General

  • Target

    star.exe

  • Size

    360KB

  • Sample

    220522-gga9gsgdh2

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7
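
The four digests above are what identifies this sample. The Python below is an added example, not part of the report or of the sandbox, of putting them to use during triage: it hashes a candidate file in a single pass, compares every listed digest (a partial match is a warning, not a success), and sanity-checks the listed values themselves for truncation or typos. The stand-in bytes in the main block are constructed and are not the real star.exe.

```python
import hashlib
import io
from typing import BinaryIO, Dict, List

# Digests published for star.exe in the report above (copied from the page).
REPORTED_HASHES: Dict[str, str] = {
    "md5": "2f121145ea11b36f9ade0cb8f319e40a",
    "sha1": "d68049989ce98f71f6a562e439f6b6f0a165f003",
    "sha256": "59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486",
    "sha512": "9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7",
}

# Hex-digest lengths per algorithm; a listed value of any other length was truncated or mistyped.
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def validate_ioc_table(table: Dict[str, str]) -> List[str]:
    """Return the algorithms whose listed digest is not well-formed hex of the right length."""
    bad = []
    for algo, hexdigest in table.items():
        if algo not in DIGEST_HEX_LEN or len(hexdigest) != DIGEST_HEX_LEN[algo]:
            bad.append(algo)
            continue
        try:
            bytes.fromhex(hexdigest)
        except ValueError:
            bad.append(algo)
    return bad


def digests_of_stream(stream: BinaryIO, chunk_size: int = 1 << 16) -> Dict[str, str]:
    """Read the stream once and feed every chunk to all four hashers; works for files of any size."""
    hashers = {algo: hashlib.new(algo) for algo in DIGEST_HEX_LEN}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    return digests_of_stream(io.BytesIO(data))


def digests_of_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as f:
        return digests_of_stream(f)


def compare_to_report(observed: Dict[str, str], reported: Dict[str, str] = REPORTED_HASHES) -> Dict[str, bool]:
    """Per-algorithm match result; hex case differences between tools are ignored."""
    return {algo: observed.get(algo, "").lower() == reported[algo].lower() for algo in reported}


def is_reported_sample(observed: Dict[str, str], reported: Dict[str, str] = REPORTED_HASHES) -> bool:
    """Accept the file as this sample only when every listed digest agrees.

    A split result (MD5 matches, SHA-256 does not) means either a collision or a
    bad entry in the IOC list, and should be investigated rather than accepted.
    """
    return all(compare_to_report(observed, reported).values())


if __name__ == "__main__":
    # Constructed stand-in bytes, not the real star.exe: shows what a non-match looks like.
    stand_in = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the sample"
    observed = digests_of_bytes(stand_in)
    for algo, ok in compare_to_report(observed).items():
        print(f"{algo:6s} {'MATCH' if ok else 'no match'}  {observed[algo]}")
    print("malformed entries in report:", validate_ioc_table(REPORTED_HASHES) or "none")
    print("is reported sample:", is_reported_sample(observed))
```

Run it as `python check_sample.py` and point `digests_of_file` at the file under investigation; the single-pass hasher matters for large droppers, where hashing four times would quadruple the I/O.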

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/
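
The two URLs listed above were extracted from the note. The Python below is an added example, not part of the report or of any analysis tool, of doing that extraction: it finds every URL in a ransom note, classifies .onion hostnames as v2 (16 base32 characters) or v3 (56), keeps the query token the operator uses to tie a victim to a ticket, and defangs the result so it can be shared safely. SAMPLE_NOTE reproduces the note text from the report; the victim ID value in it is a constructed placeholder, since the report does not show the real one.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Any http(s) URL; stops at whitespace, at the '|' the note uses for its box, and at quotes/brackets.
URL_RE = re.compile(r"https?://[^\s|\"'<>]+", re.IGNORECASE)
# Token printed after "Your ID". The placeholder format below is constructed.
VICTIM_ID_RE = re.compile(r"Your ID\s*[:\-]?\s*([A-Za-z0-9_\-]+)")

# Note text as printed in the report; the ID value is a constructed placeholder.
SAMPLE_NOTE = """All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID CONSTRUCTED-PLACEHOLDER-ID
"""


def onion_version(host: str) -> Optional[int]:
    """3 for a v3 hidden service (56 base32 chars), 2 for the retired v2 format (16), else None."""
    host = host.lower()
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")].split(".")[-1]  # ignore any subdomain prefix
    if re.fullmatch(r"[a-z2-7]{56}", label):
        return 3
    if re.fullmatch(r"[a-z2-7]{16}", label):
        return 2
    return None


@dataclass
class NoteIndicators:
    onion_urls: List[str] = field(default_factory=list)
    clearnet_urls: List[str] = field(default_factory=list)
    campaign_tokens: List[str] = field(default_factory=list)  # query strings on the onion URLs
    victim_id: Optional[str] = None


def parse_ransom_note(text: str) -> NoteIndicators:
    ind = NoteIndicators()
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")  # trailing sentence punctuation is not part of the URL
        parts = urlsplit(url)
        if onion_version(parts.hostname or "") is not None:
            if url not in ind.onion_urls:
                ind.onion_urls.append(url)
            if parts.query and parts.query not in ind.campaign_tokens:
                ind.campaign_tokens.append(parts.query)
        elif url not in ind.clearnet_urls:
            ind.clearnet_urls.append(url)
    m = VICTIM_ID_RE.search(text)
    if m:
        ind.victim_id = m.group(1)
    return ind


def defang(url: str) -> str:
    """hxxp:// and [.] so the indicator cannot be clicked or auto-linked when pasted into a ticket."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


if __name__ == "__main__":
    ind = parse_ransom_note(SAMPLE_NOTE)
    for url in ind.onion_urls:
        print(f"onion v{onion_version(urlsplit(url).hostname)}: {defang(url)}")
    print("clearnet:", [defang(u) for u in ind.clearnet_urls])
    print("campaign tokens:", ind.campaign_tokens)
    print("victim id:", ind.victim_id)
```

The v2/v3 split is worth recording: v2 services were switched off by the Tor network in 2021, so a note that only offers a v2 address has no working payment channel even if the operator is still active.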

Targets

    • Target

      star.exe

    • Size

      360KB

    • MD5

      2f121145ea11b36f9ade0cb8f319e40a

    • SHA1

      d68049989ce98f71f6a562e439f6b6f0a165f003

    • SHA256

      59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

    • SHA512

      9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext
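
The signature names above are the sandbox's behaviour rules firing on this run. As an added example, not the sandbox's own detection code, the Python below replays a constructed event stream (registry writes and reads, file renames and creates, a browser profile read, an API call) through simple rules that reproduce each listed signature, including a threshold for the mass-rename pattern so a single ordinary rename does not trigger it. The registry key used for the country-code lookup (HKCU\Control Panel\International\Geo, value Nation) is an assumption; the report only says the code is read from the registry. The ".locked" extension, all paths and all PIDs are constructed.

```python
import ntpath
from collections import Counter
from typing import Dict, List, Tuple

# Persistence: any value written under the per-user or machine Run/RunOnce keys.
RUN_KEY_MARKER = r"\software\microsoft\windows\currentversion\run"
# Assumption: the "country code configured in the registry" is the Nation value under
# HKCU\Control Panel\International\Geo; the report does not name the key it saw.
GEO_KEY_MARKER = r"\control panel\international\geo"
# Browser profile stores that infostealer-style reads touch (Chrome and Firefox paths).
BROWSER_MARKERS = (r"\google\chrome\user data", r"\mozilla\firefox\profiles")
# Thresholds for calling a burst of renames "mass extension modification".
MIN_RENAMES = 10
DOMINANT_EXT_RATIO = 0.8


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def extension_rewrite_ratio(renames: List[Tuple[str, str]]) -> Tuple[int, float]:
    """Count renames that change the extension and how concentrated the new extension is.

    Many files rewritten to one new extension is the ransomware pattern; a few
    scattered renames with different extensions are ordinary user activity.
    """
    changed = [(old, new) for old, new in renames if _ext(old) != _ext(new)]
    if not changed:
        return 0, 0.0
    top_count = Counter(_ext(new) for _, new in changed).most_common(1)[0][1]
    return len(changed), top_count / len(changed)


def match_signatures(events: List[Dict]) -> Dict[str, str]:
    """Map each report signature that fires to a short evidence string."""
    hits: Dict[str, str] = {}

    renames = [(e["old"], e["new"]) for e in events if e["type"] == "file_rename"]
    n_changed, ratio = extension_rewrite_ratio(renames)
    if n_changed >= MIN_RENAMES and ratio >= DOMINANT_EXT_RATIO:
        hits["Modifies extensions of user files"] = f"{n_changed} renames, {ratio:.0%} share one new extension"

    for e in events:
        if e["type"] == "reg_set" and RUN_KEY_MARKER in e["key"].lower():
            hits["Adds Run key to start application"] = f"{e['key']} {e['value']} = {e['data']}"
        elif e["type"] == "reg_query" and GEO_KEY_MARKER in e["key"].lower():
            hits["Checks computer location settings"] = f"{e['key']} {e['value']}"
        elif e["type"] == "file_read" and any(m in e["path"].lower() for m in BROWSER_MARKERS):
            hits["Reads user/profile data of web browsers"] = e["path"]
        elif e["type"] == "api" and e["name"] == "SetThreadContext":
            hits["Suspicious use of SetThreadContext"] = f"pid {e['pid']} on pid {e['target_pid']}"

    ini_dirs = {ntpath.dirname(e["path"]) for e in events
                if e["type"] == "file_create" and ntpath.basename(e["path"]).lower() == "desktop.ini"}
    if ini_dirs:
        hits["Drops desktop.ini file(s)"] = f"written in {len(ini_dirs)} directories"
    return hits


def build_constructed_events() -> List[Dict]:
    """Constructed event stream standing in for sandbox telemetry; nothing here is from the real run."""
    user = r"C:\Users\victim"
    ev: List[Dict] = [
        {"type": "reg_set", "pid": 4120, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "value": "star", "data": user + r"\AppData\Roaming\star.exe"},
        {"type": "reg_query", "pid": 4120, "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
        {"type": "file_read", "pid": 4120, "path": user + r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
        {"type": "api", "pid": 4120, "name": "SetThreadContext", "target_pid": 4388},
        # One ordinary rename that keeps its extension: must not count toward the ransomware rule.
        {"type": "file_rename", "pid": 4120, "old": user + r"\Documents\notes.txt", "new": user + r"\Documents\notes-old.txt"},
    ]
    for i in range(12):  # twelve documents rewritten with one constructed extension
        old = user + rf"\Documents\report{i}.docx"
        ev.append({"type": "file_rename", "pid": 4120, "old": old, "new": old + ".locked"})
    for folder in (r"\Documents", r"\Pictures"):
        ev.append({"type": "file_create", "pid": 4120, "path": user + folder + r"\desktop.ini"})
    return ev


if __name__ == "__main__":
    for name, evidence in match_signatures(build_constructed_events()).items():
        print(f"[+] {name}: {evidence}")
```

The rename rule is the one worth tuning on real telemetry: backup tools and installers also rename in bulk, so the dominant-extension ratio and the count threshold together are what separate "one new extension everywhere" from legitimate churn.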

MITRE ATT&CK Enterprise v6

Tasks