General
-
Target
a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a
-
Size
53KB
-
Sample
220211-hfhslsdehk
-
MD5
6f76f956cd44ed86f462c2a4c17a640e
-
SHA1
25b34ea3cdcc5b6e3f94f27dc250c2f3d8cbd43b
-
SHA256
a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a
-
SHA512
b95bc1a7a4c57a0849e8b0adb24996750bdb676208057d4a4b5c682662ab4903210bbf968b7aa37e8d8d2be2535495c75f2a28347b0b50ace1d695747f59df8a
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������18 20 ED 25 6F D7 63 05 5E D3 06 08 1B 91 BF 05
F1 A1 EE 53 82 0B 8F 28 3E 4D 56 40 09 4D FC 5C
4F 08 89 1C 5B 87 52 EE 85 71 EC 9F 22 00 7A BC
67 1F 42 32 04 C2 AE 12 A9 8B 9C 1F FD 13 92 CC
3B 4B EA 38 18 BA 00 9D A2 CD C9 0C E1 28 9D E8
E8 54 74 B3 DC 2D CB 11 78 4A 48 A1 0C D0 1C EB
65 F5 4C B2 65 97 0A E1 83 76 59 9C DD 02 20 70
D3 C1 F7 64 A0 53 B6 D1 30 86 4F 77 D8 CC 45 1D
97 E1 89 19 56 B9 6B 04 49 FB 75 26 D4 60 0B 69
AA B4 8E 0C 95 04 3C 37 23 9F B0 D8 72 42 71 74
3B 5F C7 7C 66 C0 81 0D 37 0C 78 1E 7A 79 37 70
85 64 57 5B 9E 35 1B 11 44 44 13 D8 94 5B 1E 8D
55 EB 24 C7 D2 5E 9F 6A 19 8E BF 54 2E 52 D2 4A
C9 90 0C 9F 1C B4 9F 7D 54 0B 11 18 66 37 2C 73
4C 5B 2A 60 00 5A 58 41 1F 59 29 85 F0 D8 2B DE
AC EF DF B8 A2 7F 08 9B 58 2A 41 05 5B 4A D3 CC
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="mailto:[email protected] ">[email protected] </a>
<br><a href="mailto:[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�
Emails
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������00 9F 81 09 D7 C2 AD D7 EA 7C 71 A1 E2 CC 83 CF
26 26 4F 23 F8 A4 06 0F 24 0D BF DD E5 CD E9 9D
2C 6B 21 A3 3B 79 F8 B6 CD 37 64 26 77 3E FB B2
E6 35 42 DD F8 77 52 93 73 22 54 0C ED D8 9D 27
95 20 70 6E 02 EE 9C 36 60 17 82 9E E9 56 67 61
AC DF 61 0C 37 A7 7F F1 A6 EF 3B AF DB 39 7F E6
91 F0 FF CA F2 8B 50 9B 5C 9B 2E 4C D1 DF B5 A9
1E 8E E3 2E BE A1 74 97 24 97 1A 80 09 D3 E6 8A
34 3F 79 A4 B2 51 BF 74 96 E5 A9 A4 F6 6E F3 D2
73 F6 47 0C 30 FF DF 5A 34 4C 92 DC 3D 9C C3 CB
FC BD 26 CE C1 32 3E D3 9A 89 96 B5 0E AB 53 E8
E6 1D AC C1 D2 08 BE F0 E2 2E 3E 24 9B 04 2A 12
CE 98 AF 5E 41 55 0A 16 01 1A 9A 36 9A C8 9B 70
EA A9 8A C3 75 CA D3 FC 43 7E 00 3C 09 AE 2F B6
36 66 3B 50 66 8F B9 F4 DE F0 20 2A E3 80 AE 37
4C 4F 33 43 53 99 62 28 F7 2D 27 D7 BC 9D 5A 9D
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="mailto:[email protected] ">[email protected] </a>
<br><a href="mailto:[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�
Emails
Targets
-
-
Target
a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a
-
Size
53KB
-
MD5
6f76f956cd44ed86f462c2a4c17a640e
-
SHA1
25b34ea3cdcc5b6e3f94f27dc250c2f3d8cbd43b
-
SHA256
a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a
-
SHA512
b95bc1a7a4c57a0849e8b0adb24996750bdb676208057d4a4b5c682662ab4903210bbf968b7aa37e8d8d2be2535495c75f2a28347b0b50ace1d695747f59df8a
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-