General

  • Target

    21b38af989d3f5f3bf16e0a7562b5bdb4c544b49c0711b8f055b4fb61e242eab

  • Size

    390KB

  • Sample

    220829-mj4lpsfgfl

  • MD5

    fec6f114419bfb3182ce771e7e4cd384

  • SHA1

    c63f0ce447c63fe232e6ba45d259110f167d6746

  • SHA256

    21b38af989d3f5f3bf16e0a7562b5bdb4c544b49c0711b8f055b4fb61e242eab

  • SHA512

    27960a22c708990fcf3878d7a65ccea44bcea554c565d166d8df590dc36b9ab5c3229a73168cc8fe6ce3241b3732ab181ce44c3fb1144e4d63972d71b66f895e

  • SSDEEP

    6144:B1iTvDacVTkrzy8FdikDUWrZJyTWZZDmehT4ZyPsr3YUkDMB2fukylSxpY0:Iu8KikDByT1ClylSx1

Malware Config

Extracted

Path

C:\readme.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
Your ID
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV

Targets

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext
