General
-
Target
78568cb5465e8ab060762f46799499a58fbddd2f58c58a3eb8684b931c0b9d56
-
Size
55KB
-
Sample
220211-hj6c3sbhh3
-
MD5
983c595756df443a888b52e027dd3461
-
SHA1
5f93b7fcbf41fe554039f779c06552bf5e2998fe
-
SHA256
78568cb5465e8ab060762f46799499a58fbddd2f58c58a3eb8684b931c0b9d56
-
SHA512
1f2a9bccc25862f983278b3ad9f6d80f90df1e776a26f5616afc3e29e944bdac05cb15a953079899903d278d6c9d20a492c895f69a0f1b7c3a2752062fdcc949
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
}
.mark {
background: #ff0000;
padding: 2px 5px;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #FFFFFF;
background: #ff0000;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #ff0000;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h2><b>▼Your personal ID▼</b></h2></div>
<div class="identi">
<pre>AE C9 76 12 87 FF 6B A2 C0 D1 04 A1 0C 3B F3 D7
BA 50 3E 4F 1E 93 4F D7 72 69 11 29 0C F8 02 8B
EF 7C 54 DF C5 3D 48 05 D6 C5 DE 2F B4 E8 6C 6D
C5 B9 AB C6 A5 66 1D 59 46 0C D4 40 B1 C2 AE F3
C0 97 A9 64 BC 17 67 90 2E 1B 36 7E C6 EC 83 95
34 96 64 AB FD 22 3F D8 DE 63 6E B5 B6 7E CF 5A
76 79 EE 29 39 21 87 AE 2E 8B 2F 50 2C EB 87 B7
E1 CE CD E3 7E BD 89 E6 61 83 52 44 8D 3A 21 EF
D0 18 84 7B 0F 99 50 14 F8 D2 3D 4F E8 F4 3E 4B
43 0F B7 6F 9B 5F 34 E3 CC AB E1 B3 CD F9 48 53
55 8B 28 73 06 03 24 E7 C9 09 3A DD ED BE 6E 31
CF 8B 61 11 4A 4D 5D D1 8B 17 DE E5 C7 37 FD E3
26 05 B1 37 CE D2 4D 4C 62 0C 17 8F B6 7E 03 13
B2 69 F2 EF 30 99 1E 64 D0 81 45 8B B4 FA E5 E7
3F 99 15 60 66 72 6D 0C 9F CC 50 53 72 70 BC 36
B4 53 28 DE 4B 8B 79 A2 79 B4 15 63 DB B0 3D 96
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1><B>☠ Your files are encrypted! ☠</b></h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 test image or text file <span class="mark">[email protected]</span>.</br>
<p>If we do not respond within 24 hours, write to us on the second mail: <span class="mark">[email protected]</span>.</br>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<center>Attention!</center></br>
<ul>
<li>Only <span class="mark">[email protected]</span> can decrypt your files</li>
<li>Do not trust anyone <span class="mark">[email protected]</span></li>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
class="mark">[email protected]</span>.</br>
class="mark">[email protected]</span>
class="mark">[email protected]</span></li>
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
}
.mark {
background: #ff0000;
padding: 2px 5px;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #FFFFFF;
background: #ff0000;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #ff0000;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h2><b>▼Your personal ID▼</b></h2></div>
<div class="identi">
<pre>9C 7D D4 64 D8 20 43 09 69 4F 9A 6F 44 E7 9D 64
C6 C1 A2 82 9B D9 55 7E 3D B2 25 15 E1 9B B2 64
2A DD CE AE BE 58 13 9C 1D E3 29 B9 B0 9D 62 15
D7 17 F5 F1 D8 02 31 30 6B C5 37 E8 43 F9 00 78
23 66 A6 2B BE 1D DF A1 53 11 88 FA 81 5B 38 B9
6E F8 3E C9 B5 58 A4 82 3A 69 7E DF 99 08 CF B6
55 92 43 40 1C 36 AC BC 28 4A 6A F3 CD 21 74 7D
45 92 81 EE 19 00 10 9B F1 32 CD 86 CA BA F7 01
C6 50 43 98 B6 13 B5 CB 1A 0E 68 5B E4 DE 0A FA
3B 52 63 9D 8F 83 2C 5B 8E 47 A8 69 C7 13 A4 4F
88 AE C5 CD 87 CB 1B 7A A9 CD 8E 30 BE 13 23 90
9F D8 E3 5A F0 41 E5 DE 19 77 DA 3F C5 B1 22 36
26 1E BF E8 BF C6 7A 63 0F 21 AC B4 FE 42 23 85
DC F1 82 05 6E 3E 41 5D C7 88 DF DF 0E C1 F5 FC
0F D8 3B 9A C5 49 2E 10 AC 4F C3 38 62 04 C8 42
72 33 36 4E 26 A9 3B E1 3A F6 B3 69 E9 AF 03 87
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1><B>☠ Your files are encrypted! ☠</b></h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 test image or text file <span class="mark">[email protected]</span>.</br>
<p>If we do not respond within 24 hours, write to us on the second mail: <span class="mark">[email protected]</span>.</br>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<center>Attention!</center></br>
<ul>
<li>Only <span class="mark">[email protected]</span> can decrypt your files</li>
<li>Do not trust anyone <span class="mark">[email protected]</span></li>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
class="mark">[email protected]</span>.</br>
class="mark">[email protected]</span>
class="mark">[email protected]</span></li>
Targets
-
-
Target
78568cb5465e8ab060762f46799499a58fbddd2f58c58a3eb8684b931c0b9d56
-
Size
55KB
-
MD5
983c595756df443a888b52e027dd3461
-
SHA1
5f93b7fcbf41fe554039f779c06552bf5e2998fe
-
SHA256
78568cb5465e8ab060762f46799499a58fbddd2f58c58a3eb8684b931c0b9d56
-
SHA512
1f2a9bccc25862f983278b3ad9f6d80f90df1e776a26f5616afc3e29e944bdac05cb15a953079899903d278d6c9d20a492c895f69a0f1b7c3a2752062fdcc949
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-