General
-
Target
316219329a6c6a9bb1c0cdcf58faf187f9981b38c586744947a1e1fc62abb436
-
Size
53KB
-
Sample
220211-hvzdxacba7
-
MD5
69e91e6c0522e80bf817578e6c8b5f24
-
SHA1
e7c4dfbb8d3c38954da3713c69164d31b4f76e0c
-
SHA256
316219329a6c6a9bb1c0cdcf58faf187f9981b38c586744947a1e1fc62abb436
-
SHA512
2cc3faa9e663cbbe318dd1846c26bdaf684e8efe0345f6caf616943002a4a6f6cab7dd2493341f09b2619147bc836b65331b0ca4c701765b69167e97f18f0ac8
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>���������������2D E7 C3 25 55 53 5A AD 4E 27 43 95 30 D0 D0 E3
E3 C4 8E 32 C1 F5 85 65 F7 AB B9 5C 52 38 B3 70
81 11 A2 9B BD 39 3A C8 0A CF 0C 46 1D C3 FE 3F
A3 7C D2 44 F8 B2 1C 61 25 3A 6D 27 C8 52 C3 35
1B B8 F7 23 D6 0E 66 7E 14 D0 34 43 E6 4B E5 6B
6F 20 34 F4 FF 85 5A 5A 97 C9 16 62 18 45 C5 7E
CB 8C DD BB 5D 7F CF 0F 01 55 3A F7 21 96 B7 D8
CD 33 00 00 4A E1 4E 7E 1E 7B 65 92 0E 0E E3 E8
43 EA B4 FA 34 3B F6 74 4B FE 91 31 0A DC 01 6B
88 AA BF 3C 2E 4C 73 B8 EE 4A 4E 20 F9 4B D3 05
B9 18 5A CE FD 8C F9 2C 03 9E F8 98 A2 FD E8 48
64 BE FA 7A 9C 8A 41 A7 1B 81 AF 8D D9 E6 7C 64
A5 6C 9C C4 C5 8C 2D 50 A2 62 D5 41 3C D6 EC 0E
AE E9 0E B7 92 CD 10 E4 6D 82 D3 EB C8 95 69 76
B5 EA 50 BE F8 E7 BA 13 EA F4 47 EF BD 65 30 44
8F 4C 3A 7C BA 70 CC 38 8D B4 99 FC B0 8E 4D FA
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 test image or text file <span> [email protected]</span>.</br>
In the letter include your personal ID (look at the beginning of this document).</p>
The cost of decryption is 800USD. there is no discount.</br>
<center>Attention!</center></br>
<ul>
<li>Payment is accepted only in bitcoins (BTC). Bitcoins you can buy at your bank.</li>
<li>Only [email protected] can decrypt your files</li>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������
Emails
[email protected]</span>.</br>
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>���������������96 D3 16 4F 2D BB FB 2C 9B 6D 21 10 8B 3F 2E A6
82 BD 4B 90 DE C1 96 FC E5 90 3A 28 11 7D B4 9B
45 C6 83 F4 17 D4 36 E0 7F 02 F0 80 05 5C ED A9
69 B0 DE A4 43 B2 E2 B4 18 39 31 03 CF B7 D0 8E
47 B3 4D B6 38 B6 16 0B 3C 93 3E B2 3E F0 E2 12
89 57 8A CD 2F 83 A7 E2 2E 61 D3 D7 37 40 24 76
E3 FE DC 69 D2 D7 90 4C 65 4F 8F 0C 04 22 35 88
A4 4E CE A5 63 CA 72 56 29 60 5C 18 07 50 FA 48
9B 8E B8 A7 98 9A 35 E6 8E D5 97 1F C2 00 22 01
D1 12 05 62 B2 7E 04 BD DE F2 6F D9 07 8A F4 5E
40 48 CC 9A 08 93 B9 EA B3 74 E1 E0 0D B0 CD EE
59 74 BD FE A4 A9 73 88 3C 2C 45 50 E5 6E B1 A4
66 D8 26 2D 44 CE FF 02 C8 0E 34 AC DF A2 D3 40
EE EB FD D5 29 88 5D FF EA AE A6 7E 9D 44 9B ED
93 4E 7C 84 E0 1B 96 25 37 8D 93 4E 8F 98 9B CA
1A 27 FE 2B 0A 14 4F 77 B9 61 C6 3A 26 A8 1E 67
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 test image or text file <span> [email protected]</span>.</br>
In the letter include your personal ID (look at the beginning of this document).</p>
The cost of decryption is 800USD. there is no discount.</br>
<center>Attention!</center></br>
<ul>
<li>Payment is accepted only in bitcoins (BTC). Bitcoins you can buy at your bank.</li>
<li>Only [email protected] can decrypt your files</li>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������
Emails
[email protected]</span>.</br>
Targets
-
-
Target
316219329a6c6a9bb1c0cdcf58faf187f9981b38c586744947a1e1fc62abb436
-
Size
53KB
-
MD5
69e91e6c0522e80bf817578e6c8b5f24
-
SHA1
e7c4dfbb8d3c38954da3713c69164d31b4f76e0c
-
SHA256
316219329a6c6a9bb1c0cdcf58faf187f9981b38c586744947a1e1fc62abb436
-
SHA512
2cc3faa9e663cbbe318dd1846c26bdaf684e8efe0345f6caf616943002a4a6f6cab7dd2493341f09b2619147bc836b65331b0ca4c701765b69167e97f18f0ac8
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-