General

  • Target

    2c5612a412f7b73046bbb37b96d8164b7c909b98bbef2e69546d747bc41305e6

  • Size

    50KB

  • Sample

    220211-hwmrhacbb4

  • MD5

    1af70fedf61539851e4040394369173b

  • SHA1

    20e3dd1542c89e1a6a5cdf6bddab16374c1b2015

  • SHA256

    2c5612a412f7b73046bbb37b96d8164b7c909b98bbef2e69546d747bc41305e6

  • SHA512

    c09ad8d3f66449c1659794b7f0906f79914a0ada58dedd969ba365d92d9773fc3214416f9f75903a8a6760145e622af0dda11880b7d06187ce5eb69f94f740ad

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or
http://helpqvrg3cc5mvb3.onion/
Your ID
5F E0 D4 B6 6C 6B FE 7C B7 3B 5D 82 B6 DE 12 99 D6 D4 7C 8C C3 33 5C DB 3F FD 3B 34 AC 7D 2F 88 3E A3 BE 3A 48 5D 05 09 58 10 50 22 78 AB 08 2E F0 2E 15 21 AE 37 A8 92 85 D4 8A F1 4E 6E 0B D5 4F C8 27 03 D4 42 5D 3F 46 43 8F 2F 4C D2 82 94 4F 07 3E 6D 89 8A 8B 4D D5 E1 A2 23 4D B8 B7 DE 01 33 F3 4A 26 BB CF 15 8B 85 7A 55 83 29 46 71 D5 81 56 11 64 05 4E F9 E4 20 10 AF DB 9B 00 E5 F8 74 C3 4B E2 3A 41 26 17 B9 88 EC 8F 0D D0 6F FE 39 2B 21 4C FD DA 26 CC 3A 0D 9D A7 DF 6D 7B EA B4 10 67 08 9D B6 38 20 96 79 15 0C C7 0A F0 63 CF 7E 88 F2 EC 46 DF 2C 09 48 B2 30 CD E6 BE 95 2B 01 57 BF AC 22 06 C3 F0 FB 04 02 FC 53 F1 62 2B 1A 6D 70 08 36 17 03 C4 31 EE B9 6A E5 45 ED 0F 42 99 06 37 43 BE 49 90 43 56 AC 51 66 3C AB 0D D7 A2 FD DB 08 BC DD 10 FC 38 03 27 89 4F
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      2c5612a412f7b73046bbb37b96d8164b7c909b98bbef2e69546d747bc41305e6


    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks