General
-
Target
8ebbb1131e1a4dd52e3555e9bcef4cd3b23d560010ed015a9d78bbfc3a6270d8
-
Size
53KB
-
Sample
220211-hgzshsbhf5
-
MD5
bfb21bd0faa1d71032d8db4160b3d8bb
-
SHA1
7088e72c134021a906585848518f78b9f159347f
-
SHA256
8ebbb1131e1a4dd52e3555e9bcef4cd3b23d560010ed015a9d78bbfc3a6270d8
-
SHA512
f5340b355be8474e25d504ce38081c2fb8e536dd6e97568a8a4fc9c9b5f68df0fef1b5228fa4b08ce81dcc2f1df0634201121d6eca7666d249566ed6d0fc6bf8
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>���������������6A F9 22 A4 A6 01 DB 9F 2D AB 01 64 43 DD 7C 60
FC C3 49 A9 35 57 E5 09 EE CB C1 A0 0F C4 F0 66
FF 12 72 59 7C 14 78 09 67 E5 38 AF 11 20 20 21
DF 33 D0 61 64 1A E9 70 9A 13 E3 6F 0B DF CF 67
A6 4C FF E8 F2 C0 01 9F 78 02 7B 71 3A 38 86 C0
1C D8 03 32 DD 3A 36 1C 94 CA 75 7A 7D AF 00 AA
51 76 67 EA 35 A7 63 10 95 39 C2 33 33 A8 5D AE
31 FE 55 1E 65 7F DF 4E 9E A2 BA BA 4A 16 0D 5B
35 65 E8 02 0D 23 44 50 7E EF D6 9C B8 20 83 45
24 D8 D9 5A 06 8C E8 DD 72 C3 32 4D 2E DB E6 9F
28 3C F6 3B 53 DC 99 94 FA EA C6 2A 74 12 B9 17
67 BA E2 43 BF 1B 77 A9 9A BD 63 35 A3 BB 42 38
08 2B FB E8 1D 73 D8 C5 B6 10 D4 91 AF FC FE F3
67 63 A1 09 D0 A6 77 48 E9 FD 04 D7 04 26 3D 5B
BB 4D CA 30 38 37 78 99 8D CD 61 DB 24 47 20 5D
A9 BF 16 D6 27 09 5F C8 55 88 85 2A A3 C4 C7 44
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 test image or text file <span> [email protected]</span>.</br>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<center>Attention!</center></br>
<ul>
<li>Only [email protected] can decrypt your files</li>
<li>Do not trust anyone [email protected]</li>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>���������������27 DE C0 B0 E9 05 DA 0A 4B FB 3A B3 32 10 5E D7
AA E6 6A CA 2A 86 42 10 5E 9C D9 7B 35 A5 D5 97
FB A5 39 6C 1A CA 1A D7 1B BF ED 5B A9 D6 F7 9B
D2 0D 22 3C C6 7B 3F 83 FB 74 9F EF 8C B3 8F 6B
49 39 53 3B 57 6C 68 99 2B 8C 7A 3E DA 21 3C F6
83 D5 C5 FE 6D 54 5E CC 31 7C 04 6D AA E2 AB 83
85 C1 74 3F E0 61 4D 5F 5E D6 3E BE 76 9F EC 43
73 9B 23 AF 0B 6F 88 FD D3 40 82 E0 5D 33 83 D4
4C CC 3F 0E F0 05 3E D9 11 69 AD 46 28 85 F6 80
ED 98 E5 28 0B 93 AE 86 FC C5 CC 89 2F F1 89 3B
A3 80 FA F5 04 3E D1 FF 48 E3 9A 5E 2B 94 0E 9E
F0 8A EB 82 C2 AB 4B 47 B5 45 C4 49 F2 90 03 63
33 61 FE 3F 91 89 DB 3C 2A 8E 6C 42 08 94 16 DA
38 EB F1 E4 4C 06 A7 53 1E C2 4A 27 66 1F A8 23
A6 F2 88 6F E2 4C 56 31 B5 AB 1F 20 13 9D DF 4E
90 F6 B9 62 F6 EB D3 1A AE EF 0B E1 25 B7 F3 FC
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 test image or text file <span> [email protected]</span>.</br>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<center>Attention!</center></br>
<ul>
<li>Only [email protected] can decrypt your files</li>
<li>Do not trust anyone [email protected]</li>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Targets
-
-
Target
8ebbb1131e1a4dd52e3555e9bcef4cd3b23d560010ed015a9d78bbfc3a6270d8
-
Size
53KB
-
MD5
bfb21bd0faa1d71032d8db4160b3d8bb
-
SHA1
7088e72c134021a906585848518f78b9f159347f
-
SHA256
8ebbb1131e1a4dd52e3555e9bcef4cd3b23d560010ed015a9d78bbfc3a6270d8
-
SHA512
f5340b355be8474e25d504ce38081c2fb8e536dd6e97568a8a4fc9c9b5f68df0fef1b5228fa4b08ce81dcc2f1df0634201121d6eca7666d249566ed6d0fc6bf8
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-