General

  • Target

    5588fb6d626fa5f0e183859f05c75673a468fe8d144b69dc8c8fe6a631413383

  • Size

    54KB

  • Sample

    220211-hqcz4sdgal

  • MD5

    b898d451eff721d1afbd4cc314d66030

  • SHA1

    196f8e9833c6ded3970be0656e71d366cc9847be

  • SHA256

    5588fb6d626fa5f0e183859f05c75673a468fe8d144b69dc8c8fe6a631413383

  • SHA512

    ae2365030a893fb4bc1b75de08552ad451dc9d85d405108d05901ea31e22015e27faf917f5df518033a057419535d157bc7c14644ad6a59816f9946025f504eb

Malware Config

Extracted

Path

C:\HOW_TO_RESTORE_FILES.html

Ransom Note
<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> <style> html, body {height:100%; color: #fff; font-family: monospace; background-color: #000;} a,h1,h2,h3,h4,h5,h6 {color: #fff;text-decoration: none;} a:hover {color: #aaa;} ul {list-style: square outside;padding: 15px;} .wrap { position:relative; width: 850px; margin: 0px auto ; height:auto !important; height:100%; min-height:100%;} .contentdiv {padding:10px;} .heading { text-align: center; font-size: 25px; letter-spacing: 0px; font-weight: 700; text-transform: uppercase;} .mould{ width: 400px; display: block; margin: auto; text-align: center; position: relative;} .mould .main{ padding: 10px; margin: 5px; border-radius: 6px;} .mould .main-part { padding: 10px; font-size: 12px; font-weight: 700; background-color: #252525; background:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAQAAAAECAYAAACp8Z5+AAAAJ0lEQVQYV2NkYGD4z8vLywADjLy8vP/hPAYGBrjA58+fGUAqMVQAAPnKB51wUh2MAAAAAElFTkSuQmCC) repeat;} .mould .id-text{color: #B22222; text-align: left;} .mould .ID{overflow: auto;} .content { width: 800px; display: block; margin: auto; position: relative;} .text-data{ width: 800px; padding: 10px; font-size: 14px;} .attention { margin: 15px auto; text-align: center; font-size: 20px; color: #fff; font-weight: 700; text-transform: uppercase;} .emails { background: #191919; color: #34dddd; padding: 2px 5px; border-radius: 4px;} .tech {border-left: 5px solid #3CB371;} .our { height: auto; padding-bottom: 0; padding-left: 5px;} .our .support { font-weight: bold; text-indent: 5px; height: 10px; line-height: 20px; padding-top: 5px;} .our ul {margin-top: 0;} .our ul li {padding: 1px;} </style> </head> <body> <!-- Head --> <div class="wrap"> <div class="contentdiv"> <div class="heading">&#9760; Your files are encrypted &#9760;</div><br /> <div class="mould"> <div class="main"> <div class="main-part"> <div class="id-text">// Your personal ID</div> <div class="ID"> 
<pre></pre> </div> </div> </div> </div> <!-- end --> <!-- index --> <div class="content"> <!--tab--> <hr align="center" width="800" color="White" /> <h3>ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED</h3> <br /> <!-- end --> <!--text data --> <div class="text-data"> To recover data you need decryptor.<br /> To get the decryptor you should:<br /> <p>Send 3 test file not more than 10Mb: <span class="emails">[email protected]</span> or <span class="emails">[email protected]</span><br /> In the letter include <span style="color:#B22222">your personal ID</span><br /> You have to pay for decryption in Bitcoins.<br /> The price depends on how fast you write to us.<br /> After payment we will send you the decryption tool that will decrypt all your files.<br /> <div class="our tech"> <div class="support"> <span style="color:#006400">Our tech support is available 24\7</span></div> <ul> <li>Do not delete: Your personal ID</li> <li>Write on e-mail, we will help you! </ul> </div> <div class="attention">&#9888; Attention &#9888;</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price<br /> [they add their fee to our] or you can become a victim of a scam.</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders are not compatible with other users of your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> </div> </body> </html>
Emails

[email protected]

[email protected]


Targets

    • Target

      5588fb6d626fa5f0e183859f05c75673a468fe8d144b69dc8c8fe6a631413383

    • Size

      54KB

    • MD5

      b898d451eff721d1afbd4cc314d66030

    • SHA1

      196f8e9833c6ded3970be0656e71d366cc9847be

    • SHA256

      5588fb6d626fa5f0e183859f05c75673a468fe8d144b69dc8c8fe6a631413383

    • SHA512

      ae2365030a893fb4bc1b75de08552ad451dc9d85d405108d05901ea31e22015e27faf917f5df518033a057419535d157bc7c14644ad6a59816f9946025f504eb

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks