General
-
Target
fa5ca28f848e47e8eff8c50d548d5117a3834500fc92134602cc1a672a592ff1
-
Size
53KB
-
Sample
220217-q8v8eabca6
-
MD5
81fc683982ed765613c7b5162e515fc4
-
SHA1
9f51654df74aee64550cad2dedec3d956210ba17
-
SHA256
fa5ca28f848e47e8eff8c50d548d5117a3834500fc92134602cc1a672a592ff1
-
SHA512
d874e27c689842bf0b7074950ab5697f1c4662fc2832b5c060168988a20f0eb6d12e2dc63a272df9e09f7fb18fd116f78eb5bf8d6332db8f51d5a4013a60065c
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������20 3C DD 91 7D F3 7E 6B B5 F7 6C 36 34 14 CB 6A
72 6F E8 CE F7 51 7F BC 10 84 7A 99 BC 98 A6 F8
DE CC 2C 9D 72 01 97 3D EA 95 7F 5A BD 06 E1 8C
40 6F 75 A5 D1 44 23 8E 90 44 5B CA AD B3 51 23
E1 FB 54 7B 0C 60 97 74 F1 D6 27 4C CF 03 D7 3C
AA 59 04 65 A9 E3 40 D0 22 CB 9C D3 82 3F E1 F2
FF 87 3A 63 71 AB 39 69 3E B1 D6 1A 40 E9 89 00
33 5E 6F C1 6E C5 5F AD 87 61 20 64 80 51 0A D5
12 6E 8E 8C 17 13 E6 88 6F 49 23 57 BD 02 70 D3
EC 74 29 D6 DC 49 28 2D 3F 1B DC E5 3F 68 D1 07
31 0A 76 E5 91 72 1A E8 20 D3 69 F9 54 FC 9F 17
24 CB 5C D6 F7 52 F0 C8 2D F9 06 F8 C7 32 87 D0
AE A4 1C 09 E0 49 2C EE 0C 15 F9 25 36 4F DE 6B
7C 81 5D AF 47 E2 5C 3D 3B CB C8 ED 87 47 3D 9F
A9 01 CD 32 46 18 9F 09 C4 3C E0 2E 0D 52 29 4B
8E D8 42 22 EF 48 F2 69 C6 E6 68 2E B7 35 16 92
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
��������������
Emails
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������6B 18 C8 BF 6F F0 8E 43 56 E5 D3 26 38 14 6C 77
D4 70 D8 3C D3 B0 7A 93 8B 00 06 00 CC 25 F9 6A
E5 89 FC B1 E5 B8 88 79 DF 44 DA 01 42 04 8B C7
30 FD 44 F8 CB D5 DC 12 ED EB 01 76 A7 20 29 AD
A9 DC 67 CD D1 0B 91 7C 37 12 C9 B6 19 6A 6F 37
C6 DE 41 5A 3A 38 93 47 69 0B D3 88 FB 2D BA E0
7B 93 8F 08 E2 E0 88 BF A5 F4 3C F3 1B 3C 10 4E
FE 10 0B D7 24 B2 BD 54 05 65 06 98 3C 11 14 2E
98 AB 49 0D BD 68 8E 36 16 36 39 E3 B6 05 A2 5B
13 8B 33 EA 3D 56 E6 95 FD 76 86 D0 4C 55 1C 60
1B AB 68 B7 EB C8 AC D9 3B 4E A2 9B CB 96 90 E2
21 B2 51 43 60 8C E6 B3 9E D3 3F 42 03 65 C9 FC
59 AD CB 3B 1F F1 06 F5 75 A0 D7 4C 1B C0 BC 9C
61 F4 D8 B7 7B 84 A4 A3 1D 00 E9 82 62 99 79 EB
FF D6 F8 6D 37 EF AE A0 74 50 DA 9D 92 0B 3D 3D
C0 DA C1 05 5B FD 7D 22 4C 5A 4D 96 92 98 21 E0
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
��������������
Emails
Targets
-
-
Target
fa5ca28f848e47e8eff8c50d548d5117a3834500fc92134602cc1a672a592ff1
-
Size
53KB
-
MD5
81fc683982ed765613c7b5162e515fc4
-
SHA1
9f51654df74aee64550cad2dedec3d956210ba17
-
SHA256
fa5ca28f848e47e8eff8c50d548d5117a3834500fc92134602cc1a672a592ff1
-
SHA512
d874e27c689842bf0b7074950ab5697f1c4662fc2832b5c060168988a20f0eb6d12e2dc63a272df9e09f7fb18fd116f78eb5bf8d6332db8f51d5a4013a60065c
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-