General
-
Target
4f2ae2b3596874c305438f1cbe2b91e8efeafcad250b2d849972d12b0d1a93b8
-
Size
27KB
-
Sample
220211-hq1q6scae9
-
MD5
24c69e75e88ca4e1f24e0f39b8b49b55
-
SHA1
62a1169310e55df08ac67b788a94f555216a4066
-
SHA256
4f2ae2b3596874c305438f1cbe2b91e8efeafcad250b2d849972d12b0d1a93b8
-
SHA512
8c8d82c623a6d743a064ce1c2b816d766123a4d7305baafe7f43fbbbae1d345d1149250104491f7dcec64d5032254c376dea6cbd1f0725450941d0e98388997d
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>5F 7F 6F 60 24 4B 5A 5C 8E E2 4C EC 1F 81 BA 51
D5 B9 F7 22 33 97 A3 A7 E5 D4 E3 B4 B9 07 34 C2
28 04 2D 73 3B 16 EB 5B D7 1E D6 2C 28 8F CF 9B
B4 8B 77 EC AB 9A 6C 80 97 27 99 3A A4 B8 DE 76
EA F0 EF B6 42 27 E9 D4 34 49 26 1A A9 AA F7 70
01 8E 96 49 A6 DA 6C C4 E1 77 B2 11 6B 1F A2 57
94 DF CA 1B 14 83 E9 5F 7F E0 35 03 38 A0 34 99
D1 B3 9E 95 E9 FF 2D BC 62 68 BB 86 DE 61 C6 2B
00 34 60 96 DE 5A DA A3 CA 56 AC D0 47 9C 71 C9
37 39 47 26 DC 22 71 C7 DE 5B 8E 1D EE 61 BF 3E
AC F4 F6 02 46 07 14 45 FD F4 1F C2 2E 6F 41 93
76 7D 35 BD 12 E8 D2 11 3B E3 57 AC EF 54 BD 13
67 16 57 70 21 C9 26 FF 54 31 D0 FC 84 60 3F 54
F1 AF A8 94 AF F6 C8 A1 55 77 D9 28 9B 2C E8 45
ED FD 7F C8 CE 23 92 D1 F8 BD B5 A7 C4 EC F1 D8
84 9D 75 5F 6F 33 5A D7 15 50 71 C0 FD 1F C9 72
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only decoder_master proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>32 16 9A 01 5C F0 BC 60 3D 09 ED 93 4C B5 EE BD
7F 1E 85 D9 79 4F 20 4D 36 7E E0 1B C0 CC 55 E1
28 48 64 E1 B9 C0 8F 54 62 4A 98 D4 2D 63 E5 A2
03 D5 6C D8 DF 50 18 9D DC AE 0A DE B0 A9 9C 26
F5 1E AA 62 64 C4 9F 6B CB EE C5 2B 3C C8 67 F6
4A A7 71 A9 C6 B0 2E C3 F1 76 6F 96 25 AD 9E 04
61 A6 A4 1E 85 FD F1 ED EA C2 7A FA 85 E9 36 98
9D FF 84 5B 3E 51 02 83 D0 63 08 A7 41 C4 AB BA
18 E1 23 2F AD 15 DC 2F E0 0C A0 6D E1 3E 42 50
EF 5E EE 89 09 44 E3 6C F9 4A 49 EE F2 88 6B 68
42 5C 4D 90 2B DF 26 3C AA 1D 08 F9 9D 08 EC A3
50 7C E8 1E 92 4D 63 7D 3E 3F 66 FA B9 2D 6D 41
A6 CA 3B 09 9F 1A 4E 6B D9 8A C6 CC 52 B1 4F 27
5E B5 8F D1 A5 67 75 C2 39 3A 2C E8 4D 41 8F EB
7E BC 13 E1 A2 5C 3D 45 DE 28 8F D4 24 6A 7C 2C
0C B8 62 86 FF 5E 5C 4B 8B 80 E9 48 89 01 84 B8
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only decoder_master proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Targets
-
-
Target
4f2ae2b3596874c305438f1cbe2b91e8efeafcad250b2d849972d12b0d1a93b8
-
Size
27KB
-
MD5
24c69e75e88ca4e1f24e0f39b8b49b55
-
SHA1
62a1169310e55df08ac67b788a94f555216a4066
-
SHA256
4f2ae2b3596874c305438f1cbe2b91e8efeafcad250b2d849972d12b0d1a93b8
-
SHA512
8c8d82c623a6d743a064ce1c2b816d766123a4d7305baafe7f43fbbbae1d345d1149250104491f7dcec64d5032254c376dea6cbd1f0725450941d0e98388997d
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-