General

  • Target

    7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe

  • Size

    30KB

  • Sample

    220902-z7bbaacdhn

  • MD5

    0d7eb2137c2d696071df27cc6a601a5a

  • SHA1

    f3e487886630e0729fb4b4967cd11c2ee0daa989

  • SHA256

    7fa0fc4b901ff3bb9002f33b4a7f0a01aef10f36c8304d26cdbf0934a9fd816f

  • SHA512

    1b6f45cd581d3cd8292d8b97b840473eddb5239ce07037a8d34cf1530dc6c35613591e1d06f56453b50060d0df8d6066cc675a8cde3018220547597515e8f662

  • SSDEEP

    768:8t6+ztmVfbHmHS8/ckpKd75wiqjUKPO6AAb3vM8pYwA:2ztmJbHmHT/zKdVwigUAAK3qw

Malware Config

Extracted

Path

\??\M:\readme.txt

Family

globeimposter

Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
Your ID
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV

Extracted

Path

\??\M:\Boot\bg-BG\ReadMe.txt

Ransom Note
Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor.
Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?403RSUVXZAC
5. and open ticket
----------------------------------------------------------------------------------------
Alternate communication channel here: https://yip.su/2QstD5
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?403RSUVXZAC

https://yip.su/2QstD5
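The two notes above point at one onion service but carry different query tokens, which is the usual GlobeImposter layout: the host is the campaign indicator, the token is per victim. The script below is an added example (not sandbox output, not code from the malware) that pulls the URLs out of note text such as these, separates attacker infrastructure from the Tor download instructions, and reports the onion host the notes share. The note bodies are the ones quoted above; the victim ID value of the first note is not present on the page and is omitted.

```python
"""Extract network indicators from GlobeImposter-style ransom notes.

Added example for this report; not code from the sandbox or the malware.
NOTE_1 and NOTE_2 are the two notes quoted in the report (victim ID value
of the first note omitted, as it is not on the page).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

NOTE_1 = """All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV
| 3. Create Ticket
Note! This link is available via Tor Browser only.
Your ID
"""

NOTE_2 = """Attention! All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor.
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?403RSUVXZAC
5. and open ticket
Alternate communication channel here: https://yip.su/2QstD5
"""

# A URL runs until whitespace or the "|" box characters used in the first note.
URL_RE = re.compile(r"https?://[^\s|]+")
# Hosts that are instructions for the victim, not attacker infrastructure.
NOISE_HOSTS = ("torproject.org",)


@dataclass
class NoteIndicators:
    onion_urls: list = field(default_factory=list)
    ticket_ids: list = field(default_factory=list)    # per-victim token from the query string
    clearnet_urls: list = field(default_factory=list)


def parse_ransom_note(text: str) -> NoteIndicators:
    out = NoteIndicators()
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")          # trailing prose punctuation is not part of the URL
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host or host.endswith(NOISE_HOSTS):
            continue
        if host.endswith(".onion"):
            out.onion_urls.append(url)
            if parsed.query:
                out.ticket_ids.append(parsed.query)
        else:
            out.clearnet_urls.append(url)
    return out


def shared_onion_hosts(notes) -> set:
    """Onion hosts common to every note: the indicator that is stable across victims."""
    per_note = [{urlparse(u).hostname for u in parse_ransom_note(n).onion_urls} for n in notes]
    return set.intersection(*per_note) if per_note else set()


if __name__ == "__main__":
    for n in (NOTE_1, NOTE_2):
        print(parse_ransom_note(n))
    print(shared_onion_hosts([NOTE_1, NOTE_2]))
```

When turning the output into detection content, block or alert on the onion host and the yip.su channel rather than on the full URLs: the query token changes per victim and will not recur.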

Extracted

Family

redline

Botnet

0025

C2

216.52.57.15:38185

Attributes
  • auth_value

    e3493445b68f497cdc542eee79f1a761

Targets

    • Target

      7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe

    • Size

      30KB

    • MD5

      0d7eb2137c2d696071df27cc6a601a5a

    • SHA1

      f3e487886630e0729fb4b4967cd11c2ee0daa989

    • SHA256

      7fa0fc4b901ff3bb9002f33b4a7f0a01aef10f36c8304d26cdbf0934a9fd816f

    • SHA512

      1b6f45cd581d3cd8292d8b97b840473eddb5239ce07037a8d34cf1530dc6c35613591e1d06f56453b50060d0df8d6066cc675a8cde3018220547597515e8f662

    • SSDEEP

      768:8t6+ztmVfbHmHS8/ckpKd75wiqjUKPO6AAb3vM8pYwA:2ztmJbHmHT/zKdVwigUAAK3qw

    • Detects Smokeloader packer

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
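The hashes in the Targets block, the RedLine C2 socket and the Run-key persistence are the parts of this report a responder would turn into a hunt. The script below is an added example (not part of the sandbox output) that applies them to Sysmon-style event records. The hashes and the 216.52.57.15:38185 socket come from the report; the event records are constructed for illustration, and the Run-key path in the fourth record is an assumption, since the report says only that a Run key is added.

```python
"""Match this report's indicators against Sysmon-style events.

Added example for this report; not part of the sandbox output. Hashes and
the RedLine C2 socket are from the report. EVENTS is constructed for
illustration; the Run-key value path in record 4 is an assumption.
"""
IOCS = {
    "md5": "0d7eb2137c2d696071df27cc6a601a5a",
    "sha1": "f3e487886630e0729fb4b4967cd11c2ee0daa989",
    "sha256": "7fa0fc4b901ff3bb9002f33b4a7f0a01aef10f36c8304d26cdbf0934a9fd816f",
    "c2": ("216.52.57.15", 38185),
}

SAMPLE = r"C:\Users\victim\AppData\Local\Temp\7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe"

# Constructed records using Sysmon field names (EventID 1: process create,
# 3: network connect, 13: registry value set). Hash case varies on purpose.
EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": SAMPLE,
     "Hashes": "MD5=0D7EB2137C2D696071DF27CC6A601A5A,SHA256=7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304D26CDBF0934A9FD816F"},
    {"RecordId": 2, "EventID": 3, "Image": SAMPLE,
     "DestinationIp": "216.52.57.15", "DestinationPort": "38185"},
    {"RecordId": 3, "EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
    {"RecordId": 4, "EventID": 13, "Image": SAMPLE,   # assumed Run value name and target
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
]


def parse_hashes(field: str) -> dict:
    """Sysmon 'Hashes' field 'MD5=...,SHA1=...,SHA256=...' -> {'md5': ..., ...}, lower-cased."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}


def match_event(ev: dict) -> list:
    """One reason string per indicator the event matches; empty for benign records."""
    hits = []
    if ev["EventID"] == 1:
        hashes = parse_hashes(ev.get("Hashes", ""))
        for alg in ("md5", "sha1", "sha256"):
            if hashes.get(alg) == IOCS[alg]:
                hits.append(f"{alg} matches report sample: {ev['Image']}")
    elif ev["EventID"] == 3:
        sock = (ev["DestinationIp"], int(ev["DestinationPort"]))
        if sock == IOCS["c2"]:
            hits.append(f"connection to RedLine C2 {sock[0]}:{sock[1]} by {ev['Image']}")
    elif ev["EventID"] == 13:
        # A Run-key write on its own is noisy; require that the writer is the
        # sample before treating it as the persistence the report describes.
        if "\\currentversion\\run\\" in ev["TargetObject"].lower() and ev["Image"] == SAMPLE:
            hits.append(f"Run-key persistence by sample: {ev['TargetObject']} -> {ev['Details']}")
    return hits


def scan(events) -> list:
    """(RecordId, reason) for every indicator hit, in event order."""
    return [(ev["RecordId"], reason) for ev in events for reason in match_event(ev)]


if __name__ == "__main__":
    for rec, reason in scan(EVENTS):
        print(rec, reason)
```

Hash matches only catch this exact build; the C2 socket and the Run-key-by-dropper pattern survive repacking, so weight them higher when the hashes do not fire.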

MITRE ATT&CK Enterprise v6

Tasks