General

  • Target

    star.exe

  • Size

    360KB

  • Sample

    220611-vkeyqsggdn

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or
http://helpqvrg3cc5mvb3.onion/
Your ID
65 1A C3 B3 1E D3 06 8D FE 58 C0 1C 62 13 D8 04 45 9F 70 B5 99 40 8A A0 0A 30 2D 1A A8 2D 8F A3 64 D1 34 79 09 19 54 76 AE 76 93 23 80 55 60 76 51 3C 25 EB 38 BE C2 F7 3C 38 0B 29 3F 21 BE B3 5F D6 DD B4 C6 E1 8C 11 D9 3D C0 E6 1A F6 32 4E 71 FC 19 EF 81 C3 27 BF DD 64 BF E0 E8 36 50 2A C5 DC C8 C4 76 8B 08 31 00 8E 39 8D 36 4C A3 32 FD 6C 2B 3E 5C 26 D8 11 34 0B 07 C5 92 00 4D FE E8 CE 1D C1 A4 F5 69 A2 26 41 9B FC 4A FD DB AA BE FC 9E 14 68 BE 2C D7 E8 0C 95 51 C3 D1 BC D6 9F F8 F7 C5 DE 6A A0 94 BD D6 17 E4 5D FD F2 64 0F 92 36 C9 1C E5 53 A3 12 4C BA 85 B3 06 93 02 06 8D 93 EC E4 BD 00 C5 FB E4 2A 10 A5 34 B3 66 F1 04 81 8B C4 84 AD 2F F5 02 3B B4 E5 58 11 5C EA ED 84 07 EB 4D 63 0D 36 35 AB 10 96 22 C7 55 6F CF 39 B8 52 63 AC 12 50 C3 54 80 14 E7 AD A1

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext
