General
-
Target
4343749c8d6b79e9d25c0a9b53de331edb340472dcc949680a9d1a1fc7de88da
-
Size
53KB
-
Sample
220211-hs393scag5
-
MD5
e4fd7157b23ed237cff07f1ab35636d8
-
SHA1
f6e8188ada1b5d0bbbe986091d12d8e7fb5d4f67
-
SHA256
4343749c8d6b79e9d25c0a9b53de331edb340472dcc949680a9d1a1fc7de88da
-
SHA512
6493bb7bbd80a31675ec4a0bdf954c081b3ffe38f4fc16efb8aeac29d5aabdb87bf4012ac60a0d30742f63096513d74f7e86b299bc852cd5553d5ed1ade0ba6e
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������46 C4 C5 09 AD B9 52 10 E1 38 7E 4A 31 44 FB 75
08 4D 78 DD D1 4C A9 74 6D EA 16 D1 89 0F 71 5D
93 B2 8A 69 BF 73 8B B2 2E B7 DE 6C B9 F8 AE 83
7E 69 14 DF 73 80 93 92 9A 16 FE 72 EA C0 D4 85
1C 3F B6 02 88 BD 80 8F 1A 12 53 3D 39 17 38 21
39 50 9B 10 7B E0 14 47 BE 8E B7 BF 86 8B CE 5A
EB 3F 93 C9 93 02 63 C4 C9 35 B1 C2 6D 49 55 73
29 7C 72 1E B0 CF 71 C5 D0 1D D6 1F A2 F3 73 D9
19 82 BD 53 53 08 DE 99 47 59 B2 63 9E 23 84 5A
F5 B7 6F A2 FD 3A 1C CB 1B 16 9C 9B 36 5D DE C7
8D A8 87 C5 27 C8 02 23 00 7D 89 E1 8A 9A 7C 40
C9 91 92 A1 98 12 12 07 CD 15 9D B8 2C 1E 8F AE
0A EA 11 4B 95 62 35 DE D6 BE A8 A7 8D FC 66 79
46 02 6B AC AA C2 B0 9B A4 46 3F 39 91 A8 05 5C
EB 27 33 C1 F7 5C 04 88 1A 55 37 0E F7 CB 58 DC
5D 22 15 A9 B9 ED 58 36 AE 26 B3 68 2A CD 52 BB
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
��
Emails
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������4D 57 D4 34 0B 74 49 AA 7E 88 9D 2D 8C 1D 78 4D
A1 6B E4 05 D9 67 18 61 F9 5E 24 B6 8E A0 93 79
C1 AB 61 4D 03 20 F2 22 EE CA 1D 1D 0D BF BB 75
0C 91 76 32 D5 71 62 FC B4 17 2E F2 FE 3D 77 76
2E 03 32 83 F4 6C 67 2B F6 77 43 87 87 79 BF 26
41 45 C4 8F AA 42 D6 25 EF CE 5D B3 75 E5 C5 86
58 8A EA 2A BA EA 25 FB 29 9C 5F 48 E4 EE 0B 5E
63 C0 6D 3E 7F 96 E7 34 98 74 BB A9 82 CC C4 34
CE C1 13 DF 14 DF 54 F8 B7 27 AD 45 61 6B 2F 04
E1 C4 BA F5 2A 41 DF 74 40 0C 58 D4 77 47 28 D7
5B 8E AA 76 88 BE 71 B2 BF D6 34 2D 8F 71 A6 3B
FB 51 38 7E E6 32 6F 10 1E B6 D1 B0 FC CF 0B BD
6B 92 FE E1 BA 3C C0 4F 57 91 6E 03 CE 14 53 AB
BF 71 BC 92 3D D3 33 7B A1 C8 BE AB 1F 02 B2 05
D9 32 72 4F 55 42 BD 91 6C 49 35 52 0A 15 F3 45
36 E0 51 E3 04 77 07 82 51 19 D4 84 51 3E B9 8C
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
��
Emails
Targets
-
-
Target
4343749c8d6b79e9d25c0a9b53de331edb340472dcc949680a9d1a1fc7de88da
-
Size
53KB
-
MD5
e4fd7157b23ed237cff07f1ab35636d8
-
SHA1
f6e8188ada1b5d0bbbe986091d12d8e7fb5d4f67
-
SHA256
4343749c8d6b79e9d25c0a9b53de331edb340472dcc949680a9d1a1fc7de88da
-
SHA512
6493bb7bbd80a31675ec4a0bdf954c081b3ffe38f4fc16efb8aeac29d5aabdb87bf4012ac60a0d30742f63096513d74f7e86b299bc852cd5553d5ed1ade0ba6e
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-