General

  • Target

    bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3

  • Size

    552KB

  • Sample

    220625-clfmjscdh4

  • MD5

    f864a5f13e37bab86d97343b4d16ea59

  • SHA1

    d068383fecb14f38b58ba76a79d6cd8ea616cadd

  • SHA256

    bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3

  • SHA512

    58ea72ffeef34ec3699e55ab0fa049709c184a4d13710c910ed089e0bbf75637fc54d5a59aa92e9b52478b8f2220fe514a28c7d5e029ed197b5c753b81671b3b

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###�����������4C 6E 7A 81 2A 2B 2B 9C 25 ED 33 76 B6 A5 3E B6 8E 2C 44 5F 12 9F B9 E6 6C 13 0F 3D 34 D4 B4 3B 99 10 BD 14 E8 D9 0C 47 D7 34 14 70 BF 37 AF BD FA 2E AB A2 B8 CE B0 F3 2B C0 3D 3D 2B 72 0E 54 6D 53 4D 5D 1C 66 A6 7E EC 0F 56 FF 8B 13 8C BF 7E CD 00 AF 40 B2 22 47 65 07 02 21 82 63 7A D4 45 A7 52 C9 F3 BC 15 5C 85 F8 B0 AD F8 1F 1F 0C 93 A1 D4 80 8E 92 F5 6C 57 45 66 40 0C DB 33 88 5D 45 78 85 8D 02 BA 44 41 ED EC 0A 7D E6 9B 1F BF 3D 04 25 37 03 B4 2A 89 0E FF 26 15 79 EA E4 B7 E1 92 DD E6 B7 A5 CA 56 EE 00 03 DE F9 AC B5 D8 4B 65 A9 7F 8E 3D 60 B6 DC 4A A5 AE DE 9F 31 79 50 0C 69 4A 0F 8D F7 62 B1 64 AF 05 11 18 F8 8C CA 00 BA 46 6B 67 68 DC BA AA 93 0F 2C 61 B8 FB 80 19 D3 C8 76 27 60 71 96 E6 D4 18 CC 77 0A AD 2B FE ED AE 47 F7 37 C3 C7 33 A9 5B 6D A8 D1 ###�������������
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

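As an added example, not part of the sandbox report, the following Python script parses the ransom-note layout shown above: it pulls out the .onion contact URLs, the victim tag between the ### markers, and the hex blob that follows "DO NOT CHANGE DATA BELOW", and hashes that blob so it can be matched across notes from the same incident. The note text is the one extracted by the sandbox, with the run of undecodable bytes after the tag omitted (the only constructed change). Two things the script makes checkable: both URLs are 16-character v2 onion addresses, which Tor clients stopped supporting in late 2021, so the payment site is unreachable from a current Tor Browser; and the blob is exactly 256 bytes, the size of an RSA-2048 ciphertext, which is consistent with a per-victim key wrapped under the operator's public key (an inference from the length, not something the report states).

```python
import hashlib
import re

# Ransom note as extracted in the report. The undecodable bytes between the
# ###tag### marker and the hex dump are omitted here (constructed abbreviation).
NOTE = (
    "All your files are Encrypted! For data recovery needs decryptor. "
    "How to buy decryptor: "
    "| 1. Download Tor browser - https://www.torproject.org/ and install it. "
    "| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ "
    "| 3. Follow the instructions on this page "
    'Note! This link is available via "Tor Browser" only. '
    "Free decryption as guarantee. Before paying you can send us 1 file for free decryption. "
    "alternate address - http://helpinfh6vj47ift.onion/ "
    "DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr### "
    "4C 6E 7A 81 2A 2B 2B 9C 25 ED 33 76 B6 A5 3E B6 8E 2C 44 5F "
    "12 9F B9 E6 6C 13 0F 3D 34 D4 B4 3B 99 10 BD 14 E8 D9 0C 47 "
    "D7 34 14 70 BF 37 AF BD FA 2E AB A2 B8 CE B0 F3 2B C0 3D 3D "
    "2B 72 0E 54 6D 53 4D 5D 1C 66 A6 7E EC 0F 56 FF 8B 13 8C BF "
    "7E CD 00 AF 40 B2 22 47 65 07 02 21 82 63 7A D4 45 A7 52 C9 "
    "F3 BC 15 5C 85 F8 B0 AD F8 1F 1F 0C 93 A1 D4 80 8E 92 F5 6C "
    "57 45 66 40 0C DB 33 88 5D 45 78 85 8D 02 BA 44 41 ED EC 0A "
    "7D E6 9B 1F BF 3D 04 25 37 03 B4 2A 89 0E FF 26 15 79 EA E4 "
    "B7 E1 92 DD E6 B7 A5 CA 56 EE 00 03 DE F9 AC B5 D8 4B 65 A9 "
    "7F 8E 3D 60 B6 DC 4A A5 AE DE 9F 31 79 50 0C 69 4A 0F 8D F7 "
    "62 B1 64 AF 05 11 18 F8 8C CA 00 BA 46 6B 67 68 DC BA AA 93 "
    "0F 2C 61 B8 FB 80 19 D3 C8 76 27 60 71 96 E6 D4 18 CC 77 0A "
    "AD 2B FE ED AE 47 F7 37 C3 C7 33 A9 5B 6D A8 D1 ###"
)

# Onion hostnames are base32 (a-z, 2-7): 16 characters for v2, 56 for v3.
ONION_RE = re.compile(r"https?://(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion/?")
# Victim tag sits between two ### markers right after "DO NOT CHANGE DATA BELOW".
TAG_RE = re.compile(r"###([A-Za-z0-9]+)###")
# Longest run of space-separated hex byte pairs (at least 9 bytes to avoid noise).
HEX_RUN_RE = re.compile(r"(?:[0-9A-Fa-f]{2} ){8,}[0-9A-Fa-f]{2}")


def onion_version(url_or_host):
    """Return 2 or 3 for a v2/v3 onion address, None if the label length fits neither."""
    label = url_or_host.split(".onion")[0].rsplit("/", 1)[-1]
    return {16: 2, 56: 3}.get(len(label))


def parse_note(text):
    """Extract contact URLs, victim tag and the trailing key blob from a note."""
    urls = sorted(set(ONION_RE.findall(text)))
    tag_m = TAG_RE.search(text)
    victim_tag = tag_m.group(1) if tag_m else None
    # Only look for the blob after the tag so hex-looking words in the prose are ignored.
    tail = text[tag_m.end():] if tag_m else ""
    hex_m = HEX_RUN_RE.search(tail)
    blob = bytes.fromhex(hex_m.group(0)) if hex_m else b""
    return {
        "urls": urls,
        "onion_versions": {u: onion_version(u) for u in urls},
        "victim_tag": victim_tag,
        "blob": blob,
        "blob_sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    parsed = parse_note(NOTE)
    for url in parsed["urls"]:
        print(f"contact url: {url} (onion v{parsed['onion_versions'][url]})")
    print(f"victim tag:  {parsed['victim_tag']}")
    print(f"key blob:    {len(parsed['blob'])} bytes, sha256 {parsed['blob_sha256']}")
```

The victim tag and the blob hash are per-victim values: they let you tie several notes found on different hosts to one encryption run, but they are not indicators to share as a blocklist the way the .onion URLs are.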

Targets

    • Target

      bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3

    • Size

      552KB

    • MD5

      f864a5f13e37bab86d97343b4d16ea59

    • SHA1

      d068383fecb14f38b58ba76a79d6cd8ea616cadd

    • SHA256

      bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3

    • SHA512

      58ea72ffeef34ec3699e55ab0fa049709c184a4d13710c910ed089e0bbf75637fc54d5a59aa92e9b52478b8f2220fe514a28c7d5e029ed197b5c753b81671b3b

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      Two ransomware family signatures matched on this sample; treat the family attribution as unconfirmed until the ransom note text, note path and encrypted-file extension have been compared against known samples of each family.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

      Persistence through a Run registry key, so the program is started again at the next logon.

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common step in process injection and process hollowing.

MITRE ATT&CK Enterprise v6

Tasks