General
-
Target
55e12521d3f5497a87545453fb6697917d0ac381e1f319d0d855a6c88342cac3
-
Size
53KB
-
Sample
220211-hpt71acad8
-
MD5
edd6deea4d3a250791bd73fcecade5fa
-
SHA1
cf9e35a45ac13955cef15853032238edda0a67e6
-
SHA256
55e12521d3f5497a87545453fb6697917d0ac381e1f319d0d855a6c88342cac3
-
SHA512
58164b91e13e23030dc73471bea65d9554b3f673feb836879eb04ed69b896e58aa30790635cfcd67a3fa0893b8442f1a66907cddee946cb5643d2987fedbb4c8
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������1C 6E 72 03 DC 04 A3 A0 0E BB 48 73 B7 35 3E FC
38 8F 6F A6 8D 1C EA 32 0F 02 22 24 9E CA 0E 1E
81 E9 66 45 7B 76 B6 4B 2F 96 89 64 CD 4E 02 C4
08 72 7F 9B 9B 29 BF A7 AB 73 45 6B E3 12 8F A3
09 49 3F AC 1B B3 CA 25 94 6D C6 F1 E7 5C BC 03
9E 72 91 E3 4E 05 E9 D6 C1 73 00 95 34 E0 CE 85
E7 E3 E0 99 B1 85 E4 56 EB F8 EF 8A E9 F3 32 10
CC B1 F6 FA 89 35 26 35 95 66 5F 0B 7F E3 8B D2
C5 B1 4B 60 A4 FC 1C 2D DF D7 CB 15 F2 8B 28 41
56 32 51 35 F7 9E AA 03 2B 19 8C 9D 98 88 BE B0
96 82 C9 3F D0 7D B5 E1 AE CF AA D3 46 C9 F6 37
AF BF FA AF 23 47 04 DD DA 2F F2 9F 76 4F 30 06
31 75 BB 51 6B 89 07 23 21 29 62 0B F5 8D 7D A6
8B 8F 9B 45 93 D7 A7 66 7D 43 97 48 CF 54 49 64
0D CE F4 0C 86 40 3D 04 E8 A3 E9 A6 78 C2 F6 FB
DA 57 49 D5 BF EA 20 4D 28 45 E4 0E 2E 49 52 B4
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������������
Emails
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������11 B8 12 E7 CC 50 21 23 06 2F 2C CF 4E 69 7D AA
CD BD E3 05 90 F8 22 97 B3 12 9D BB 8E 6E 87 85
D9 ED 16 91 8D 64 EA 6F A5 E8 8D 3A 70 6B 86 67
F2 A8 A4 62 46 9F 9D FF 90 5F 23 87 F7 67 BF 72
00 80 44 EC E8 D6 21 BA CD A4 DB E7 2D 8B 3D 8E
71 5A F0 88 B4 65 28 02 FF 73 9D C7 94 85 47 79
A1 94 FB 3C CB B9 24 84 9E 72 30 6F 4B 8A 20 10
74 89 C0 5C 07 1F 10 C8 14 A9 54 07 4C E4 46 D8
D6 F9 51 3F A0 80 FA 13 6E 59 48 3C 81 F2 7E D6
51 D0 10 37 BF 61 88 79 E5 8F AB F5 69 3B D2 FE
25 5B 99 08 BE F1 31 99 E2 AC 16 CC 86 7E F6 7C
BB 7D 3A 2E BC 6A F5 F7 1A 0B A3 A7 F9 EE 92 5C
71 17 31 8B 27 D8 8E D8 A2 8D 01 11 D6 1F 41 8D
4F 50 B1 8E 9E E0 80 2B 37 1C E7 7D BB 51 7F 1A
30 53 E6 27 A1 83 94 DE 30 2F 75 33 2C 3E 00 17
2B 37 C1 3A 5A 16 B0 C5 68 E9 E2 30 01 97 C3 70
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������������
Emails
Targets
-
-
Target
55e12521d3f5497a87545453fb6697917d0ac381e1f319d0d855a6c88342cac3
-
Size
53KB
-
MD5
edd6deea4d3a250791bd73fcecade5fa
-
SHA1
cf9e35a45ac13955cef15853032238edda0a67e6
-
SHA256
55e12521d3f5497a87545453fb6697917d0ac381e1f319d0d855a6c88342cac3
-
SHA512
58164b91e13e23030dc73471bea65d9554b3f673feb836879eb04ed69b896e58aa30790635cfcd67a3fa0893b8442f1a66907cddee946cb5643d2987fedbb4c8
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-