General

  • Target

    1114.exe

  • Size

    50KB

  • Sample

    220228-hm1a8sdeb9

  • MD5

    fc9ca0a85e47088d25483dd47fba3244

  • SHA1

    fed2e7f2818daf55a463520ec21f337fc8679246

  • SHA256

    e8e6365ddaf5b0a40250eaab09bc61904ad5818c835ae2555c36ddc380c70ece

  • SHA512

    a4f8f0004cbcef618f5bad7ab26b83617f5107a176c68cbae6497e7acf4a36d7f690a1c9ab459d68d2d4b3153de2939857dee4ea8706d107294fcdfb67f2127c

Malware Config

Extracted

Path

C:\read_me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion/?ST4HYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://yip.su/2QstD5
Your ID
51 C4 6A B4 E5 85 15 83 B0 73 D9 08 46 27 D0 C4 54 3C 2B B8 B6 07 1C B4 90 86 4C D8 8F 72 C2 A3 1F 93 F4 EE C4 EC 39 9E EB 70 9D 5D 6B FC F9 B4 42 42 44 59 25 89 0D E4 92 B9 6D 85 62 42 C8 73 D2 C0 50 D8 E9 B7 6D 78 DE 48 95 BE C2 05 AC D0 66 71 37 35 A8 27 57 97 A9 66 C8 A9 BE 2C A9 10 9B 84 5A 52 79 F9 F6 A9 2C 0D 10 A0 B4 E0 F1 6E 98 4E 1A 17 BB 50 ED 20 27 CD 54 A0 F6 82 08 FB 27 8A 29 FF 13 86 21 0B 11 DE 09 D0 E6 0D C7 FB 4B 03 FF 9B E0 DB 41 9A 10 06 B5 DF 15 E5 43 0B E1 97 C0 3E 55 AE A3 07 A5 91 76 7F CC 04 6E 5D 55 08 70 C8 97 5E 10 C3 11 29 11 78 77 72 57 81 D3 5E E2 28 6A BA 0B 84 00 5B 78 A1 16 C2 D0 C0 6B 3C 75 CA 0E F4 04 E9 39 E4 4C 80 B8 33 73 48 85 E5 0D 6C 36 7A 14 84 BF 69 F2 8E A6 DC 56 EB F3 A0 8B A4 46 93 F6 E9 F3 0C 77 E1 72 65 28 0E
URLs

http://mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion/?ST4HYJUHGFV

http://yip.su/2QstD5
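As an added example (not part of this report and not the sandbox's own config extractor), the following Python parses a note like the one above and pulls out the same indicators the Malware Config section lists: the .onion URL and its query string, the clearnet fallback link, and the victim ID as raw bytes. The note text is the one reproduced on this page, re-typed with line breaks, and the U+FFFD characters stand in for the bytes the page shows as mis-decoded after "Your ID"; the hostname allowlist, regexes and field names are my own assumptions.

```python
"""Extract indicators from a GlobeImposter-style read_me.txt.

Added example; this is not the sandbox's extractor and does not run the sample.
The note body below is the one reproduced on this page, re-typed with the
line breaks the note has on disk (the report flattens it to one line).
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Victim ID exactly as printed in the page's note: 256 hex bytes.
NOTE_HEX = (
    "51 C4 6A B4 E5 85 15 83 B0 73 D9 08 46 27 D0 C4 "
    "54 3C 2B B8 B6 07 1C B4 90 86 4C D8 8F 72 C2 A3 "
    "1F 93 F4 EE C4 EC 39 9E EB 70 9D 5D 6B FC F9 B4 "
    "42 42 44 59 25 89 0D E4 92 B9 6D 85 62 42 C8 73 "
    "D2 C0 50 D8 E9 B7 6D 78 DE 48 95 BE C2 05 AC D0 "
    "66 71 37 35 A8 27 57 97 A9 66 C8 A9 BE 2C A9 10 "
    "9B 84 5A 52 79 F9 F6 A9 2C 0D 10 A0 B4 E0 F1 6E "
    "98 4E 1A 17 BB 50 ED 20 27 CD 54 A0 F6 82 08 FB "
    "27 8A 29 FF 13 86 21 0B 11 DE 09 D0 E6 0D C7 FB "
    "4B 03 FF 9B E0 DB 41 9A 10 06 B5 DF 15 E5 43 0B "
    "E1 97 C0 3E 55 AE A3 07 A5 91 76 7F CC 04 6E 5D "
    "55 08 70 C8 97 5E 10 C3 11 29 11 78 77 72 57 81 "
    "D3 5E E2 28 6A BA 0B 84 00 5B 78 A1 16 C2 D0 C0 "
    "6B 3C 75 CA 0E F4 04 E9 39 E4 4C 80 B8 33 73 48 "
    "85 E5 0D 6C 36 7A 14 84 BF 69 F2 8E A6 DC 56 EB "
    "F3 A0 8B A4 46 93 F6 E9 F3 0C 77 E1 72 65 28 0E"
)

# The page shows "Your ID" followed by mis-decoded bytes; \ufffd stands in for them.
SAMPLE_NOTE = (
    "All your files are Encrypted!\n"
    "For data recovery needs decryptor.\n"
    "How to buy decryptor:\n"
    "------------------------------------------------------------\n"
    "| 1. Download Tor browser - https://www.torproject.org/ and install it.\n"
    "| 2. Open link in TOR browser - http://mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion/?ST4HYJUHGFV\n"
    "| 3. Create Ticket\n"
    "------------------------------------------------------------\n"
    "Note! This link is available via Tor Browser only.\n"
    "------------------------------------------------------------\n"
    "or http://yip.su/2QstD5\n"
    "Your ID \ufffd\ufffd\ufffd\n" + NOTE_HEX + "\n"
)

URL_RE = re.compile(r"https?://[^\s|<>]+")
# A run of at least 16 whitespace-separated hex bytes, not glued to other alphanumerics.
HEX_RE = re.compile(r"(?<![0-9A-Za-z])(?:[0-9A-F]{2}\s+){15,}[0-9A-F]{2}(?![0-9A-Za-z])")
# Hosts that appear in notes as instructions, not attacker infrastructure (assumed allowlist).
BENIGN_HOSTS = {"www.torproject.org", "torproject.org"}


@dataclass
class NoteIndicators:
    onion_urls: List[str]
    clearnet_urls: List[str]
    onion_query: Optional[str]   # query string on the .onion link; kept as a pivot only
    victim_id: bytes             # raw bytes of the "Your ID" blob, b"" if absent


def parse_note(text: str) -> NoteIndicators:
    """Pull URLs and the victim ID out of a note; tolerant of mis-decoded bytes."""
    text = text.replace("\ufffd", " ")
    onion, clear = [], []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if host.endswith(".onion"):
            onion.append(url)
        elif host not in BENIGN_HOSTS:
            clear.append(url)
    query = None
    if onion:
        query = urlsplit(onion[0]).query or None
    m = HEX_RE.search(text)
    victim_id = bytes.fromhex(re.sub(r"\s+", "", m.group(0))) if m else b""
    return NoteIndicators(onion, clear, query, victim_id)


if __name__ == "__main__":
    ind = parse_note(SAMPLE_NOTE)
    print("onion    :", ind.onion_urls)
    print("clearnet :", ind.clearnet_urls)
    print("query    :", ind.onion_query)
    print("victim id: %d bytes, starts %s" % (len(ind.victim_id), ind.victim_id[:4].hex()))
```

The ID decodes to exactly 256 bytes (2048 bits), the size of one RSA-2048 ciphertext block, which fits the note carrying the victim's encrypted key material rather than a plain identifier; treat that as a hypothesis to confirm against the binary, not something this report states. The torproject.org link is deliberately dropped from the IOC list, since blocking it catches nothing malicious; the yip.su shortener and the .onion host are the pivots worth keeping.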

Targets

    • Target

      1114.exe

    • Size

      50KB

    • MD5

      fc9ca0a85e47088d25483dd47fba3244

    • SHA1

      fed2e7f2818daf55a463520ec21f337fc8679246

    • SHA256

      e8e6365ddaf5b0a40250eaab09bc61904ad5818c835ae2555c36ddc380c70ece

    • SHA512

      a4f8f0004cbcef618f5bad7ab26b83617f5107a176c68cbae6497e7acf4a36d7f690a1c9ab459d68d2d4b3153de2939857dee4ea8706d107294fcdfb67f2127c

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files; this report does not record which extension the sample appended.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks