General
-
Target
8b6af2ac39a80dd70e0b7825e116802c9811129eb0a071c086e0440d6afef7e3
-
Size
53KB
-
Sample
220211-hhgy4adfar
-
MD5
219c8cf5fce1e0c1fc606f10c685507c
-
SHA1
e3ff139b04465febb88e3831eba90249c5ca22a9
-
SHA256
8b6af2ac39a80dd70e0b7825e116802c9811129eb0a071c086e0440d6afef7e3
-
SHA512
6802a1364da38f5dab8b803b5bbf27c1985b7d5f19e8f840f9215b13155df69962d6ade0ae9a0bf9fc89368bc84a7a9dcc12b771554e20bf3907af1988af6262
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������7A 60 DE 31 C7 25 2F BC CC F2 09 E7 9C BA 0B 1C
14 1C 65 B2 97 C9 2B 81 86 48 99 CA 00 68 D4 52
C7 C6 88 03 15 13 B2 60 98 E1 18 62 67 E1 F1 3E
75 8B 8F AE 88 4F 33 35 C5 88 E8 63 A5 92 3B 1F
9F 26 74 23 E0 DC 1C 9A 73 D9 29 E5 D8 86 C0 7A
D7 FE 7F 4E E3 D7 D9 34 68 B3 D9 92 74 20 9D C1
77 12 0B D4 EB 5B 6C C2 29 80 8A 6B 65 CB C9 90
D5 C2 E2 54 EE 69 E0 23 73 FB 47 22 31 4F B7 A4
E5 8A 6F 12 48 23 5B D7 84 4B 54 E5 B5 53 43 EE
25 EC 75 70 45 AA 9A 77 FE 0E 4A F7 9A 2C 32 82
FF 89 02 82 4A DA CE C3 00 E1 5E B4 03 AB F9 C8
6C BC 49 23 21 C5 7A 17 0F C9 CB 8D 83 11 20 8F
EF CA 33 C1 D8 D6 5D CD 11 18 AE 0A 09 89 BD 22
F2 F4 1B 6C 36 B7 63 4E 81 19 5D 6D DC F0 8D E6
7D 84 87 8D 2B DD 48 F5 C9 04 22 C8 48 72 8E 53
63 99 8B 0D BB 0F D0 B3 9F 79 48 41 EB FC 86 CC
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������
Emails
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������84 E8 6D D2 B9 E1 31 3D 05 05 B5 58 61 90 0F A1
9A A6 E9 CF F6 53 1A DC 70 B7 D1 82 83 6C CB A3
63 BB 27 5A A8 8C C7 72 B5 64 FD 22 65 C7 D6 08
46 77 21 91 80 12 4C 6A AF BE 0F ED 10 45 BB 6B
F8 06 13 CD FD 22 71 91 9D 75 FE 99 A1 EB AF 23
99 14 BA 37 3D AD 0B 53 A7 4F B6 85 79 D2 42 52
FA 5C F8 40 D5 03 38 5B EA 3A 23 A8 62 D4 53 2C
DD E9 C3 FC 2B 33 B3 53 CD CB F8 88 CD 29 C2 69
F5 FB 74 33 8E 44 32 45 B7 1A 26 FA 1F 36 96 9C
B9 6B B9 88 42 3A 96 C8 6A DE EE BF 60 1D 59 65
40 63 AF B9 E0 34 C7 D3 25 D8 0C DE C9 19 26 8B
84 6D 5D 09 F4 E6 11 92 2D 49 46 46 D1 05 12 A8
0D B8 58 2A 2D 55 F2 B3 49 CA 97 CC BC 9E 0D C4
E6 2C D2 F5 CC 88 67 3A FA 2D 98 F7 5D 81 B6 59
3D C1 96 43 CC AD DA D4 06 D1 4F 75 91 A1 35 49
FE 02 4C 24 83 94 8B 06 A2 3A DF 65 9C F3 BC 75
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������
Emails
Targets
-
-
Target
8b6af2ac39a80dd70e0b7825e116802c9811129eb0a071c086e0440d6afef7e3
-
Size
53KB
-
MD5
219c8cf5fce1e0c1fc606f10c685507c
-
SHA1
e3ff139b04465febb88e3831eba90249c5ca22a9
-
SHA256
8b6af2ac39a80dd70e0b7825e116802c9811129eb0a071c086e0440d6afef7e3
-
SHA512
6802a1364da38f5dab8b803b5bbf27c1985b7d5f19e8f840f9215b13155df69962d6ade0ae9a0bf9fc89368bc84a7a9dcc12b771554e20bf3907af1988af6262
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-