globeimposter

General

Target

ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043
Size

334KB
Sample

220701-eqm9asbdgl
MD5

8e45b07b7dbf71049ec7590994ce5632
SHA1

8284940b7896c314d196ef7f1453687cd1b35a37
SHA256

ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043
SHA512

4e1f9ef55a387138cd09f7ef8dad4776f11a35448b9664bb3c78a6c2c4c69c0024247cdd03668afcaa3c3c67f1407fe37dcf7927534e35d2e7d67bb37322f5eb

Score

10^/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Restore-My-Files.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://alcx6zctcmhmn3kx.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELO ###s6dlsnhtjwbhr###ED56F6A208E3EB2###

URLs

http://alcx6zctcmhmn3kx.onion/

http://helpinfh6vj47ift.onion/

Targets

- Target
  
  ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043
- Size
  
  334KB
- MD5
  
  8e45b07b7dbf71049ec7590994ce5632
- SHA1
  
  8284940b7896c314d196ef7f1453687cd1b35a37
- SHA256
  
  ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043
- SHA512
  
  4e1f9ef55a387138cd09f7ef8dad4776f11a35448b9664bb3c78a6c2c4c69c0024247cdd03668afcaa3c3c67f1407fe37dcf7927534e35d2e7d67bb37322f5eb
Score

10^/10

globeimposter lockbit evasion persistence ransomware spyware stealer
- GlobeImposter
  GlobeImposter is a ransomware first seen in 2017.
  ransomware globeimposter
- Lockbit
  Ransomware family with multiple variants released since late 2019.
  ransomware lockbit
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2