General

  • Target

    173515afd6301b429f9dab54894aeaf1285e59d25c0a9795eb352b8693c902ca

  • Size

    514KB

  • Sample

    220725-d1tcmadacm

  • MD5

    333692f4aa893a0f1c2f5e0fb6b23737

  • SHA1

    5a951cf930941b88bf4dd250f37f178c4f94c5c1

  • SHA256

    173515afd6301b429f9dab54894aeaf1285e59d25c0a9795eb352b8693c902ca

  • SHA512

    5492f23abf615f62f7b1a43aef1713bb55ecc72d8aa9a0399d97b0f24f116bbf237962de894e9a014a7a13795843d8c1d42b599c89955fd5309270751284d631

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/


Targets

    • Target

      173515afd6301b429f9dab54894aeaf1285e59d25c0a9795eb352b8693c902ca

    • Size

      514KB

    • MD5

      333692f4aa893a0f1c2f5e0fb6b23737

    • SHA1

      5a951cf930941b88bf4dd250f37f178c4f94c5c1

    • SHA256

      173515afd6301b429f9dab54894aeaf1285e59d25c0a9795eb352b8693c902ca

    • SHA512

      5492f23abf615f62f7b1a43aef1713bb55ecc72d8aa9a0399d97b0f24f116bbf237962de894e9a014a7a13795843d8c1d42b599c89955fd5309270751284d631

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

      A value under a Windows ...\CurrentVersion\Run key makes the program start again at logon, a common persistence technique.

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

      SetThreadContext changes the register state of a thread in another process; outside debuggers it is most often used to redirect execution for code injection.
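A small triage helper for the indicators above, written as an added example for this page (it is not part of the sandbox output and not code from the sample). It parses a Restore-My-Files.txt ransom note to pull out the .onion contact URLs and the token between the ### markers that follows "DO NOT CHANGE DATA BELOW", and it checks a file's digests against the hash set listed in the report. The note text embedded in the block is constructed from the one shown on this page; the function names are the author's own.

```python
"""Triage helper for the GlobeImposter/LockBit indicators in this report.

Added example, not part of the original sandbox report. The ransom-note
text below is constructed from the note shown on the page.
"""
import hashlib
import re
from pathlib import Path

# Digests of the analysed sample, copied from the report above.
SAMPLE_HASHES = {
    "md5": "333692f4aa893a0f1c2f5e0fb6b23737",
    "sha1": "5a951cf930941b88bf4dd250f37f178c4f94c5c1",
    "sha256": "173515afd6301b429f9dab54894aeaf1285e59d25c0a9795eb352b8693c902ca",
    "sha512": (
        "5492f23abf615f62f7b1a43aef1713bb55ecc72d8aa9a0399d97b0f24f116bbf"
        "237962de894e9a014a7a13795843d8c1d42b599c89955fd5309270751284d631"
    ),
}

RANSOM_NOTE_NAME = "Restore-My-Files.txt"

# Constructed copy of the note from the report (trailing binary data omitted).
SAMPLE_NOTE = """All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
Note! This link is available via "Tor Browser" only.
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
"""

# v2 onion names are 16 base32 chars, v3 names are 56; clearnet URLs such as
# torproject.org are deliberately not matched.
ONION_RE = re.compile(r"https?://(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion/?", re.I)
# Token between the ### markers right after "DO NOT CHANGE DATA BELOW".
MARKER_RE = re.compile(r"###([A-Za-z0-9]+)###")


def parse_ransom_note(text: str) -> dict:
    """Extract the .onion URLs (in order, de-duplicated) and the ### token."""
    urls = []
    for m in ONION_RE.finditer(text):
        url = m.group(0).lower()
        if url not in urls:
            urls.append(url)
    m = MARKER_RE.search(text)
    return {"onion_urls": urls, "marker_token": m.group(1) if m else None}


def digest_bytes(data: bytes) -> dict:
    """Compute every digest type listed in the report for a byte buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def matches_sample(data: bytes) -> bool:
    """True if any digest of the buffer equals the corresponding sample hash."""
    digests = digest_bytes(data)
    return any(digests[k] == v for k, v in SAMPLE_HASHES.items())


def scan_tree(root: Path) -> dict:
    """Walk a directory: collect dropped ransom notes and hash-matching files."""
    report = {"notes": [], "sample_hits": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == RANSOM_NOTE_NAME.lower():
            parsed = parse_ransom_note(path.read_text(errors="replace"))
            report["notes"].append((str(path), parsed))
        elif matches_sample(path.read_bytes()):
            report["sample_hits"].append(str(path))
    return report


if __name__ == "__main__":
    print(parse_ransom_note(SAMPLE_NOTE))
```

Point `scan_tree` at a mounted image or a suspect share to list every dropped note and any file whose hash matches the sample; the parsed onion URLs and marker token can then be fed to proxy and DNS detections or compared across hosts to confirm they came from the same deployment.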

MITRE ATT&CK Enterprise v6

Tasks