General

  • Target

    5c1d83ab5883129f137ee29c9353a316184243828c2ac79b0c6f6997cff19919

  • Size

    564KB

  • Sample

    220801-s2vpeacebj

  • MD5

    e3c7ad2aa9fb8627409137f52a0e0980

  • SHA1

    2a3160aeb85904ff5cc52242b9553d3f9198ec92

  • SHA256

    5c1d83ab5883129f137ee29c9353a316184243828c2ac79b0c6f6997cff19919

  • SHA512

    8890d121bc4599a1fd9a59c3e99b957340d94e75ffe22f12c302a62a32a5270579e59c51cc024352ee321b559f254b9ae95e07c47b3b1c7307a2331846ef62fc

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

    • Target

      5c1d83ab5883129f137ee29c9353a316184243828c2ac79b0c6f6997cff19919

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks