General
-
Target
b9fa8aec976af38d2a8a92a994aed5c2ef2771b1ef9030351cccef354dbe4b4d
-
Size
55KB
-
Sample
220211-hce8babhb2
-
MD5
f35aef4680d54776183a63f5f453a13c
-
SHA1
d742f7d9ae9f6531b6232192d027a22a3c61e3ed
-
SHA256
b9fa8aec976af38d2a8a92a994aed5c2ef2771b1ef9030351cccef354dbe4b4d
-
SHA512
a0ddfb66f2635ff018b7e99538bae71609308b16a7527bde372c5a83f0573e37fef3f6377c884c61e8a3b0c6f83a28dd36b443c2df20b0e44fd993f5270e4aaf
Score
10/10
Malware Config
Extracted
Path
C:\instructions.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<div>6A 49 8F 8F BF BF 10 8B FC 02 BF D9 7E 76 EA 9F
62 80 AB AF F2 FB FF 82 75 A7 12 46 4D 63 E4 AC
C1 F6 B2 F1 CB 13 EC B1 4B C8 B9 F4 F1 8A 4F D4
2B 60 59 AA 55 60 3B F6 E3 24 F9 EA E2 67 73 A2
A6 CF 85 A6 92 72 06 A9 FB 84 57 97 48 4A 17 62
0D 12 53 C9 CF 14 56 7A D7 5B B5 BC E6 53 66 CC
4F 97 AE DD C9 28 06 1B CF B9 43 DD C0 0F E6 DC
43 F9 68 EA 86 65 C6 0D CC 8C 96 E7 0F 84 AE C6
3E 7D FA C5 3A 31 87 89 49 93 42 0F FA 39 36 22
58 BC 89 F8 93 64 CF 0D 8F D1 53 F7 BF 29 27 DD
B1 E3 6B 28 33 55 FE BA C6 50 4B 52 B3 9D E7 3C
45 A8 6D A7 87 6D B7 1E 09 6B E8 B6 05 3A C6 D2
56 54 5D B3 85 D3 5F 29 9D 07 94 1B BD 98 E9 35
F3 1C F0 D5 14 D8 D5 5D 09 DC A5 8C DF 3B E1 F8
A0 3D 76 95 76 E4 8B E3 57 38 FA 70 C2 E4 DC 16
DA 22 85 CD 2C E8 5D 44 A2 42 40 AB F2 C1 EB 92
</div><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>Your files are encrypted! </h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
<center><h1>Hello</center></br></h1>
<br><center>Your files, documents, photo, databases and all the rest aren't REMOVED. </br>
It is impossible to restore files without our help.</br>
You will try to restore files independent you will lose files</br>
FOREVER.</h1></center>
<br><center>---------------------------------------------------------- </br></center>
You will be able to restore files so:
<li> to contact us by e-mail: <strong>[email protected]</strong></li>
you send your ID identifier and 2 files, up to 1 MB in size everyone.
We decipher them, as proof of a possibility of interpretation.
also you receive the instruction where and how many it is necessary to pay.
<li> you pay and confirm payment.</li>
<li> after payment you receive the DECODER program. which you restore ALL YOUR FILES.</li>
<center>----------------------------------------------------------</center>
You have 72 hours on payment.
If you don't manage to pay in 72 hours, then the price of interpretation increases twice.</br>
<li> If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour. </li>
<li> If you try to decipher - you can FOREVER lose your files. </li>
<li> Decoders of other users are incompatible with your data as at each user </li>
unique key of enciphering
<center>----------------------------- P.S. ----------------------------------</center>
If you have no bitcoins
<li> Create Bitcoin purse: https://blockchain.info/ru/wallet/new</li>
<li> Buy Bitcoin in the convenient way:</li>
<center><strong>https://localbitcoins.com/ru/buy_bitcoins (Visa/MasterCard, QIWI Visa Wallet, etc.)</strong></center>
<center><strong>https://ru.bitcoin.it/wiki/Priobreteniye_bitkoynov (the instruction for beginners)</strong></center>
- It doesn't make sense to complain of us and to arrange a hysterics. </br>
- Complaints having blocked e-mail, you deprive a possibility of the others, to decipher the computers.</br>
Other people at whom computers are also ciphered you deprive of the ONLY hope to decipher. FOREVER.</br>
- Just contact with us, we will stipulate conditions of interpretation of files and available payment, </br>
in a friendly situation.</br>
<center>---------------------------------------------------------</center>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</body>
</html>
Emails
<strong>[email protected]</strong></li>
Extracted
Path
C:\instructions.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<div>6A D8 E3 22 2E A7 02 EC A1 91 A7 7E B2 52 9B 48
F2 0C 14 82 BF 22 A3 54 CC D2 9D F1 3C 7D AC 93
00 66 62 26 02 6A 12 DE AF 0D 49 CE 28 21 64 53
F0 DB 54 3D 95 56 37 68 D2 AF 72 27 60 E0 C9 0A
DD 03 6D E5 F6 2B 7D 76 C1 E3 82 C0 6D F5 83 9E
7D 20 A2 3E 7E 61 83 E7 35 53 29 65 2A 4A B9 8E
7F 33 42 DB 0E 5F 2B CB A2 EF 15 11 35 69 F1 B6
4E 7C D0 D4 F7 61 72 47 C2 6E F7 95 60 17 8E 6E
AE C6 40 48 9F 5C 52 90 44 E6 F6 8F 58 78 07 8A
27 74 F0 BE 83 35 2A E0 EB 07 D5 7D 29 82 7F 43
46 3E DD 44 E8 BD C9 67 10 A2 2E 55 EE 3B BC 97
49 9E A7 EC A7 62 D4 03 27 49 4B 91 71 15 09 82
CD 50 B8 92 C1 92 EB BE B6 B2 3D FC CA 8B 2F 35
3A 3A 18 90 83 73 AF D7 EC 99 A1 BE 31 46 42 A3
7E 45 BD 23 06 85 1E C0 75 F6 0F 4D 11 82 39 97
7B BE 57 BB 96 82 51 FB 25 66 FC 52 A0 F8 F4 97
</div><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>Your files are encrypted! </h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
<center><h1>Hello</center></br></h1>
<br><center>Your files, documents, photo, databases and all the rest aren't REMOVED. </br>
It is impossible to restore files without our help.</br>
You will try to restore files independent you will lose files</br>
FOREVER.</h1></center>
<br><center>---------------------------------------------------------- </br></center>
You will be able to restore files so:
<li> to contact us by e-mail: <strong>[email protected]</strong></li>
you send your ID identifier and 2 files, up to 1 MB in size everyone.
We decipher them, as proof of a possibility of interpretation.
also you receive the instruction where and how many it is necessary to pay.
<li> you pay and confirm payment.</li>
<li> after payment you receive the DECODER program. which you restore ALL YOUR FILES.</li>
<center>----------------------------------------------------------</center>
You have 72 hours on payment.
If you don't manage to pay in 72 hours, then the price of interpretation increases twice.</br>
<li> If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour. </li>
<li> If you try to decipher - you can FOREVER lose your files. </li>
<li> Decoders of other users are incompatible with your data as at each user </li>
unique key of enciphering
<center>----------------------------- P.S. ----------------------------------</center>
If you have no bitcoins
<li> Create Bitcoin purse: https://blockchain.info/ru/wallet/new</li>
<li> Buy Bitcoin in the convenient way:</li>
<center><strong>https://localbitcoins.com/ru/buy_bitcoins (Visa/MasterCard, QIWI Visa Wallet, etc.)</strong></center>
<center><strong>https://ru.bitcoin.it/wiki/Priobreteniye_bitkoynov (the instruction for beginners)</strong></center>
- It doesn't make sense to complain of us and to arrange a hysterics. </br>
- Complaints having blocked e-mail, you deprive a possibility of the others, to decipher the computers.</br>
Other people at whom computers are also ciphered you deprive of the ONLY hope to decipher. FOREVER.</br>
- Just contact with us, we will stipulate conditions of interpretation of files and available payment, </br>
in a friendly situation.</br>
<center>---------------------------------------------------------</center>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</body>
</html>
Emails
<strong>[email protected]</strong></li>
Targets
-
-
Target
b9fa8aec976af38d2a8a92a994aed5c2ef2771b1ef9030351cccef354dbe4b4d
-
Size
55KB
-
MD5
f35aef4680d54776183a63f5f453a13c
-
SHA1
d742f7d9ae9f6531b6232192d027a22a3c61e3ed
-
SHA256
b9fa8aec976af38d2a8a92a994aed5c2ef2771b1ef9030351cccef354dbe4b4d
-
SHA512
a0ddfb66f2635ff018b7e99538bae71609308b16a7527bde372c5a83f0573e37fef3f6377c884c61e8a3b0c6f83a28dd36b443c2df20b0e44fd993f5270e4aaf
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-