General
-
Target
767d78b37cf4e079adb1f52d86846d77af853bbf0489b43df9b73d0e3dce5337
-
Size
53KB
-
Sample
220211-hklp3adfdq
-
MD5
35143587f761112c666f579ee0d8c025
-
SHA1
b0453a61945fafda4b7d538d17d7dec3495f2bba
-
SHA256
767d78b37cf4e079adb1f52d86846d77af853bbf0489b43df9b73d0e3dce5337
-
SHA512
6ccaf52a2f82bfd08926349e59c84973037eff9a5ace4cb84c359193687f16251317f602ef844ada680ab6935d2b712b877f3f8c2f4ea7276347db08f24c9806
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>92 03 23 B5 2C 6D 9C E9 1E 90 4A 4F 0A A1 FE 4D
86 EF 52 9A A7 52 19 7C 3A F0 A4 03 C5 3A FE FB
E3 BE 6E 0D 0B 26 3C 01 F6 66 9D 43 0D 50 8F 25
26 27 61 2C 97 A2 8E 8B E4 2E 5D 8E C4 92 1F E5
DE C1 42 93 3A 53 87 60 CA E2 34 42 9F 2A 39 E1
77 2D 79 32 D0 53 12 82 E2 59 88 B9 2E 26 8D 7D
9B F0 D6 4D 88 86 DC 90 5F 7A 92 20 F4 58 E2 4E
15 3E 47 7B 68 84 19 3D 7E 08 B1 98 AB 70 36 F1
85 E4 3F 6B 9F E8 85 F8 3C 0E 73 57 7A AA 8F 30
17 A3 F9 46 D9 3A 61 F4 E5 8A 5E 40 A3 D1 40 21
4F 85 2A 47 C1 25 38 AE 15 AA CB B4 2C 74 E6 25
18 EA B0 02 AC 6D B0 56 BA B2 A7 5D D0 91 EC DB
54 35 97 DA E8 0E C2 E6 E8 1A 37 EA AB 2A FC 4B
9C 4E 4C A9 E8 3C A5 31 0B 21 3A 82 C4 AB A1 52
A5 6E E8 3A 6B 1D 11 37 6D 5F AD 37 87 0A 17 7F
4B AC D0 4B E4 85 D4 C6 39 68 0A DA 28 80 62 1C
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only skunk_girl with proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>3C A1 25 0E 9F EE B9 EA C2 52 13 03 BF C7 54 39
9F B2 65 93 88 8A FB 82 63 4B FC 4D 0E C4 E4 8D
F3 4A E0 96 20 B8 18 A9 59 31 81 7F B3 76 09 B9
87 25 5E EA E6 0F 08 3F 46 E4 C0 9C 3F E7 50 D3
DE F7 6F F5 FC 11 FA BD 01 3F B8 0E 32 54 0F BB
C4 DB AC 58 AE 98 DD 42 31 94 FF 80 17 33 BA A8
F3 BA 9F F2 B2 0B A5 24 55 61 9A 1A 1F 90 13 19
A4 68 08 8D 06 58 61 2C D1 87 90 15 F6 07 BE 19
D8 45 29 44 C9 97 6E 02 2A 07 B6 BF 1E A1 87 3F
0F 0B 4A C2 2E 9D 20 88 63 AF 99 42 76 11 31 AE
50 56 6C F9 DF 4A 78 2D 45 79 20 77 9A 87 28 68
2A 19 C9 A6 F3 D7 CA 4E 88 5E 70 02 24 CA 5B 4A
DB 94 25 66 D2 27 58 15 1F 01 AF 9F 3E 5F 83 C6
4E 75 65 D0 85 7A 70 8D 6C 00 CE 6F 09 7A 3F 09
C1 76 ED AE 96 4B 2E 5A F4 F7 A5 99 5F 31 00 63
19 0A 53 C2 1A 67 5A BD 15 21 83 1A 28 DA 64 C9
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only skunk_girl with proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Targets
-
-
Target
767d78b37cf4e079adb1f52d86846d77af853bbf0489b43df9b73d0e3dce5337
-
Size
53KB
-
MD5
35143587f761112c666f579ee0d8c025
-
SHA1
b0453a61945fafda4b7d538d17d7dec3495f2bba
-
SHA256
767d78b37cf4e079adb1f52d86846d77af853bbf0489b43df9b73d0e3dce5337
-
SHA512
6ccaf52a2f82bfd08926349e59c84973037eff9a5ace4cb84c359193687f16251317f602ef844ada680ab6935d2b712b877f3f8c2f4ea7276347db08f24c9806
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-