General

  • Target

    star.exe

  • Size

    360KB

  • Sample

    220512-t7xavsfhfp

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      star.exe

    • Size

      360KB

    • MD5

      2f121145ea11b36f9ade0cb8f319e40a

    • SHA1

      d68049989ce98f71f6a562e439f6b6f0a165f003

    • SHA256

      59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

    • SHA512

      9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks