General
-
Target
5e420e8d8e9c10de757f9cda8cf5deff9feccee2c87f5508e0d2e0b6ccce6600
-
Size
53KB
-
Sample
220211-hnc74acac2
-
MD5
9b1b4a4a0aa0b86ca07fa688acf55f0c
-
SHA1
c40e19611edf3becc18824d82b95e8f0eec52c39
-
SHA256
5e420e8d8e9c10de757f9cda8cf5deff9feccee2c87f5508e0d2e0b6ccce6600
-
SHA512
7258099f6811e1ea918704fc495d6e5003d704aba0d983df7349f3c6d24caef82ba663d1679be61073317c2a2ad868051bd5b38fdaf99ff202fc42fb1efcb587
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>���������������6E FB E8 CD ED 92 FC 49 35 48 B3 39 5D B3 EF 24
D5 BF CE A3 F9 37 2E 31 1A 59 E7 5A 24 97 99 8F
6B 7D D8 05 65 28 B5 DF 95 2F D8 A6 97 0F 46 A2
22 CE D5 33 22 3A 21 D3 45 10 68 6E F2 FC 7C 54
FC DF 9D 24 B4 DB D9 66 81 0F 84 1D 63 79 FD B6
59 FE 46 53 E9 16 88 B5 D0 D6 E1 02 C4 6D 26 E8
4B 63 A1 28 B2 52 AC 39 A3 5F 08 6A D1 96 71 7F
94 0A 22 D7 1A 98 B8 77 EE AA 45 6E 1F 12 8D BF
D0 A9 D1 D9 C8 70 8F 6D 3A 6C 86 64 31 EE 0D 88
C4 2D 6F 0F 87 15 72 07 CA FA 45 28 71 FD 80 BC
5C E2 07 11 43 43 B9 00 03 00 65 B4 F3 02 B3 95
AC 41 15 FC E8 06 9D 10 05 D0 08 79 9B 1D E5 72
66 FA 33 B9 AF F9 36 4E E6 72 65 41 17 8D 35 F7
1A 55 37 E8 ED A8 C3 29 51 B8 83 B3 E6 BE DE A8
F8 69 6F 37 9C 3F FF FD 45 9D B1 72 B6 7A 85 7A
DE 8C 3C 72 05 59 BA 06 75 A3 6A E2 41 C4 30 64
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 test image or text file <span> [email protected]</span>.</br>
In the letter include your personal ID (look at the beginning of this document).</p>
Cost of decoding 1200USD. NO discount. Payment is accepted only bitcoin</p>
You can buy bitcoins in your bank or from private currency exchangers. After receiving the payment, you will receive a decryptor that will automatically restore the data + practical tips for protecting your server from hacking.</br>
<center>Attention!</center></br>
<ul>
<li>Only [email protected] can decrypt your files</li>
<li>Do not trust anyone [email protected]</li>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������
Emails
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>���������������12 E4 75 DB 75 D1 A8 B0 D0 3C 6F 3C 2A EB 3B 5F
97 69 8D 85 14 7E E6 36 C2 D6 3D 31 9A 56 B5 FD
35 CC 4A 44 8C F3 E6 32 39 34 B8 73 7A 06 95 08
45 1D DF F5 F6 D5 EB 1E E8 9A AD EE A2 25 93 58
AD 89 3C B3 C3 04 6C AE FE A8 A4 1B 3E 0D 5E A6
30 F2 A1 D9 DE 50 4C D6 A2 A9 27 64 ED 99 59 17
F5 D1 59 D5 6E 54 C3 DC E9 2B 06 96 29 EE 83 37
8C EE DA FB B5 E2 DC BD E3 D5 C3 31 2B D0 B1 73
C4 D8 31 95 D4 E8 3F 17 C8 6E 52 A1 A5 40 50 E7
9B 82 13 E1 0A A1 03 7E 18 77 2E CB 64 AB 74 2E
E7 BD E1 81 DB FB 33 7A 59 58 2C 43 75 51 5A 9A
36 02 B3 0C 66 08 39 78 AE 69 6F DE 87 F4 E3 71
2F AF F6 D0 75 90 BD 50 C0 38 84 6D 6B 0D F5 75
4F 0E 79 12 F9 41 E8 52 F0 3F 86 B4 75 60 CB 51
DB 8F A9 D5 AF 61 29 41 53 9A 64 01 D9 2D 07 D8
28 FB 6C 2E FD D1 F4 E6 36 61 84 DD 18 1C 61 03
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 test image or text file <span> [email protected]</span>.</br>
In the letter include your personal ID (look at the beginning of this document).</p>
Cost of decoding 1200USD. NO discount. Payment is accepted only bitcoin</p>
You can buy bitcoins in your bank or from private currency exchangers. After receiving the payment, you will receive a decryptor that will automatically restore the data + practical tips for protecting your server from hacking.</br>
<center>Attention!</center></br>
<ul>
<li>Only [email protected] can decrypt your files</li>
<li>Do not trust anyone [email protected]</li>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������
Emails
Targets
-
-
Target
5e420e8d8e9c10de757f9cda8cf5deff9feccee2c87f5508e0d2e0b6ccce6600
-
Size
53KB
-
MD5
9b1b4a4a0aa0b86ca07fa688acf55f0c
-
SHA1
c40e19611edf3becc18824d82b95e8f0eec52c39
-
SHA256
5e420e8d8e9c10de757f9cda8cf5deff9feccee2c87f5508e0d2e0b6ccce6600
-
SHA512
7258099f6811e1ea918704fc495d6e5003d704aba0d983df7349f3c6d24caef82ba663d1679be61073317c2a2ad868051bd5b38fdaf99ff202fc42fb1efcb587
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-