General

  • Target

    90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91

  • Size

    276KB

  • Sample

    220724-v9b85sdbaq

  • MD5

    0f98b7b43ab1b3e2a957c5361fc403cd

  • SHA1

    6afc0ae820991afcf9d6eeab0cbb68378b2f8d00

  • SHA256

    90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91

  • SHA512

    f56b1fbf9ec6c63807882166fd8845ba4660eb16403706d4d0b3c4ee3de8a86549771e516d017058da9a023f787b997855733b975ad98569975655d92101ffb3

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

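The extracted configuration gives a responder two kinds of indicator to act on right away: the sample's file digests and the ransom note's .onion URLs plus the victim identifier embedded after "DO NOT CHANGE DATA BELOW". The Python below is an added example, not part of the sandbox report or of the malware: it checks a file's digests against every hash listed above (a single mismatch means a different file) and parses a note in the format shown, pulling out the .onion URLs, the victim ID between the ### markers, and the length of the opaque binary tail that follows the markers (the report does not say what that tail is, so it is treated as bytes and never decoded). The sample note is constructed here from the text above with a made-up 16-byte tail.

```python
import hashlib
import re

# Hashes and note filename exactly as listed in the report above.
REPORTED_HASHES = {
    "md5": "0f98b7b43ab1b3e2a957c5361fc403cd",
    "sha1": "6afc0ae820991afcf9d6eeab0cbb68378b2f8d00",
    "sha256": "90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91",
}
RANSOM_NOTE_NAME = "Restore-My-Files.txt"

# v2 onion names are 16 base32 chars, v3 names are 56; both use the [a-z2-7] alphabet.
ONION_RE = re.compile(r"https?://(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion/?", re.IGNORECASE)
# The note ends with "DO NOT CHANGE DATA BELOW", then ###<victim id>### and a binary blob.
VICTIM_ID_RE = re.compile(r"DO NOT CHANGE DATA BELOW\s*###([A-Za-z0-9]+)###")


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of a file's bytes, keyed like REPORTED_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes) -> bool:
    """True only if every listed digest matches; one mismatch means it is a different file."""
    digests = hash_bytes(data)
    return all(digests[algo] == value for algo, value in REPORTED_HASHES.items())


def parse_ransom_note(raw: bytes) -> dict:
    """Extract .onion URLs, the victim ID and the size of the trailing binary blob."""
    # Decode leniently: the tail after the ### markers is not text.
    text = raw.decode("utf-8", errors="replace")
    urls = []
    for m in ONION_RE.finditer(text):
        url = m.group(0).lower().rstrip("/") + "/"
        if url not in urls:
            urls.append(url)
    m = VICTIM_ID_RE.search(text)
    victim_id = m.group(1) if m else None
    key_blob = b""
    if victim_id is not None:
        # Slice the blob from the raw bytes, not the decoded text, so no byte is lost.
        marker = b"###" + victim_id.encode("ascii") + b"###"
        pos = raw.find(marker)
        if pos != -1:
            key_blob = raw[pos + len(marker):]
    return {"urls": urls, "victim_id": victim_id, "key_blob_len": len(key_blob)}


# Constructed sample note: the text from the report above plus a made-up 16-byte binary tail.
SAMPLE_NOTE = (
    b"All your files are Encrypted! For data recovery needs decryptor.\r\n"
    b"How to buy decryptor:\r\n"
    b"| 1. Download Tor browser - https://www.torproject.org/ and install it.\r\n"
    b"| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/\r\n"
    b"| 3. Follow the instructions on this page\r\n"
    b"Note! This link is available via \"Tor Browser\" only.\r\n"
    b"alternate address - http://helpinfh6vj47ift.onion/\r\n"
    b"DO NOT CHANGE DATA BELOW\r\n"
    b"###s6dlsnhtjwbhr###" + bytes([0x8F, 0xC3, 0x28, 0xA0]) * 4
)

if __name__ == "__main__":
    print(parse_ransom_note(SAMPLE_NOTE))
    print("matches reported hashes:", matches_report(SAMPLE_NOTE))
```

Both onion addresses in the note are 16-character v2 names; the regex also accepts 56-character v3 names so the same parser works on newer notes. The clearnet https://www.torproject.org/ link is deliberately not matched, since it is not an indicator.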

Targets

    • Target

      90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91

    • Size

      276KB

    • MD5

      0f98b7b43ab1b3e2a957c5361fc403cd

    • SHA1

      6afc0ae820991afcf9d6eeab0cbb68378b2f8d00

    • SHA256

      90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91

    • SHA512

      f56b1fbf9ec6c63807882166fd8845ba4660eb16403706d4d0b3c4ee3de8a86549771e516d017058da9a023f787b997855733b975ad98569975655d92101ffb3

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Adds Run key to start application

      A value written under the registry Run key relaunches the program at every user logon, a common persistence technique.

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

      SetThreadContext is legitimately used by debuggers, but it is also a step in process injection and process hollowing, where it redirects a thread to attacker-written code.
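Of the behaviours above, "Modifies extensions of user files" is the one most directly visible in endpoint telemetry. The Python below is an added example, not part of the report: it runs a per-process sliding-window count of renames that change a file's extension over constructed file-system events, and records whether the same process created a file named Restore-My-Files.txt, the note path listed above. The process names, PIDs, paths and the ".locked" extension are made up for the demo; the report does not state which extension this sample appends.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RANSOM_NOTE_NAME = "restore-my-files.txt"  # dropped at C:\ according to the report


def ev(ts, pid, proc, op, path, new=None):
    """Build one constructed file-system event (illustrative, not sandbox data)."""
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "proc": proc,
            "op": op, "path": path, "new": new}


# Constructed telemetry. ".locked" is a placeholder; the report does not name the real extension.
EVENTS = [
    ev("2022-07-24T10:00:00", 4120, "sample.exe", "rename", r"C:\Users\bob\Documents\q3.xlsx", r"C:\Users\bob\Documents\q3.xlsx.locked"),
    ev("2022-07-24T10:00:00", 4120, "sample.exe", "rename", r"C:\Users\bob\Documents\plan.docx", r"C:\Users\bob\Documents\plan.docx.locked"),
    ev("2022-07-24T10:00:01", 4120, "sample.exe", "rename", r"C:\Users\bob\Pictures\img1.jpg", r"C:\Users\bob\Pictures\img1.jpg.locked"),
    ev("2022-07-24T10:00:01", 4120, "sample.exe", "rename", r"C:\Users\bob\Pictures\img2.jpg", r"C:\Users\bob\Pictures\img2.jpg.locked"),
    ev("2022-07-24T10:00:02", 4120, "sample.exe", "rename", r"C:\Users\bob\Desktop\notes.txt", r"C:\Users\bob\Desktop\notes.txt.locked"),
    ev("2022-07-24T10:00:02", 4120, "sample.exe", "rename", r"C:\Users\bob\Music\a.mp3", r"C:\Users\bob\Music\a.mp3.locked"),
    ev("2022-07-24T10:00:03", 4120, "sample.exe", "rename", r"C:\Users\bob\Videos\b.mp4", r"C:\Users\bob\Videos\b.mp4.locked"),
    ev("2022-07-24T10:00:03", 4120, "sample.exe", "create", r"C:\Restore-My-Files.txt"),
    # Benign noise: one manual rename, and a backup tool renaming many files but keeping extensions.
    ev("2022-07-24T10:05:00", 1888, "explorer.exe", "rename", r"C:\Users\bob\Desktop\draft.txt", r"C:\Users\bob\Desktop\final.txt"),
] + [
    ev("2022-07-24T10:06:0%d" % i, 2500, "backup.exe", "rename",
       r"C:\Backups\report%d.docx" % i, r"C:\Backups\2022-07-24_report%d.docx" % i)
    for i in range(6)
]


def extension_changed(old, new):
    """True when a rename gives the file a different extension (case-insensitive)."""
    return PureWindowsPath(old).suffix.lower() != PureWindowsPath(new).suffix.lower()


def detect_ransomware_renames(events, threshold=5, window=timedelta(seconds=10)):
    """Alert on any process that re-extensions at least `threshold` files within `window`."""
    renames = defaultdict(list)
    note_droppers = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] == "rename" and extension_changed(e["path"], e["new"]):
            renames[(e["pid"], e["proc"])].append(e)
        elif e["op"] == "create" and PureWindowsPath(e["path"]).name.lower() == RANSOM_NOTE_NAME:
            note_droppers.add(e["pid"])
    alerts = []
    for (pid, proc), evs in renames.items():
        # Sliding window: widest run of extension-changing renames that fits inside `window`.
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "pid": pid, "proc": proc, "count": best,
                "new_extensions": sorted({PureWindowsPath(e["new"]).suffix.lower() for e in evs}),
                "note_dropped": pid in note_droppers,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_renames(EVENTS):
        print(alert)
```

The extension check is what keeps the backup tool out of the alert: it renames six files in six seconds, but every new name keeps the .docx suffix. Pairing the burst with the note drop raises confidence, because a legitimate bulk renamer has no reason to write Restore-My-Files.txt to the drive root.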

MITRE ATT&CK Enterprise v6

Tasks