General
-
Target
78e972669fff152cdd54923993eb98486c347c5a36c9abe733390b1f65785368
-
Size
53KB
-
Sample
220211-hj2d5adfdj
-
MD5
56be376d428914a73a621182f9a098f0
-
SHA1
d201d9384cac1c5ca812367ced50033fba1f298c
-
SHA256
78e972669fff152cdd54923993eb98486c347c5a36c9abe733390b1f65785368
-
SHA512
2a9c9be1cbdd37677044f7643f39639ddfe039647fb3c8a347bb7a35b8ff5bb257ce3fa766f74eb7eb7c3db7693169da695949ff179fd5e703d80a45650e26bb
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>B5 0B 2A B8 87 B3 E1 56 20 80 DE 64 DF E6 DC A5
FE 8E 56 B5 01 0D 24 61 21 E5 DF 8D ED ED 86 71
57 E2 C6 CB 52 F0 61 98 2D 84 A5 CD 37 66 A9 11
5B 74 C7 DA CC 1A 8B 22 60 0B 16 0C D5 ED 75 4B
25 70 C8 58 22 C6 57 5B CF 13 44 68 4A 8A 6A 3B
70 A5 64 14 6D 2B BA 4C 68 0F 3A 48 31 59 A3 66
5A 89 7F 13 91 FE 7F C2 8E 55 3B A2 8E 63 D0 BF
55 E6 0D 4C EF DB 96 02 99 34 44 79 51 63 39 86
2E AB A6 ED B2 25 6C 99 8A 5D 35 35 AD 54 93 56
35 3C 41 F4 F4 AD 59 04 A0 B4 AA 1C CA C2 F0 EA
92 58 A9 20 A2 DB 29 38 06 F8 70 7C 41 A5 6D A5
C0 84 A3 E8 AE 51 76 7C 16 42 C3 15 EE E4 2A C5
84 91 53 8E D9 76 31 38 48 69 13 1C F5 71 24 19
02 82 9B 0E 0D DF FD 9C 2A 61 3B 88 D8 4A EE 3D
4B 33 79 D8 6A DF B9 93 05 05 47 1B 82 F9 DB DF
20 35 7B F1 A6 73 C1 6A BA 14 04 4B 45 77 D5 57
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only sambuka_star proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>0E 79 01 20 AE EE 0A 53 31 2B B3 21 6C 26 1C DB
9E ED F7 FC 31 EA 27 83 45 0D 4A 16 9F FD 70 26
4C 91 90 D4 07 48 F9 17 C7 BE 68 EC 3C 49 2F FB
0B 73 95 C9 2D 31 EE 2A D8 1A 3F 10 9B F1 C2 EF
20 61 CA 7D 9D B9 B8 56 0A BF 56 55 06 52 80 64
E3 A0 6E AA 0A AF 91 2F 8A F9 6C 7B 40 30 8E 1F
2D 83 57 98 AA F2 EF 24 DE 18 DB 5F FF F5 55 73
24 E3 34 52 66 7C 2B 34 76 81 0F 71 E0 15 18 DF
FD ED 8B ED 08 64 88 C1 CB 61 6D 82 D4 76 64 14
B5 65 07 2B CF D4 D2 B4 4E DA 94 99 4F 03 0E 2D
75 2F 71 B7 25 01 A0 CF 37 81 69 CF 22 BF E4 ED
3B B3 66 76 C3 A8 87 B4 9F D5 74 10 D2 AD 39 F4
F9 EF D9 30 21 EB EB C3 9C 95 48 B8 BE 8D F0 5C
7A 4B 3E 67 FB 1F 17 3E DC 4D 6C 1C 75 44 8E 30
0A 41 A7 DA ED 26 B9 6B 13 84 05 E1 97 EC 76 4E
1F 7E 14 F9 E6 83 F7 53 8A 2A E6 28 EC 3B 32 FF
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only sambuka_star proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Targets
-
-
Target
78e972669fff152cdd54923993eb98486c347c5a36c9abe733390b1f65785368
-
Size
53KB
-
MD5
56be376d428914a73a621182f9a098f0
-
SHA1
d201d9384cac1c5ca812367ced50033fba1f298c
-
SHA256
78e972669fff152cdd54923993eb98486c347c5a36c9abe733390b1f65785368
-
SHA512
2a9c9be1cbdd37677044f7643f39639ddfe039647fb3c8a347bb7a35b8ff5bb257ce3fa766f74eb7eb7c3db7693169da695949ff179fd5e703d80a45650e26bb
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-