General

  • Target

    star.exe

  • Size

    360KB

  • Sample

    220519-cqrklscehj

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      star.exe

    • Size

      360KB

    • MD5

      2f121145ea11b36f9ade0cb8f319e40a

    • SHA1

      d68049989ce98f71f6a562e439f6b6f0a165f003

    • SHA256

      59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

    • SHA512

      9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks