General
-
Target
1776750df4968ba3685419918b3dd262eafabdf36cb10987752fcd15efbf257d.exe
-
Size
53KB
-
Sample
221004-lw7nfsagel
-
MD5
5db940cac21726852ab01ce5515c981c
-
SHA1
c547b8d21c5b7dba77ba1ec60ec8d27be67c6e75
-
SHA256
1776750df4968ba3685419918b3dd262eafabdf36cb10987752fcd15efbf257d
-
SHA512
bb686ca6f22de58f5804ed35417bd5117e8d52a5d953f4834d7cfcddc84f305c231291f247113918c57ede1f5b23301be4df36264d4c4065967884cb822c33d6
-
SSDEEP
768:ljvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5Y6yd:l3eytM3alnawrRIwxVSHMweio3+
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������65 EF 08 1B 1B 8D 5D 65 11 79 B7 30 79 80 DC 0D
DD 1D 64 76 1A 69 04 C3 70 68 A7 8F 42 AB 74 D7
37 F9 3D 8C C3 C2 21 7F E5 7E 08 0D F3 C0 3B 1D
94 28 A7 18 0D 51 E5 FD FD 02 16 B4 E0 46 BA A1
53 26 CE C2 2B AF F2 AD CD FD FD 7D 7C 7C 80 6C
85 07 BC F1 1A 7D 6B 99 B2 63 79 23 83 6E 36 2C
95 FF C6 07 29 57 F6 11 4E 6D 51 6C F0 E7 1E FB
47 8B F5 8D 2A 2F DD 47 B9 50 2D AE CB B8 7E AF
E2 54 21 B9 BD 72 F1 A4 CB D4 2C 27 BC E5 2A 88
4F C2 44 23 96 C8 61 44 10 7F 78 B1 B5 F7 52 72
8B 24 73 C2 AA C6 6C 38 71 5C 76 38 D9 60 10 86
27 64 41 4E BA 9C 15 BC 66 6F D5 6A 52 9B 66 1D
47 16 56 EB D7 05 60 BE 1A FD 56 0D BF DF CB 1B
09 DA EB 51 EC 35 77 30 8A EC 94 0E B7 31 72 BC
5C 26 AA BA F2 79 14 F3 75 D8 58 F4 BE 6C 89 33
D1 0B 54 CF 60 69 FE 9B 16 AC 4A 4D 0C BC 1D AE
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
��������������
Emails
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������21 7A B1 4C 31 26 C4 FC E7 97 57 0E C6 03 CB CA
1C 4F A7 30 B5 DF 85 0F 81 3F FA C1 C7 39 F1 74
8A FB 1A C9 4D AF 19 5F 02 66 8F 13 EB 56 C3 AF
64 34 D5 27 74 04 18 55 75 E6 65 EB 96 97 CC F7
20 F2 A2 39 BA 8E 31 E6 DC F4 68 DB 94 6A A4 1F
A5 DF E4 AD 9A 6B 29 E3 44 D1 38 4C 48 A7 A4 5E
2F EE E1 7A 5F 8C AD 7A A9 FC D2 57 92 85 A4 2F
5C F4 DF 2A 59 C7 7E 4E F9 9E 29 A1 FD E7 4F 0B
B2 5B 01 2D 11 9E 39 0D 1C 87 1C 82 90 97 CB B5
12 4F B0 3B 17 73 56 72 0F 4F 30 2A 11 E1 D6 08
14 55 08 D1 8E 51 D6 41 D1 95 B0 E4 39 94 ED 24
FD 24 68 21 4E 96 C5 08 54 DB DB F0 D1 89 3B 1D
0A 41 01 92 2E 0C E1 77 0A D2 43 90 12 CF 0C 2B
24 F4 32 40 B4 7D E2 E1 16 91 5F 28 7B B4 14 5B
59 FC 1E 82 EA 7A D7 E5 DF 56 2F E4 CF CC 4F CF
08 F6 1E 2D 36 E0 1B 6B 06 95 60 EB 64 19 9F B2
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
��������������
Emails
Targets
-
-
Target
1776750df4968ba3685419918b3dd262eafabdf36cb10987752fcd15efbf257d.exe
-
Size
53KB
-
MD5
5db940cac21726852ab01ce5515c981c
-
SHA1
c547b8d21c5b7dba77ba1ec60ec8d27be67c6e75
-
SHA256
1776750df4968ba3685419918b3dd262eafabdf36cb10987752fcd15efbf257d
-
SHA512
bb686ca6f22de58f5804ed35417bd5117e8d52a5d953f4834d7cfcddc84f305c231291f247113918c57ede1f5b23301be4df36264d4c4065967884cb822c33d6
-
SSDEEP
768:ljvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5Y6yd:l3eytM3alnawrRIwxVSHMweio3+
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-