Overview

overview

10

Static

static

361bd552b2...a0.exe

windows7_x64

10

361bd552b2...a0.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    361bd552b278cf0d956b787abd984b6c86413d668492613782f856040d8200a0

  • Size

    243KB

  • Sample

    220626-d6cbasfeem

  • MD5

    e222299ef243f72a0d45db64601146d3

  • SHA1

    e87bdc834dddd85b5b9b931eaccac03a5caabf81

  • SHA256

    361bd552b278cf0d956b787abd984b6c86413d668492613782f856040d8200a0

  • SHA512

    683c5879edd98b9ed0b71c11bfc0857b2fe2a240d73105e78600c24352c094ceb0cdb6eb78fe22a721d4d1946c034afc0d0240b61f62038a5fd4c1bfb80dae14

Score
10/10
globeimposterlockbitpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###�����������00 E0 38 B2 BE CD 0D 40 6D F0 3F EC 9F 12 D1 AD BA 82 FD 75 23 26 BB 84 58 A4 40 A9 B6 B1 75 22 84 C5 1A 91 65 49 2F AB 13 68 E6 98 39 7A EB E2 92 1A 3F 6F 20 74 75 84 82 18 BE D3 A6 4E 84 19 C6 E8 9F 0C 74 6B D7 B2 F6 B0 BE 7A 33 B9 3B BF 36 A5 4F F1 83 36 53 C5 0B BF 91 C5 37 7D 30 EA 1D F0 3E 15 08 19 37 D0 D6 EA B3 15 D2 C3 94 0A 94 A6 E5 57 21 AE 06 EE D0 F7 19 0F 1D F6 BB EB 00 95 62 18 6B F8 6B 54 3F 1F 17 D1 02 33 4A 37 51 FC 8C B8 6E FF E4 CD 67 E5 E6 7F 40 17 91 39 7F 17 AE E0 EA B1 A7 73 17 12 42 9B A1 C9 07 0D C8 46 7E 1A 0E 5E B5 37 76 6E C1 41 2E 65 0B 43 9D BD EE DE 55 DD F0 F3 F0 3A B1 F2 9C FD 55 AC 76 5E 77 D2 2A 0F F6 C9 41 AA 8A 72 3A 37 C4 F2 85 82 ED 56 CC 05 E1 97 BB 3A 19 26 56 4B D8 A2 5E 71 37 B6 47 02 9C 42 DC 6E 1D 28 99 F0 A5 E3 ###�������������
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###�����������35 B3 FE 6B 4A 40 90 9C 6F 82 2A 45 03 7E 8A 68 CC 29 A9 AE 6E 01 D7 32 5A 8C 84 21 DF BA 73 11 D4 78 2B 39 5D 0E 44 AA 96 57 09 61 1B 98 A9 EA 1A 27 9A 95 E1 41 E8 BF 1B 3D AA 14 77 BB FB 11 85 B1 33 4E 4A 9B 43 70 0C EB 41 49 69 33 C8 F4 B7 A0 1D 36 1C C3 52 E6 0D 61 28 BA 64 0B 4D 7B 1D 8C CD 2B E7 4C DA 89 9F 7D 41 4A 59 7A A6 94 0D 48 22 73 BA 2C 29 6E A3 5A EB 86 8E D6 F7 6E 6D 2C 40 4E E8 3F FF 66 EF 76 F5 1B 35 20 00 DA 86 CE 58 CD 10 08 DE C3 73 B7 92 BE 4B 09 78 81 49 2F 3C 47 94 4E EA 7D 45 95 91 61 8E 88 6A 0B 57 66 82 C4 38 47 96 A3 DE 26 01 21 5D 1A EE B0 CB EF 1A CE A0 6D 33 CE DD FB 88 A4 24 7E FA DE C5 EE 30 34 91 64 53 EA FA 77 40 00 91 46 CF 68 46 08 F1 5E 7C 37 FE 22 E4 8D 7B 31 96 EB D6 50 DE 79 60 3A 84 49 ED AB EA 06 BB AF 64 42 21 25 ###�������������
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

    • Target

      361bd552b278cf0d956b787abd984b6c86413d668492613782f856040d8200a0

    • Size

      243KB

    • MD5

      e222299ef243f72a0d45db64601146d3

    • SHA1

      e87bdc834dddd85b5b9b931eaccac03a5caabf81

    • SHA256

      361bd552b278cf0d956b787abd984b6c86413d668492613782f856040d8200a0

    • SHA512

      683c5879edd98b9ed0b71c11bfc0857b2fe2a240d73105e78600c24352c094ceb0cdb6eb78fe22a721d4d1946c034afc0d0240b61f62038a5fd4c1bfb80dae14

    Score
    10/10
    globeimposterlockbitpersistenceransomwarespywarestealer

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

      ransomwareglobeimposter

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks