General

  • Target

    975c3211d94d21ddfbdf7197e50d616ca96716aee48c870b95a340835d7295c4

  • Size

    54KB

  • Sample

    220211-hfwpgadehq

  • MD5

    d5b84f60ce06d4f5578eb9b763b28f95

  • SHA1

    bd17addd0b8fb3ce9724dc357af5055f51238ebc

  • SHA256

    975c3211d94d21ddfbdf7197e50d616ca96716aee48c870b95a340835d7295c4

  • SHA512

    a5a85d77804ed66efb3e602c3a195a52a2c63cc78385cceade90676fc807e78cf351fe69c5acfc7b45379f50de55a5cf7cdf9aea6cd4d054e19753406e0fcaf2

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 5px; color: #FF0000; background: #303030; } .tabs1 .identi { margin-left: 0px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top:0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>81 C7 39 83 9D 2D EF B4 E6 3C 98 E5 33 FC 17 A6 2F DF F6 48 C1 65 CD 6C 5A 74 08 84 62 04 D7 EA BD 48 C3 AD AE 42 F6 F4 69 A5 20 15 22 43 44 0A D2 87 AA F4 9A 90 4B 3A 87 3C 21 18 F4 88 49 5A 95 FF FC 5A F6 5C 2C D3 17 D2 FA 9D 67 04 A0 E1 4A BD B8 33 6D D7 F1 96 5B 29 85 E5 59 F5 7B 3E 4E 28 93 7F 20 B6 BF FA 74 F1 75 43 30 
89 53 9B 1B 55 0E 58 DC BB 16 9C 54 91 75 AF 3B D7 4B A1 21 81 58 6E 73 1E 06 D4 AB E4 37 86 4C 12 07 8A 30 2E EE 5D B4 D6 03 1B 21 CE 44 11 C9 55 D8 C7 77 CE 8B FF BF E4 93 9A 6E 94 4B 29 0B 94 E7 4A EC ED 05 1D DE 43 96 F7 20 8B 05 21 93 8C 30 EB CE 47 71 61 36 A1 A5 93 99 8A 8B 58 76 5E 07 4F 2C 44 15 37 F1 32 E9 76 68 11 D2 59 10 45 D7 0F 08 F5 76 2A 74 F6 30 25 3E A8 47 44 2D F2 D2 BE 5E A0 C6 BD 98 F8 5E 7A 37 F5 38 BF 8E B3 1E CB </p> </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9763; Your files are encrypted! &#9763;</h1> <hr/> <h3> &#11015 To decrypt, follow the instructions below. &#11015 </h3> <br/> <div class="text"> <!--text data --> To recover data you need decrypt tool.</br> To get the decrypt tool you should:</br> <p>Send 1 crypted test image or text file or document to <span> <font color="FF0000"> [email protected] </font></span></br> (Or alternate mail <font color="FF0000"> [email protected] </font>)<p> In the letter include your personal ID (look at the beginning of this document). Send me this ID in your first email to me</p> We will give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt tool and after payment you will receive a decrypt tool and instructions how to use it We can decrypt few files in quality the evidence that we have the decoder.</br> <hr color=red> <center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center> <center><p style="color:#FF0000"> Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. 
No one, except [email protected], will decrypt your files.</p></center> <hr color=red> <ul> <li>Only [email protected] can decrypt your files</li> <li>Do not trust anyone besides [email protected]</li> <li>Antivirus programs can delete this document and you can not contact us later.</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Extracted

Path

C:\how_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 5px; color: #FF0000; background: #303030; } .tabs1 .identi { margin-left: 0px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top:0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>63 BC 56 81 53 51 83 9C E1 9A A8 47 5B 45 9D 9D 41 08 6A 81 7F 82 7F D7 C3 58 E2 AA F8 B5 CF D4 CE 9D 51 CC E4 CD F2 0E A2 70 49 EC 7B 82 DE 70 A3 01 39 DA 5E DE D8 E6 3A 53 9C A4 AD C0 AA 77 8B B8 7C 13 27 F0 ED 6D 78 E7 E3 18 8F 0F F5 C3 43 9A B8 08 9A 03 A1 34 8C B8 13 DE B7 DF 55 5F 4F 63 DE CA 6B 18 EB E3 CD 67 65 D7 B5 
26 A2 5E 23 7F 86 6D 0D 5E F9 26 41 AF B1 42 40 96 AB 5E 58 69 6D F1 2B 92 A8 05 03 25 05 7F F2 0E 78 74 7E 10 BA 43 0A 16 32 24 C6 24 C9 34 72 FB 04 A0 8C 74 E8 86 B7 F0 C7 4B 04 31 48 8E E8 55 88 79 F0 0E E1 57 FC 0F D3 A3 8B 3F 4F 5E 82 39 B0 66 80 3B A9 C8 D7 A6 F6 54 06 BD 9E D2 63 96 6C EB E4 62 BB 75 D2 E8 76 25 3D B5 97 C4 E8 E0 B4 EF 6C 93 24 EB 5D 11 13 54 B4 7A 3A C1 E7 21 AC 42 69 5C 5D 11 BC D5 B2 B4 1D FD 04 5C C4 9D E9 1D </p> </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9763; Your files are encrypted! &#9763;</h1> <hr/> <h3> &#11015 To decrypt, follow the instructions below. &#11015 </h3> <br/> <div class="text"> <!--text data --> To recover data you need decrypt tool.</br> To get the decrypt tool you should:</br> <p>Send 1 crypted test image or text file or document to <span> <font color="FF0000"> [email protected] </font></span></br> (Or alternate mail <font color="FF0000"> [email protected] </font>)<p> In the letter include your personal ID (look at the beginning of this document). Send me this ID in your first email to me</p> We will give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt tool and after payment you will receive a decrypt tool and instructions how to use it We can decrypt few files in quality the evidence that we have the decoder.</br> <hr color=red> <center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center> <center><p style="color:#FF0000"> Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. 
No one, except [email protected], will decrypt your files.</p></center> <hr color=red> <ul> <li>Only [email protected] can decrypt your files</li> <li>Do not trust anyone besides [email protected]</li> <li>Antivirus programs can delete this document and you can not contact us later.</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Targets

    • Target

      975c3211d94d21ddfbdf7197e50d616ca96716aee48c870b95a340835d7295c4

    • Size

      54KB

    • MD5

      d5b84f60ce06d4f5578eb9b763b28f95

    • SHA1

      bd17addd0b8fb3ce9724dc357af5055f51238ebc

    • SHA256

      975c3211d94d21ddfbdf7197e50d616ca96716aee48c870b95a340835d7295c4

    • SHA512

      a5a85d77804ed66efb3e602c3a195a52a2c63cc78385cceade90676fc807e78cf351fe69c5acfc7b45379f50de55a5cf7cdf9aea6cd4d054e19753406e0fcaf2

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks