General
-
Target
3f3e7811deb5e31e26ce2fb600131f668b123617d776ce1bbdde58f7516c0472
-
Size
53KB
-
Sample
220211-htp4vacah2
-
MD5
96177ebebb17f1af4a019db215610f33
-
SHA1
fed6daa1fc2a0b19bbaf3e968f2d52d978baec8c
-
SHA256
3f3e7811deb5e31e26ce2fb600131f668b123617d776ce1bbdde58f7516c0472
-
SHA512
100b2b64ca44b49bed5c3b955b08fa8868e5a4fa6fca130260af50a9524c6cf6414d7c7bb6632a5f31d634c845be9e3f346610e62eb79b86fae23c31c7b1022c
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>6C 44 F1 13 79 58 6B 5B 3B 7E C1 73 38 2E CC F4
68 79 95 F4 B0 1E E2 8A 90 D3 86 C1 07 B9 A9 1C
71 E1 A8 32 67 84 B0 2F 16 D0 81 4C 98 0B C5 B1
C5 79 66 4D 90 76 E8 99 D1 37 0E E2 AE C2 9F 0E
38 6D 3E 31 4F 2F E0 C1 8E 5D CD BF CE 4E 6B 47
02 52 1E 53 E1 F4 7B 5C B9 61 4E DC 16 34 34 4C
86 1F CA F7 92 82 5F 36 B9 B5 72 04 3B 12 2E 5B
57 93 B0 39 57 8F 66 B6 06 95 28 E2 40 FF 6F F4
63 45 10 77 03 AD 52 89 45 DC 98 F6 02 D2 13 EA
B6 DB F2 D9 63 37 41 8E 72 99 D0 D7 D0 1D 3D 5A
CC F8 10 46 3A F7 DB 44 80 03 34 1F BF C1 12 DB
05 D9 D8 38 7A 25 CA CA 76 BA DD 31 C3 01 57 41
47 7C A3 FD 2A 0F A4 3E D4 96 DE 4E 66 A3 FD 50
05 C2 55 53 B6 CE C3 9A 61 B3 15 B4 14 A2 A9 DA
54 E6 43 45 8E 3A D6 4F 38 F9 28 2B E3 86 08 9C
FB 2F A0 11 7E 0A 71 F0 5F 5C 15 B7 AF DB 6F 44
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only sambuka_star proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
������
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>75 32 DF B6 CA 42 AC B7 F3 45 64 B1 A1 5E 02 8C
BE 64 E2 B2 0B AD FC 49 C9 AE 1B 35 EF 87 75 FD
73 33 4F B2 DB 55 EF 04 AB C3 09 D6 F1 6E D5 8F
F4 87 75 95 14 FC 9F 4E 3F 76 DE 15 6B D8 7A A6
4C B2 10 88 19 6D B6 A3 A5 86 13 7B FF 45 D3 E6
79 B8 E3 94 44 36 1E C4 42 CC 5A 8F 88 71 0A 23
CA 95 0C 03 62 EB 10 74 46 B3 E2 5D 46 E9 6C 69
8A 95 87 B0 C5 F4 98 7E B3 30 D1 2D DC 4E DA 95
82 3E DE 4C AB DF 9A 6D 09 D1 FC 11 70 7D CB FA
B8 68 DB 14 1B 0A 5A B3 DB 3B D2 A5 73 A1 CD 78
5D 9F B9 91 A8 3D 58 31 A2 5D D5 3B 0A 90 0A CC
1F 48 45 41 26 DF 25 73 26 96 97 FA 78 7F A8 EF
8E 4D 1D A7 FF B5 BF 5A EA 2B A5 EC AB 66 1B 77
DB 35 23 B1 C1 D2 96 07 F6 3A 3F 00 F8 D9 C7 57
84 A9 62 B2 D0 17 A5 19 8A B8 88 39 24 22 C9 86
FE 46 6E EB 44 C7 BF E6 8A 70 47 DB 30 72 A4 05
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only sambuka_star proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
������
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Targets
-
-
Target
3f3e7811deb5e31e26ce2fb600131f668b123617d776ce1bbdde58f7516c0472
-
Size
53KB
-
MD5
96177ebebb17f1af4a019db215610f33
-
SHA1
fed6daa1fc2a0b19bbaf3e968f2d52d978baec8c
-
SHA256
3f3e7811deb5e31e26ce2fb600131f668b123617d776ce1bbdde58f7516c0472
-
SHA512
100b2b64ca44b49bed5c3b955b08fa8868e5a4fa6fca130260af50a9524c6cf6414d7c7bb6632a5f31d634c845be9e3f346610e62eb79b86fae23c31c7b1022c
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-