a57b5e28418a7171fcaf0ab8eca23ea
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-