General
-
Target
e0e0c26b78f258324345886b83c8a0b6bf6b8ccdf5412c5dfdc10141932090ab
-
Size
53KB
-
Sample
220701-bxcvcsedcq
-
MD5
b9a84d52093a20975d44418e9eaec631
-
SHA1
fa464b36590d93a4ec6d9f63817dd931dd1a9ac8
-
SHA256
e0e0c26b78f258324345886b83c8a0b6bf6b8ccdf5412c5dfdc10141932090ab
-
SHA512
ad7d95c59b17586f1214ad9f1696de153d0cd6e2b375efa3f93057b6ed07aba1048f71238dfb59b29b1a47fdd7eca4d846cdb00fce901d5526d2c33c1448b96d
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #ff0000;
}
.tabs1 .identi {
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
/*height: 30px;*/
background: red;
}
.tabs .tab{
/*float: left;*/
display: inline-block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 15px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #ff0000;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 100%;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
outline: 1px solid red;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="on" id="tab1" />
<div id="tab-content1" class="content">
<h1>Your files are encrypted! </h1>
<hr/>
<div class="text">
<!--text data -->
<center>Don't worry, you can return all your files!<br>
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.<br>
The only method of recovering files is to purchase decrypt tool and unique key for you.<br>
This software will decrypt all your encrypted files.</center>
<br>
<center>----------------------------------------------------------</center>
To start the recovery process:
<ul><li>Register email box to protonmail.com or cock.li (do not waste time sending letters from your standard email address, they will all be blocked).
<li>Send a email from your new email address to: <strong>
[email protected]
</strong> with your personal ID.</li>
<li>In response, we will send you further instructions on decrypting your files.</li></ul>
<center>---------------------------------------------------------</center>
<strong>Your personal ID:</strong>
<pre>������������01 2B 37 3C 0B 6B 96 69 41 71 A7 E0 79 75 92 88
17 0D D7 5B 47 8B E9 76 5C 77 AC 4A 25 93 9C F3
44 45 1E 7C 20 46 8F 9D 07 48 D6 DF CB 6F 11 4F
7B 63 39 03 1F 29 BA 43 A2 5E 7F 19 CB 1E 1E DF
00 35 74 63 E0 86 2E 5E 49 F4 4B 77 2B CE C0 9B
74 FA 4A F4 6F B4 01 08 B3 C0 34 11 05 27 F0 D7
49 90 37 91 45 88 8B 4D 7A B3 6C EF 01 96 14 3B
50 72 71 BA A6 7A 10 BE 70 55 BD 16 2F 5D 90 FA
51 7B 80 FF CC 84 47 B4 80 5C DE DE DC D6 52 E5
AE B6 36 A7 81 DD 30 39 80 AF 86 2B 12 3B E9 A7
BB 72 7C BC FF 10 CE 45 D6 19 3B 9B 56 41 78 FC
22 31 5B 93 12 54 25 EE 58 27 AB A8 2B 2F C6 EF
34 4F A7 17 A7 59 42 AE 27 A9 45 64 A4 81 CD 43
3D B7 2A 37 CB 08 D8 77 08 DA 3D F1 BC 49 0F 7A
C4 74 83 E5 E1 F3 67 5C 77 BB 44 99 2C CC B5 A0
86 92 95 55 A6 1C 9B 79 8D 83 94 D3 41 AF 6B 2A
</pre>
<center>----------------------------- P.S. ----------------------------------</center>
<ul><li>It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.</li>
<li>Check the folder "Spam" when waiting for an email from us.</li>
<li>If we do not respond to your message for more than 48 hours, write to the backup email : <strong>
[email protected]
</strong></li>
<li>-----------</li>
<li>Q: Did not receive an answer?</li>
<li>A: Check the SPAM folder.</li>
<li>Q: My spam folder is empty, what should I do?</li>
<li>A: Register email box to protonmail.com or cock.li and do the steps above.</li></ul>
<!--text data -->
</div>
</div>
</div>
</body>
</html>��������
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #ff0000;
}
.tabs1 .identi {
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
/*height: 30px;*/
background: red;
}
.tabs .tab{
/*float: left;*/
display: inline-block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 15px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #ff0000;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 100%;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
outline: 1px solid red;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="on" id="tab1" />
<div id="tab-content1" class="content">
<h1>Your files are encrypted! </h1>
<hr/>
<div class="text">
<!--text data -->
<center>Don't worry, you can return all your files!<br>
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.<br>
The only method of recovering files is to purchase decrypt tool and unique key for you.<br>
This software will decrypt all your encrypted files.</center>
<br>
<center>----------------------------------------------------------</center>
To start the recovery process:
<ul><li>Register email box to protonmail.com or cock.li (do not waste time sending letters from your standard email address, they will all be blocked).
<li>Send a email from your new email address to: <strong>
[email protected]
</strong> with your personal ID.</li>
<li>In response, we will send you further instructions on decrypting your files.</li></ul>
<center>---------------------------------------------------------</center>
<strong>Your personal ID:</strong>
<pre>������������43 41 7D 34 85 F4 A2 26 D5 E2 E6 1C 24 CA 29 AD
5E 75 75 AA 65 5E EF 55 A7 78 9B 50 93 DF C7 85
A2 79 EB 38 D3 07 2A CF CB F2 26 A9 48 B6 6E E1
51 3A A1 1B D8 0D 0E B8 3A D3 BF F5 FD 1A 66 F8
36 E2 8D A5 9E 39 EA C3 7E C3 AC CC 57 DF 9C 61
50 1B EF 69 D0 60 9F DC 45 ED A8 3A 25 E7 D7 41
7C BC 51 CD 3A 99 01 E9 AE 54 E9 9C 39 F7 E3 51
A6 A7 AD 1A 78 DC 64 C6 8B A3 FC 44 DD 34 B7 44
13 CB 79 28 3B 8B A7 89 3F 5D CE 77 E0 BE CB 82
B0 C6 2F F9 22 02 F1 56 CD C9 A6 76 6F E0 72 C1
59 81 17 DF 1F 11 7D 42 65 A8 34 C4 82 5C 43 2A
34 8D 21 C6 83 0B D6 B3 04 4B 64 E9 F0 52 E0 D0
A0 9F 90 53 C4 0F BE 60 47 AE F2 3C 28 00 3B E1
22 3F 13 10 0F E1 CB 63 FC 1E CF 20 6D F6 F6 66
8E 39 6E 13 AF F2 6F 3B 95 CF 7D C9 9F 2B FC 2D
A5 5D 20 26 AD 75 10 2A 9C D1 E8 2A FC 99 E9 08
</pre>
<center>----------------------------- P.S. ----------------------------------</center>
<ul><li>It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.</li>
<li>Check the folder "Spam" when waiting for an email from us.</li>
<li>If we do not respond to your message for more than 48 hours, write to the backup email : <strong>
[email protected]
</strong></li>
<li>-----------</li>
<li>Q: Did not receive an answer?</li>
<li>A: Check the SPAM folder.</li>
<li>Q: My spam folder is empty, what should I do?</li>
<li>A: Register email box to protonmail.com or cock.li and do the steps above.</li></ul>
<!--text data -->
</div>
</div>
</div>
</body>
</html>��������
Targets
-
-
Target
e0e0c26b78f258324345886b83c8a0b6bf6b8ccdf5412c5dfdc10141932090ab
-
Size
53KB
-
MD5
b9a84d52093a20975d44418e9eaec631
-
SHA1
fa464b36590d93a4ec6d9f63817dd931dd1a9ac8
-
SHA256
e0e0c26b78f258324345886b83c8a0b6bf6b8ccdf5412c5dfdc10141932090ab
-
SHA512
ad7d95c59b17586f1214ad9f1696de153d0cd6e2b375efa3f93057b6ed07aba1048f71238dfb59b29b1a47fdd7eca4d846cdb00fce901d5526d2c33c1448b96d
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-