General

  • Target

    star.exe

  • Size

    360KB

  • Sample

    220525-2edbaaabfk

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
29 90 AF 7F 59 31 3A 1C 72 BC 98 3E A8 44 59 89 94 4D A6 6A 2E B4 82 D5 1E A8 E6 A6 D2 8A 65 A3 27 C2 11 98 58 8A 27 C9 E0 ED 22 58 D0 F4 DF 0D 2D 25 7A 51 B5 C0 85 9A 5F A1 BB D8 45 15 14 07 E4 8D 3C ED 64 6A 76 74 D6 63 50 63 FF E7 FC 17 A8 B1 0B 53 31 E9 54 35 61 AF F4 F7 21 D5 15 BE 25 14 19 AD D7 7C FD AE 76 E0 11 7D D4 5A 73 E2 B5 80 68 9D 64 55 3D EC DA E4 EC 59 60 9C 82 FD 18 E2 49 C3 32 39 BF AF D2 D4 7C 0F FF 3F AB 57 D1 40 F2 02 70 B9 BA 58 82 2C 6E B2 2C 45 7D 04 70 A7 41 2D 0D B4 5C BD 7D 0F 70 D4 15 D3 30 21 30 23 FC 0A 32 B8 C3 95 81 C2 79 30 8A FD 6F 77 B9 F2 86 BE 3A 98 92 C7 9E 4D 47 F3 FD 42 55 B4 04 7E 73 4A 94 BD 87 FA AB 15 0C 01 2D C3 08 B7 57 55 1A BE 36 43 EC 61 22 E2 A2 3F C7 51 A9 A1 17 56 88 EA 39 57 97 81 53 EE 41 C0 2C D0 B2 49
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      star.exe

    • Size

      360KB

    • MD5

      2f121145ea11b36f9ade0cb8f319e40a

    • SHA1

      d68049989ce98f71f6a562e439f6b6f0a165f003

    • SHA256

      59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

    • SHA512

      9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks