globeimposter

General

Target

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
Size

235KB
Sample

220523-3zp19adefj
MD5

beca53ebe027a5200ae7b0158f2d742b
SHA1

1af422f5bd6f4c4ba570fcd4b823c86f675af85b
SHA256

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
SHA512

82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

Score

10^/10

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��81 F3 2B 4E 00 18 D2 15 8C 11 F0 E9 EE 9F AE 9D 7B AD 77 A2 E5 08 5F DF 98 49 93 35 B1 39 59 2F 03 E7 60 DE B6 C2 BE FC 93 EF 44 57 64 70 BB 81 D4 6D FF A7 A6 61 0A 66 EB F7 90 E8 B9 56 32 01 A3 95 C9 37 CA 00 3B 5F 02 CC 0A 23 3F E9 16 8F B8 5B E9 AE 71 C3 B6 2D B0 D6 49 E6 1B E2 AA 67 A7 2D B3 3B 44 58 D8 EC 33 F6 CF 8A 9C 9A A7 26 4C 39 F1 AA D8 E9 6A 54 78 F2 26 D1 3C ED 22 B5 85 DB 67 77 FF DF 74 77 98 5F 29 10 A0 D7 33 6B E1 A1 A2 1B 25 4B 4C 40 2A AB 52 48 6B 06 73 F1 E5 9A BD F6 5F A9 4A 89 F2 7D 34 72 48 21 81 9F 2E 7F A8 E1 74 9F 50 5A 57 0B 3B 28 D9 37 B1 24 F8 74 62 DF D2 3A 1A C4 64 E9 55 ED 00 4C 42 E0 BC 50 E1 66 0F D2 FA A6 BB 48 C7 87 C6 F1 0E ED FE F1 C7 6A 91 EF C1 DB F1 AD 0A 67 D8 90 FC FF 6A 08 8D 97 D0 4E E3 F5 1A 90 5A 8B A5 5A 8B A3 ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��83 41 3E D8 9A 2E 92 01 7A 7A 7B 5B 57 D8 D6 7E A7 3B FE E7 F9 42 6E 3D 79 6B B5 B8 F1 8F 12 F6 E3 1C 39 54 A9 CB A1 DD 78 BA 1E A3 B1 3D 29 1D 2A AA E1 79 CF 5F B8 FA 3A 5D 48 6E A0 A7 34 C1 DA FD 04 7D 31 47 93 37 70 63 D5 EF 1E A3 4A 19 B6 D5 C3 CB 7E EA 99 AA 25 66 02 A8 55 BD 54 83 84 6B B2 16 21 9B FD 5A 94 4F 86 03 28 F3 01 22 15 70 1E 2C 61 0E 6E E1 22 88 DA 55 BC AE 13 A3 83 84 8F 6A 77 D9 6C F3 59 17 96 C4 9E 50 14 C5 E7 B9 E1 3A 58 C0 29 42 8D 64 4A 73 55 9E EB D4 02 90 39 AC B9 4A E8 81 28 99 FA 55 5E 3A A5 DA B3 4B 60 8A 86 09 77 F3 08 82 59 08 B1 35 B1 BB 01 DC 4A 69 5F 36 6B A6 C7 D8 21 11 95 DE 6A 97 B7 C0 F5 A5 A6 E2 01 72 6B 5D 5E F3 1B 1F D8 45 B9 05 28 3B 1C 41 40 FF BE D7 5E 62 04 85 44 5B D7 6B E2 52 98 8D 9C 9D 1A 72 17 9C C6 24 84 E7 ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

- Target
  
  57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
- Size
  
  235KB
- MD5
  
  beca53ebe027a5200ae7b0158f2d742b
- SHA1
  
  1af422f5bd6f4c4ba570fcd4b823c86f675af85b
- SHA256
  
  57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
- SHA512
  
  82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80
Score

10^/10

globeimposter lockbit persistence ransomware
- GlobeImposter
  GlobeImposter is a ransomware first seen in 2017.
  ransomware globeimposter
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Lockbit

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2