General

  • Target

    star.exe

  • Size

    360KB

  • Sample

    220507-e2bpmsbga5

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
3F 34 F5 B6 DA 9E 34 E3 D7 A1 E5 C4 31 88 EA 93 55 87 1F C4 3E 07 B3 50 89 18 46 61 80 EA E7 94 4F B1 29 3A B3 BE 31 96 14 B1 71 3A DE DF 7D 48 F8 BB FD C2 F5 20 3B A1 BE 93 87 47 FE AF 6C 4D 7F 9D DC 15 93 B7 12 A7 FF 3E 03 54 37 32 11 0F C8 CE 82 F0 11 8C 64 CA 20 EF A3 1C A4 A6 EE 86 0E 77 E1 79 2C 2F ED 67 4F C6 49 A0 F5 06 AF 9C AA 8E FC D1 49 13 70 CF CF 99 C2 D4 C8 CC 41 59 BC 86 2B 29 4C 99 D7 74 E7 5A 08 74 15 EA AE 1D F7 07 27 BC 13 6E 17 57 60 43 89 05 D0 F8 AF 1F BB AD F5 DB 15 85 21 29 5F 71 8F D0 33 3E 2D 96 84 98 8B EC 58 75 F7 72 46 C1 38 94 50 17 45 DA 20 D2 7E BE 08 38 3A C4 D9 E4 65 05 AF 8F 5E C3 B5 80 D9 E3 AE 03 CF AA E2 31 54 70 54 7A 72 90 D7 CE EE F6 D6 D7 26 E3 66 15 34 13 1C 0B 3B 86 63 C4 02 EF 3D 37 F2 AB 6D 1D FC F5 E2 B0 E3 9F

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
3D 0D 1A 7A AF 47 27 8B 51 23 BF 0C 80 06 B7 59 78 E4 7A 0F 7D 20 83 17 1D DB BD DF 95 D0 61 B9 AD 2F 1F 62 F7 F4 77 08 A9 03 12 AE 42 B0 DF ED 87 81 BE 49 31 C5 5A C5 F3 31 7D 80 64 91 21 3D ED E4 F4 AD 6A 4D FA 0D 26 1F 1F A1 A1 AB F5 F9 93 D4 EE 11 4F 07 7D E4 90 C3 37 B2 00 4E B0 59 EF CE 24 A3 73 D7 E5 3F D8 6A 3E CF B8 3B 81 C6 82 D0 31 F9 96 54 C5 64 B6 39 66 F3 6F 92 E3 1C 95 74 BD DB 03 01 D4 9D D5 B4 82 F2 5B 12 67 69 19 CC E1 03 6B F5 96 66 E4 1D 35 A7 35 FA 2D CA 7B 2F C8 B1 A5 0D 7F 0A 47 29 BF 97 CC 54 9F B2 D7 74 D7 E8 A2 C2 21 31 15 44 AD 3B EE 31 8C 9E C5 98 B6 D7 E8 20 28 A0 A8 21 CC 14 44 70 D9 EF 53 B5 B6 5F A9 0E 3C E6 F4 67 23 DE 77 B6 5B 9C D3 79 3A 74 7D AA B6 EB 01 FE D2 57 C4 0B B3 87 DD 63 C3 AE 7D 33 BC 4B F2 30 75 5A 88 29 47 5D

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/
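Both extracted configs come from the same dropped C:\read-me.txt and differ only in the per-victim ID, so the useful artefacts for hunting are the note's fixed phrasing, the two .onion hosts, the ?STAHYJUHGFV tag on the ticket link and the ID blob. The script below pulls those out of the note text. It is an added example for this report, not the sandbox's own config extractor and not code from the malware; the two notes are the ones shown above, embedded verbatim with the unprintable bytes after "Your ID" dropped so the script runs offline. The marker phrases and the onion-address length rule (16 base32 characters for a v2 address, 56 for v3) are the only assumptions it makes.

```python
"""Pull indicators out of a GlobeImposter-style ransom note (C:\\read-me.txt).

Added example for this report; it is neither the sandbox's config extractor nor
code from the malware. NOTE_1 and NOTE_2 are the two notes the report recovered,
embedded verbatim (the unprintable bytes after "Your ID" dropped) so it runs offline.
"""
import re
from dataclasses import dataclass, field

# Tor onion hostnames: v2 = 16 base32 chars, v3 = 56 base32 chars ending in 'd'.
ONION_RE = re.compile(r"https?://([a-z2-7]{16}|[a-z2-7]{56})\.onion(/[^\s|]*)?")
# "Your ID" followed, after whatever junk bytes the file carries, by hex byte pairs.
ID_RE = re.compile(r"Your ID\W*((?:[0-9A-F]{2}\s+)+[0-9A-F]{2})")
# Phrases from the note body, used as a cheap family marker when hunting for drops.
MARKERS = ("All your files are Encrypted!", "For data recovery needs decryptor.")

NOTE_1 = """All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
3F 34 F5 B6 DA 9E 34 E3 D7 A1 E5 C4 31 88 EA 93 55 87 1F C4 3E 07 B3 50 89 18 46 61 80 EA E7 94 4F B1 29 3A B3 BE 31 96 14 B1 71 3A DE DF 7D 48 F8 BB FD C2 F5 20 3B A1 BE 93 87 47 FE AF 6C 4D 7F 9D DC 15 93 B7 12 A7 FF 3E 03 54 37 32 11 0F C8 CE 82 F0 11 8C 64 CA 20 EF A3 1C A4 A6 EE 86 0E 77 E1 79 2C 2F ED 67 4F C6 49 A0 F5 06 AF 9C AA 8E FC D1 49 13 70 CF CF 99 C2 D4 C8 CC 41 59 BC 86 2B 29 4C 99 D7 74 E7 5A 08 74 15 EA AE 1D F7 07 27 BC 13 6E 17 57 60 43 89 05 D0 F8 AF 1F BB AD F5 DB 15 85 21 29 5F 71 8F D0 33 3E 2D 96 84 98 8B EC 58 75 F7 72 46 C1 38 94 50 17 45 DA 20 D2 7E BE 08 38 3A C4 D9 E4 65 05 AF 8F 5E C3 B5 80 D9 E3 AE 03 CF AA E2 31 54 70 54 7A 72 90 D7 CE EE F6 D6 D7 26 E3 66 15 34 13 1C 0B 3B 86 63 C4 02 EF 3D 37 F2 AB 6D 1D FC F5 E2 B0 E3 9F
"""

NOTE_2 = """All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
3D 0D 1A 7A AF 47 27 8B 51 23 BF 0C 80 06 B7 59 78 E4 7A 0F 7D 20 83 17 1D DB BD DF 95 D0 61 B9 AD 2F 1F 62 F7 F4 77 08 A9 03 12 AE 42 B0 DF ED 87 81 BE 49 31 C5 5A C5 F3 31 7D 80 64 91 21 3D ED E4 F4 AD 6A 4D FA 0D 26 1F 1F A1 A1 AB F5 F9 93 D4 EE 11 4F 07 7D E4 90 C3 37 B2 00 4E B0 59 EF CE 24 A3 73 D7 E5 3F D8 6A 3E CF B8 3B 81 C6 82 D0 31 F9 96 54 C5 64 B6 39 66 F3 6F 92 E3 1C 95 74 BD DB 03 01 D4 9D D5 B4 82 F2 5B 12 67 69 19 CC E1 03 6B F5 96 66 E4 1D 35 A7 35 FA 2D CA 7B 2F C8 B1 A5 0D 7F 0A 47 29 BF 97 CC 54 9F B2 D7 74 D7 E8 A2 C2 21 31 15 44 AD 3B EE 31 8C 9E C5 98 B6 D7 E8 20 28 A0 A8 21 CC 14 44 70 D9 EF 53 B5 B6 5F A9 0E 3C E6 F4 67 23 DE 77 B6 5B 9C D3 79 3A 74 7D AA B6 EB 01 FE D2 57 C4 0B B3 87 DD 63 C3 AE 7D 33 BC 4B F2 30 75 5A 88 29 47 5D
"""


@dataclass
class NoteIOCs:
    onion_urls: list = field(default_factory=list)  # URLs exactly as written
    v3_hosts: list = field(default_factory=list)    # 56-char hosts (current v3 format)
    v2_hosts: list = field(default_factory=list)    # 16-char hosts (v2; Tor dropped v2 in 2021)
    campaign_tag: str = ""                          # query string on the ticket link
    victim_id: bytes = b""                          # raw per-victim blob


def looks_like_globeimposter(text: str) -> bool:
    """True when the body carries the family's phrasing plus an onion link."""
    return all(m in text for m in MARKERS) and ".onion" in text


def parse_note(text: str) -> NoteIOCs:
    out = NoteIOCs()
    for m in ONION_RE.finditer(text):
        host, path = m.group(1), m.group(2) or ""
        out.onion_urls.append(m.group(0))
        (out.v3_hosts if len(host) == 56 else out.v2_hosts).append(host)
        if "?" in path and not out.campaign_tag:
            out.campaign_tag = path.split("?", 1)[1]
    idm = ID_RE.search(text)
    if idm:
        out.victim_id = bytes.fromhex("".join(idm.group(1).split()))
    return out


if __name__ == "__main__":
    for name, note in (("note 1", NOTE_1), ("note 2", NOTE_2)):
        r = parse_note(note)
        print(name, r.v3_hosts, r.v2_hosts, r.campaign_tag,
              f"id={len(r.victim_id)} bytes, starts {r.victim_id[:4].hex()}")
```

Both IDs decode to exactly 256 bytes, the size of one RSA-2048 ciphertext, which fits a per-victim key blob that only the operator's private key can open; the note itself gives no further detail, so treat that as an observation rather than a confirmed design. The 16-character helpqvrg3cc5mvb3.onion address is a v2 onion service, a format the Tor network stopped routing in 2021, so for blocking or sinkholing the v3 host is the one that matters.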

Targets

    • Target

      star.exe

    • Size

      360KB

    • MD5

      2f121145ea11b36f9ade0cb8f319e40a

    • SHA1

      d68049989ce98f71f6a562e439f6b6f0a165f003

    • SHA256

      59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

    • SHA512

      9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check to avoid running in certain regions.

    • Adds Run key to start application

      Registers a Run-key value so the program is launched again at logon (persistence).

    • Drops desktop.ini file(s)

      Explorer writes desktop.ini files legitimately as well, so on its own this is a weak indicator.

    • Suspicious use of SetThreadContext

      Rewriting a thread's context is how process hollowing and similar injection redirect a suspended thread into attacker-supplied code.
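Two of the behaviours in the list above are the ones a host-side detection can act on directly: a process writing a Run-key value that points back at itself, and a burst of user documents renamed to one new extension. The script below turns both into detection logic over a stream of events. It is an added example, not the sandbox's signature engine or any code from this sample. The event format (one dict per event with op, pid, image, target, details and time) is a constructed minimal schema, not Sysmon's or the sandbox's; the sample events are made up to mirror the listed signatures rather than taken from the report, the ".xyz" extension is invented, and the burst thresholds are assumptions.

```python
"""Detection logic for two behaviours reported for star.exe: Run-key persistence and
a burst of user files renamed to a new extension.

Added example; not the sandbox's signature engine. Event schema, sample events,
the ".xyz" extension and the thresholds are all constructed for the example.
"""
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

RUN_KEY_FRAGMENTS = (
    "\\microsoft\\windows\\currentversion\\run\\",
    "\\microsoft\\windows\\currentversion\\runonce\\",
)
USER_DATA_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".sql", ".bak"}
BURST_MIN_FILES = 20   # assumption: fewer looks like a user batch-renaming files
BURST_WINDOW_S = 60.0  # assumption: the burst has to land inside one minute


def _command_path(details: str) -> str:
    """Executable path from a Run-key value ('"C:\\x.exe" /arg' or 'C:\\x.exe /arg')."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0].lower()
    return d.split(" ", 1)[0].lower()


def run_key_persistence(events):
    """Run-key values pointing at the writing process's own image or a file it created."""
    created = defaultdict(set)
    for e in events:
        if e["op"] == "file_create":
            created[e["pid"]].add(e["target"].lower())
    hits = []
    for e in events:
        if e["op"] != "reg_set":
            continue
        if not any(frag in e["target"].lower() for frag in RUN_KEY_FRAGMENTS):
            continue
        cmd = _command_path(e["details"])
        if cmd == e["image"].lower() or cmd in created[e["pid"]]:
            hits.append((e["pid"], e["target"], e["details"]))
    return hits


def extension_change_burst(events, min_files=BURST_MIN_FILES, window_s=BURST_WINDOW_S):
    """Per process: >= min_files user documents renamed to one new extension within window_s."""
    renames = defaultdict(list)
    for e in events:
        if e["op"] != "file_rename":
            continue
        old, new = PureWindowsPath(e["target"]), PureWindowsPath(e["details"])
        # An appended extension leaves the document suffix in place and adds a new last one.
        if old.suffix.lower() in USER_DATA_EXT and new.suffix and new.suffix.lower() not in USER_DATA_EXT:
            renames[e["pid"]].append((e["time"], new.suffix.lower()))
    hits = []
    for pid, items in renames.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            window = [ext for t, ext in items[i:] if t - t0 <= window_s]
            ext, n = Counter(window).most_common(1)[0]
            if n >= min_files:
                hits.append((pid, ext, n))
                break
    return hits


def triage(events):
    return {"run_key_persistence": run_key_persistence(events),
            "extension_change_burst": extension_change_burst(events)}


def sample_events():
    """Constructed events, not from the report: pid 4242 mimics the listed behaviour of
    star.exe; pid 1000 is a benign installer with one legitimate Run-key write and rename."""
    mal = "C:\\Users\\victim\\AppData\\Local\\Temp\\star.exe"
    setup = "C:\\Temp\\setup.exe"
    ev = [
        {"op": "reg_set", "pid": 4242, "image": mal, "time": 0.5,
         "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\star",
         "details": f'"{mal}"'},
        {"op": "reg_set", "pid": 1000, "image": setup, "time": 1.0,
         "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
         "details": '"C:\\Program Files\\Vendor\\updater.exe" /quiet'},
        {"op": "file_rename", "pid": 1000, "image": setup, "time": 1.5,
         "target": "C:\\Temp\\notes.txt", "details": "C:\\Temp\\notes.txt.old"},
    ]
    kinds = ["docx", "xlsx", "pdf", "jpg", "txt"]
    for i in range(30):
        src = f"C:\\Users\\victim\\Documents\\file{i}.{kinds[i % 5]}"
        ev.append({"op": "file_rename", "pid": 4242, "image": mal, "time": 2.0 + 0.2 * i,
                   "target": src, "details": src + ".xyz"})
    return ev


if __name__ == "__main__":
    print(triage(sample_events()))
```

The installer's Run-key write is ignored because the value points at a different binary than the one writing it, and its single rename stays under the burst threshold; both checks are about the relationship between the actor and the artefact, not the artefact alone, which is also why the desktop.ini signature above is not worth a rule of its own.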

MITRE ATT&CK Enterprise v6

Tasks