General

  • Target

    star.exe

  • Size

    360KB

  • Sample

    220510-gq7ztaafam

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
7A 5B DD 61 81 91 81 95 62 B8 B3 76 71 6E F6 F4 59 BE 95 9C 2F F7 1B 5C F0 24 93 97 E3 AA D1 B1 A0 71 AC 95 72 CF 77 70 2B 4B 41 FE 0F E2 91 04 56 27 A6 14 0A E5 85 BE 79 32 FA C9 08 8B C2 0E AF AD 0C 91 D4 43 4F 8C 34 8E 55 4B 2F 8D 11 54 C1 9C F2 82 75 70 31 2F D5 6A 91 B0 28 6B 4B AD 02 CD 59 C1 40 5C 60 26 78 1A 89 D6 DB 6F EA E4 89 07 4B 49 CE 5D 20 89 17 85 E3 D2 87 8C 35 4A CC 8C F5 86 06 D4 8E D5 9F 82 FB 2E B1 83 F7 23 C1 03 1D 7E 74 7E 7B 8B 2F 01 4A DF 8A C7 3D FD 21 3E 88 84 1D A9 EF 7B 30 1D 49 C2 4F 41 C0 BA FA D0 3C 2B 49 52 CD 22 EA 8F 30 05 7B C5 D0 E7 2E 8D C8 51 04 18 68 70 A6 AC 94 39 33 31 E3 24 1A C9 49 3B 67 6E A7 F2 07 BF A2 20 20 8A 47 DC F9 A5 AD C3 71 61 4E 4C 48 BF D8 FD 1D C7 C0 63 97 F6 52 E8 02 E0 CC 37 86 D3 C3 4B 1E 7E 59 23
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
94 20 4B A0 14 B9 8F B1 49 4A 51 19 AD A5 6E 22 4C 99 62 30 BF 0D E5 9F 90 73 E1 4D 84 F0 00 29 7C 42 F6 B2 03 8F 51 AC C7 74 84 83 5A A7 9C 4F A3 B2 E5 F0 5B C0 46 29 41 71 04 4B 68 B7 6E AD 33 11 FB EC 6A 3D A1 5E F6 EF E9 50 CB 60 3C 1C 69 B7 FF ED 59 C7 48 F9 68 C0 29 1A 30 54 A8 A3 3F 61 9D 2B 37 8F 23 AD 68 61 FE 75 44 9D 8D FF 18 8C 5D D7 93 17 23 86 B1 7D 69 1A F9 80 95 92 45 CE 77 95 2D 60 D7 AB 4F 56 BC 60 1C 9A D2 9C EC 12 B8 45 50 EE 2E C5 73 30 2E 96 29 AE 0C 76 17 8A A1 C5 0C 3C 0B 91 DF CF 6A 39 14 93 8E 0A 5E 1E 1B 13 5D 65 0A 38 E9 1D 1F D0 59 55 68 DF A9 3B D2 C3 9B 2E 0E 11 12 5B A0 78 DE 2E 0D 00 C8 C6 48 60 05 7B D2 4F F6 03 9B FD 84 8E C6 C1 6D 7C DC 11 3A 0A B9 13 E9 83 EF 01 BD B0 C2 10 00 41 6D 72 6D 6F 2D 4E B0 7D 86 B7 87 7E 8D 62
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/
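The two extractions above differ only in the victim ID. The parser below is an added example, not code from the sandbox or from this report, of pulling the same fields out of a note: the .onion URLs and their address version, the ticket token in the query string, and the victim ID bytes. The note body is a constructed copy of the text above with the ID shortened to 16 bytes (each ID in the report is 256 bytes, the size of one RSA-2048 block); the phrase used as the family marker is an assumption drawn from this note only, not a general GlobeImposter fingerprint. Note that the fallback link is a v2 onion address (16 characters), which current Tor clients no longer resolve since v2 support was removed in 2021; it is still worth recording as an indicator.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the note shown above; the victim ID is shortened to
# 16 bytes (the real IDs in this report are 256 bytes each).
SAMPLE_NOTE = """All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
7A 5B DD 61 81 91 81 95 62 B8 B3 76 71 6E F6 F4
"""

# Onion hostnames are base32 (a-z, 2-7); the optional path stops at whitespace
# or at the '|' column separators used in the note's layout.
ONION_RE = re.compile(r"https?://([a-z2-7]+)\.onion(/[^\s|]*)?")
# A run of at least eight whitespace-separated hex byte pairs.
HEX_RUN_RE = re.compile(r"(?:\b[0-9A-Fa-f]{2}\b[ \t]*){8,}")
# Family marker taken from this note only (assumption, not a generic fingerprint).
FAMILY_MARKER = "For data recovery needs decryptor"


@dataclass
class NoteConfig:
    family: str
    urls: List[str]
    onions: List[Tuple[str, Optional[int]]]  # (hostname, onion address version)
    ticket: Optional[str]
    victim_id: bytes


def onion_version(host: str) -> Optional[int]:
    """v2 onion names are 16 base32 chars, v3 names are 56; anything else is unknown."""
    return {16: 2, 56: 3}.get(len(host))


def parse_note(text: str) -> NoteConfig:
    urls, onions, ticket = [], [], None
    for m in ONION_RE.finditer(text):
        host, path = m.group(1), m.group(2) or "/"
        urls.append(m.group(0))
        onions.append((host, onion_version(host)))
        # The ticket/campaign token is the query string on the first link.
        if ticket is None and "?" in path:
            ticket = path.split("?", 1)[1]

    victim_id = b""
    if "Your ID" in text:
        tail = text.split("Your ID", 1)[1]
        run = HEX_RUN_RE.search(tail)
        if run:
            victim_id = bytes.fromhex("".join(run.group(0).split()))

    family = "globeimposter" if FAMILY_MARKER in text and onions else "unknown"
    return NoteConfig(family, urls, onions, ticket, victim_id)


def iocs(cfg: NoteConfig) -> List[Tuple[str, str]]:
    """Flatten the config into (type, value) pairs for export."""
    out = [("url", u) for u in cfg.urls]
    out += [("onion_v%s" % (v or "?"), h) for h, v in cfg.onions]
    if cfg.ticket:
        out.append(("ticket", cfg.ticket))
    if cfg.victim_id:
        out.append(("victim_id_hex", cfg.victim_id.hex()))
    return out


if __name__ == "__main__":
    for kind, value in iocs(parse_note(SAMPLE_NOTE)):
        print(kind, value)
```

Run it against the real read-me.txt from an infected host and the victim ID comes out as 256 raw bytes; keeping it as bytes rather than text makes it easy to compare across hosts, where a per-victim blob should differ and a campaign-wide token like STAHYJUHGFV should not.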

Targets

    • Target

      star.exe

    • Size

      360KB

    • MD5

      2f121145ea11b36f9ade0cb8f319e40a

    • SHA1

      d68049989ce98f71f6a562e439f6b6f0a165f003

    • SHA256

      59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

    • SHA512

      9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017, named for imitating the ransom notes of the earlier Globe ransomware.

    • Modifies extensions of user files

      Ransomware generally appends or replaces the extension of each file it encrypts; a burst of extension changes across user directories from one process is a strong behavioural signal.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence and skip victims in certain countries.

    • Reads user/profile data of web browsers

      Infostealers often read stored browser profile data, which can include saved credentials, cookies and history; here the reads more likely come from the encryption walk over the user's profile directory.

    • Adds Run key to start application

      A value under Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM) relaunches the program at logon; this is the most common registry persistence mechanism.

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites another thread's register state; outside a debugger it is mostly seen in code injection, for example process hollowing, to redirect execution into injected code.
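The signature list above describes behaviours the sandbox observed. The following is an added example, not the sandbox's or the report's own detection logic, of evaluating those same signals over a process's event stream: extension-changing renames counted per process, a Run key write, a registry read of the location setting, the read-me.txt and desktop.ini drops, and a SetThreadContext call against a foreign process. The events, PIDs, the .locked extension and the registry key used for the location check are constructed assumptions for illustration; only the note path C:\read-me.txt comes from this report.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed events in a minimal sandbox-like schema (not the report's raw
# log). PIDs, paths, the .locked extension and the benign process 4242 are
# assumptions made for this example.
EVENTS = [
    {"pid": 1337, "op": "reg_query", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"pid": 1337, "op": "file_rename", "src": r"C:\Users\user\Documents\budget.xlsx",
     "dst": r"C:\Users\user\Documents\budget.xlsx.locked"},
    {"pid": 1337, "op": "file_rename", "src": r"C:\Users\user\Documents\notes.docx",
     "dst": r"C:\Users\user\Documents\notes.docx.locked"},
    {"pid": 1337, "op": "file_write", "path": r"C:\Users\user\Documents\desktop.ini"},
    {"pid": 1337, "op": "file_rename", "src": r"C:\Users\user\Pictures\cat.jpg",
     "dst": r"C:\Users\user\Pictures\cat.jpg.locked"},
    {"pid": 1337, "op": "file_write", "path": r"C:\read-me.txt"},
    {"pid": 1337, "op": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\star"},
    {"pid": 1337, "op": "api_call", "api": "SetThreadContext", "target_pid": 2048},
    # Benign activity: same-extension rename, ordinary document write, self-targeted call.
    {"pid": 4242, "op": "file_rename", "src": r"C:\Users\user\Pictures\a.jpg",
     "dst": r"C:\Users\user\Pictures\b.jpg"},
    {"pid": 4242, "op": "file_write", "path": r"C:\Users\user\Documents\draft.docx"},
    {"pid": 4242, "op": "api_call", "api": "SetThreadContext", "target_pid": 4242},
]

RUN_KEY_MARKER = "\\currentversion\\run\\"
# One place Windows keeps the user's GEOID (read by GetUserGeoID); assumed here
# to be the lookup behind "Checks computer location settings".
GEO_KEY = "hkcu\\control panel\\international\\geo\\nation"
NOTE_NAMES = {"read-me.txt"}  # the note filename from this report


def extension_changed(src, dst):
    """True when a rename alters the file extension (case-insensitive)."""
    return PureWindowsPath(src).suffix.lower() != PureWindowsPath(dst).suffix.lower()


def evaluate(events, rename_threshold=3):
    """Return {pid: sorted signature names} for every process that tripped a rule."""
    ext_renames = defaultdict(int)
    hits = defaultdict(set)
    for ev in events:
        pid, op = ev["pid"], ev["op"]
        if op == "file_rename" and extension_changed(ev["src"], ev["dst"]):
            ext_renames[pid] += 1
        elif op == "reg_set" and RUN_KEY_MARKER in ev["key"].lower():
            hits[pid].add("run_key_persistence")
        elif op == "reg_query" and ev["key"].lower() == GEO_KEY:
            hits[pid].add("location_check")
        elif op == "file_write":
            name = PureWindowsPath(ev["path"]).name.lower()
            if name in NOTE_NAMES:
                hits[pid].add("ransom_note_dropped")
            elif name == "desktop.ini":
                hits[pid].add("desktop_ini_dropped")
        elif op == "api_call" and ev["api"] == "SetThreadContext" and ev["target_pid"] != pid:
            # Own-process use is debugger-like; a foreign target suggests injection.
            hits[pid].add("remote_thread_context")
    # Mass extension change is a count over the whole stream, not a single event.
    for pid, n in ext_renames.items():
        if n >= rename_threshold:
            hits[pid].add("mass_extension_change")
    return {pid: sorted(s) for pid, s in hits.items()}


def verdict(sigs):
    """Two independent signals together make the ransomware call; one alone is only suspicious."""
    if "mass_extension_change" in sigs and "ransom_note_dropped" in sigs:
        return "ransomware"
    return "suspicious" if sigs else "clean"


if __name__ == "__main__":
    for pid, sigs in evaluate(EVENTS).items():
        print(pid, verdict(sigs), sigs)
```

The rename threshold is deliberately low for the constructed stream; on a real host it should be tuned against baseline activity from archivers and build tools, which also rename many files, and the verdict should keep requiring a second, independent signal such as the note drop.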

MITRE ATT&CK Enterprise v6

Tasks