General
-
Target
a4539f0a3745030f91e97d59b937f8bfcd1f9430cabf65f08e280291b6d64f55
-
Size
53KB
-
Sample
220211-he7qcadegn
-
MD5
0371b969f310c5dfbdd79c7cf9658cb3
-
SHA1
70cbd69f69ce164dae29febfca371ea30f2fbd62
-
SHA256
a4539f0a3745030f91e97d59b937f8bfcd1f9430cabf65f08e280291b6d64f55
-
SHA512
39ae060fd0d0eeffc3f1df2e872a8bf31d5e80553197523e56629178a5b7fbf56e8654f7b55cb2f9d540d22d326f109d2abeec837f1c66582a6297c8b5dbadd3
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>C5 0A 0E 87 E4 84 39 23 D2 D8 87 78 EC F0 06 8C
DB 72 E0 A4 23 2C AE 68 3D 43 7B 1B 5E 1D 94 FF
49 D1 77 16 82 83 83 50 BE 4E 62 62 63 C6 47 2B
01 A8 A2 8B C9 73 C7 9E 1F 65 F9 25 8F 84 10 7F
D6 7C AF 71 BD 03 E1 37 57 CC 93 03 CA 3A E2 26
7C 9B 7C 03 85 8D BA 3E 0F 95 84 C8 49 0D BE 39
43 11 E4 0B 63 85 F2 73 F7 04 7A 9F 62 00 2A 42
38 90 68 95 21 34 98 56 23 90 37 50 B3 39 22 AC
8F 60 8C 89 C9 66 34 B5 A1 47 EE E9 80 C9 F4 A3
BA DB 85 08 2F DB 0D E7 67 E2 B8 54 2E 37 4D 89
2F 5E E4 BE FD 78 70 EA E2 BE 72 4A B7 E9 8D DE
A8 9C FF 7F 55 B7 B4 AB 92 F2 1A 76 01 40 99 6E
94 99 98 89 95 DE ED 82 58 08 CB 1C 5B F2 4B F3
99 8D A1 9C CA D5 FA 95 FC C4 F7 EF 4A BF BA F9
50 03 7E 4E DC 78 9F A8 22 C4 AF 7B D5 45 C6 8E
E7 2B 83 C0 CD 1B 40 8F 1F AD E2 3A 16 03 75 0B
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only decoder_master proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>55 89 4A 78 0A B0 19 B7 0B 01 FD B2 F1 F1 0A 6F
F7 1A DC 36 55 B6 24 54 E9 E6 92 67 C9 94 14 CB
11 55 14 2B 10 89 09 63 69 98 8C 8E 63 E6 AE 28
DF 7C 01 E4 66 0D 0E 31 F4 47 BE DE 26 E6 3E 00
46 A3 AF 24 86 04 13 27 7B 98 E1 B7 95 5C 53 54
4E F9 85 1A 01 B9 CB 36 31 AC F0 FC 83 6A 04 7E
59 8C 3C 96 61 EC DA 80 1C 52 2A C8 07 45 E2 57
4B C9 3B BD 88 B8 2E 48 F0 1E 4A 34 9C 12 08 A6
05 92 2C 00 B2 F2 88 2D 07 08 D3 E4 D4 66 F3 88
06 63 01 AF 1B 96 3F 0F 07 8E 05 C7 1D 2E 75 30
D4 46 5E 75 DB 70 38 9A 6F DB 3D 43 5E 22 98 7E
CD FF 01 1D 5D 3D D1 5C B1 5C 7E 07 5B B2 BC 5E
29 76 F9 F5 04 E5 0F 90 D7 83 1F 98 E4 BE A3 06
B7 58 24 AD A4 CB 7C C0 68 E2 E6 10 1C 9B C3 BB
9A B8 12 DE 2D 8B 32 76 7E 74 93 E2 82 8A EE 8E
44 CD 9C 24 FE BE FA E8 56 A9 69 5D 49 15 20 62
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only decoder_master proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Targets
-
-
Target
a4539f0a3745030f91e97d59b937f8bfcd1f9430cabf65f08e280291b6d64f55
-
Size
53KB
-
MD5
0371b969f310c5dfbdd79c7cf9658cb3
-
SHA1
70cbd69f69ce164dae29febfca371ea30f2fbd62
-
SHA256
a4539f0a3745030f91e97d59b937f8bfcd1f9430cabf65f08e280291b6d64f55
-
SHA512
39ae060fd0d0eeffc3f1df2e872a8bf31d5e80553197523e56629178a5b7fbf56e8654f7b55cb2f9d540d22d326f109d2abeec837f1c66582a6297c8b5dbadd3
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-