General

  • Target

    tmp

  • Size

    463KB

  • Sample

    221128-k6fgaabh65

  • MD5

    350542a03ae2eab2f12f6f61abf925e2

  • SHA1

    b943c338607b82fcf72d398ebb317731b5c267c1

  • SHA256

    42cf8f16f7a65509a5916cd1f0b25d6192749965fe5ee32c63428cb8f63c6a75

  • SHA512

    cba2429d51c436c3a1f18bbd28a5a625810c3c11321648ac0ccbb47a511eed1c0818adbe31e3a0c2d074559044ca5536a9a92de1da1f327c923fa070a9ad6cc2

  • SSDEEP

    12288:UxkzrbETClw86ZILRaflV8jN69EpHskFgFwIyXCD:d76CxYP8j89ExskFgqIyX

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 ��71 46 FD 35 0E 7C EC 63 E8 60 77 6F 7B 31 BC BC 32 8C E8 41 BD 29 B2 ED CA 4F B6 69 3F 9C B3 E0 4B 9F A3 77 E3 E1 00 47 56 5F A6 FC 8D 8A 87 86 52 85 21 83 55 3F 9F 6E 92 03 E5 00 1F 48 76 20 F9 A2 AE 8A 73 DA 8E 71 89 2E 36 9F A1 A0 77 8B FB E0 70 8F BF A5 DC C3 BD AE A3 A4 08 88 F3 49 27 D5 3E 61 98 13 F4 0C 5C 7A 9C 04 51 EC 4F BE C9 8A 39 44 0A 3B BA 0C D7 13 99 F8 BF E9 E6 F2 04 2D 76 27 77 C9 05 C3 EC 0C 40 06 EE C7 A2 FA 91 B0 B1 E2 49 B2 E8 76 37 76 8B F2 21 12 07 E4 AA 6A 44 13 52 D3 23 17 EB C6 39 77 C4 27 5C 1F 42 33 5E AB 39 24 AE 69 2F 4D 93 D5 02 57 88 B2 AF 12 41 E5 4C 0B 46 64 5E F6 F0 BF A3 2D AB D9 98 B5 8D 1A EA AF 25 1A E3 0B 9A 93 1D 0C 67 93 E0 AE 7D 71 7B 01 E4 72 B3 1E A4 76 CA DC 46 3F 5B C0 40 AB 3C 7F F3 4B 0F D0 80 73 43 1B 15 DB
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR

https://yip.su/2QstD5

Targets

    • Target

      tmp

    • Size

      463KB

    • MD5

      350542a03ae2eab2f12f6f61abf925e2

    • SHA1

      b943c338607b82fcf72d398ebb317731b5c267c1

    • SHA256

      42cf8f16f7a65509a5916cd1f0b25d6192749965fe5ee32c63428cb8f63c6a75

    • SHA512

      cba2429d51c436c3a1f18bbd28a5a625810c3c11321648ac0ccbb47a511eed1c0818adbe31e3a0c2d074559044ca5536a9a92de1da1f327c923fa070a9ad6cc2

    • SSDEEP

      12288:UxkzrbETClw86ZILRaflV8jN69EpHskFgFwIyXCD:d76CxYP8j89ExskFgqIyX

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks