General

  • Target

    8cbb405174fb7ae4cbbfefd934e5396feddd33cfdaed075ce439cc82b710c711

  • Size

    54KB

  • Sample

    220211-hhaj1sdfap

  • MD5

    b5204963231f9bddba42e611c9f09400

  • SHA1

    018166da7dce248f8a9104fa4a5f2dc20038c0e7

  • SHA256

    8cbb405174fb7ae4cbbfefd934e5396feddd33cfdaed075ce439cc82b710c711

  • SHA512

    ec9de09cc2b83e4446d6954f8e220296b70ca3a0fb5b1e7ee01e949199dc0276413550c5adfd01ff0dd4ede7ad0bb1b24948831610a502acb35096609598eecd

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html>
<style type="text/css">
body { background-color: #404040; }
{ margin: 0; padding: 0; }
h1, h3 { text-align: center; text-transform: uppercase; font-weight: normal; }
/*---*/
.tabs1 { width: 800px; display: block; margin: auto; position: relative; }
.tabs1 .head { text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; }
.tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; }
/*---*/
.tabs { width: 800px; display: block; margin: auto; position: relative; }
.tabs .tab { float: left; display: block; }
.tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; }
.tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; }
.tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; }
.tabs .content .text { width: 700px; padding: 25px; }
.tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; }
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; }
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre>[personal ID: unreadable binary bytes removed]</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>&#9760; Your files are encrypted! &#9760;</h1>
<hr/>
<h3>All your important data has been encrypted. </h3>
Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files . <br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
·Register email box to protonmail.com or cock.li (do not waste time sending letters from your standard email address, they will all be blocked). Send a email from your new email address to: [email protected] with your personal ID.
· In response, we will send you further instructions on decrypting your files.
<center>Attention!</center></br>
<ul>
· It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.
· check the folder "Spam" when waiting for an email from us.WE GATHERED HIGHLY CONFIDENTIAL/PERSORNAL DATA. THESE DATA ARE CURRENTLY STORED ON A PRIVATE SERVER. THIS SERVER WILL BE IMMEDIATELY DESTROYED AFTER YOUR PAYMENT. WE ONLY SEEK MONEY AND DO NOT WANT TO DAMAGE YOUR REPUTATION. IF YOU DECIDE TO NOT PAY, WE WILL RELEASE THIS DATA TO PUBLIC OR RE-SELLER.
· If we do not respond to your message for more than 12 hours, write to the backup email : [email protected]
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>

Targets

    • Target

      8cbb405174fb7ae4cbbfefd934e5396feddd33cfdaed075ce439cc82b710c711

    • Size

      54KB

    • MD5

      b5204963231f9bddba42e611c9f09400

    • SHA1

      018166da7dce248f8a9104fa4a5f2dc20038c0e7

    • SHA256

      8cbb405174fb7ae4cbbfefd934e5396feddd33cfdaed075ce439cc82b710c711

    • SHA512

      ec9de09cc2b83e4446d6954f8e220296b70ca3a0fb5b1e7ee01e949199dc0276413550c5adfd01ff0dd4ede7ad0bb1b24948831610a502acb35096609598eecd

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks