General

  • Target

    131ca56bb58b9fc68b7cc595e534208625bb9230d7d5b42e747ca4fa1945e044

  • Size

    361KB

  • Sample

    220603-qmxt4sbdhl

  • MD5

    3969f76be0d978d81cf587a7e8fab17a

  • SHA1

    2f69a78547ed0a7cb6869c237b50c6ed6c54cd77

  • SHA256

    131ca56bb58b9fc68b7cc595e534208625bb9230d7d5b42e747ca4fa1945e044

  • SHA512

    cdbebe34b661f449f9696c3bb2a27297b0e23e8e0b012d6a809c8a4ca12138fe2592170ea15c79076e3f9d3620f292a4847c48594459e207732e74037c14b2fc

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
[binary victim key blob omitted]
###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks