General
-
Target
bee85c5f61d309da7233e27c7f015ced560ac4edf077aa6a50d06449aa80b3da
-
Size
53KB
-
Sample
220211-hbvxdabha4
-
MD5
f283fabf3798df9e624869ac18976b12
-
SHA1
d937c2e7f6edd6d386ca1afc71ace3ecb3b3de63
-
SHA256
bee85c5f61d309da7233e27c7f015ced560ac4edf077aa6a50d06449aa80b3da
-
SHA512
cab9c619dd294a91c8de9f6796344684a6ca828fd8334d49a3a85cfa65dbb3f996e2ec5631727e06c57c681794977052daaac2dd004997c04be748a273629682
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������3D 72 7C CF 4B 37 91 81 D0 1E EF BE 63 EF 09 4C
56 7D 6F D4 42 F7 88 5B 8A C7 BE 78 6D D5 7C 10
BA D2 A2 44 A7 7E 91 E0 0F 70 89 94 4A CF 41 28
E2 B0 00 2E 11 FC 96 A8 6C 70 90 8A 39 3C B9 75
87 D7 FE A2 ED B3 68 09 5A 9D DD 00 A1 DA 1F 36
B9 C5 91 82 31 19 8A 7F 8D 2A 27 9E 0E 8E D6 BE
99 2F D9 52 06 5B 82 3E 1F CD E3 F0 39 BB DA 3E
85 29 37 39 10 39 0A 4C 32 03 13 4D 53 8F C6 53
1D DD 9D A6 25 6B 61 FE 50 8E 45 99 CC 9F 15 2E
C2 86 FC 42 17 88 D3 D7 84 A9 15 38 DD 61 D6 61
27 9C ED 99 9B 58 0F BD CB 63 23 BB 68 1B EB 41
69 79 7A 8A 5F 4E 99 87 B8 46 4A 85 06 9B 19 28
17 98 CB 0E 72 72 EF 50 B7 A4 16 86 02 BB C8 80
AB AC 90 B6 9E EA 49 76 CF A2 1D B5 76 C9 47 61
AB 56 49 CE 2D AB A8 09 DD 66 13 A2 BA B9 12 DD
E8 37 C7 3F 42 CA 86 1D F4 19 13 71 D3 68 55 61
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������������
Emails
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������26 EA A0 83 0D 0F 3D DD 86 65 7D 7D 14 24 E3 62
A2 1B DF DF F0 8D 14 51 54 D3 E7 14 85 F9 7A 72
69 A9 DF 34 F6 91 69 6B 13 69 52 62 80 61 65 36
3E 18 F4 54 EA 5F 2C 67 58 AF F3 9F F9 48 AE 06
9E BB 91 7D C8 1F 60 38 99 76 37 C4 83 6F 24 3F
98 E9 FD A0 39 89 65 AA DC E8 77 97 9E 24 87 39
BC C2 67 EC 60 2C CB 81 19 37 3A F7 AE 34 73 CF
74 E0 69 11 AF 8C 13 29 B9 B1 72 BB 1F F4 0F DC
93 77 31 DA 96 2E 07 97 E6 75 78 DF DE C4 4F B3
67 B6 53 D8 05 EC B2 44 8A 1E 57 74 19 D0 C6 3C
64 E8 78 32 AD 8F 1E 37 E8 01 B9 D1 F8 7F 12 AA
EE 5D 59 C9 C6 54 9B 46 23 2D B7 32 84 71 E0 F3
6A C7 BB D7 27 04 CA 97 9B 30 78 0D 1A 36 72 43
8E B1 C1 95 52 78 09 C6 44 D6 DB 07 BF 13 B8 B3
A6 E7 81 B8 AD F0 14 02 AA 0C 4D FD A6 FA 40 1B
29 BD AE FA DE A6 E6 0D DD AE 62 34 6A 90 3F 40
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������������
Emails
Targets
-
-
Target
bee85c5f61d309da7233e27c7f015ced560ac4edf077aa6a50d06449aa80b3da
-
Size
53KB
-
MD5
f283fabf3798df9e624869ac18976b12
-
SHA1
d937c2e7f6edd6d386ca1afc71ace3ecb3b3de63
-
SHA256
bee85c5f61d309da7233e27c7f015ced560ac4edf077aa6a50d06449aa80b3da
-
SHA512
cab9c619dd294a91c8de9f6796344684a6ca828fd8334d49a3a85cfa65dbb3f996e2ec5631727e06c57c681794977052daaac2dd004997c04be748a273629682
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-