General

  • Target

    globimp_82022.exe

  • Size

    50KB

  • Sample

    220819-arz72aghe4

  • MD5

    fc9ca0a85e47088d25483dd47fba3244

  • SHA1

    fed2e7f2818daf55a463520ec21f337fc8679246

  • SHA256

    e8e6365ddaf5b0a40250eaab09bc61904ad5818c835ae2555c36ddc380c70ece

  • SHA512

    a4f8f0004cbcef618f5bad7ab26b83617f5107a176c68cbae6497e7acf4a36d7f690a1c9ab459d68d2d4b3153de2939857dee4ea8706d107294fcdfb67f2127c

  • SSDEEP

    768:vNvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5+d:NeytM3alnawrRIwxVSHMweio3

Malware Config

Extracted

Path

C:\read_me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion/?ST4HYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://yip.su/2QstD5
Your ID
URLs

http://mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion/?ST4HYJUHGFV

http://yip.su/2QstD5

Targets

    • Target

      globimp_82022.exe

    • Size

      50KB

    • MD5

      fc9ca0a85e47088d25483dd47fba3244

    • SHA1

      fed2e7f2818daf55a463520ec21f337fc8679246

    • SHA256

      e8e6365ddaf5b0a40250eaab09bc61904ad5818c835ae2555c36ddc380c70ece

    • SHA512

      a4f8f0004cbcef618f5bad7ab26b83617f5107a176c68cbae6497e7acf4a36d7f690a1c9ab459d68d2d4b3153de2939857dee4ea8706d107294fcdfb67f2127c

    • SSDEEP

      768:vNvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5+d:NeytM3alnawrRIwxVSHMweio3

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks