Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    42cf8f16f7a65509a5916cd1f0b25d6192749965fe5ee32c63428cb8f63c6a75

  • Size

    463KB

  • Sample

    221129-a1ebxshe6x

  • MD5

    350542a03ae2eab2f12f6f61abf925e2

  • SHA1

    b943c338607b82fcf72d398ebb317731b5c267c1

  • SHA256

    42cf8f16f7a65509a5916cd1f0b25d6192749965fe5ee32c63428cb8f63c6a75

  • SHA512

    cba2429d51c436c3a1f18bbd28a5a625810c3c11321648ac0ccbb47a511eed1c0818adbe31e3a0c2d074559044ca5536a9a92de1da1f327c923fa070a9ad6cc2

  • SSDEEP

    12288:UxkzrbETClw86ZILRaflV8jN69EpHskFgFwIyXCD:d76CxYP8j89ExskFgqIyX

Score
10/10
globeimposterpersistenceransomware

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 ��30 D6 74 A3 27 DB 6C 28 FC D3 FB D6 D3 11 B6 4A E6 F8 93 1C 1F 33 36 39 B4 4C E0 D2 E7 0D 36 22 14 58 1F 57 0E BC A6 D1 CD 2D FB B0 A4 2F 58 BC 3F 3E F9 D4 24 C3 22 CB EC 72 1A 33 1B FF 32 23 E7 5E B5 33 99 74 34 03 F2 E6 14 1F 2F BF 1A D8 65 8E A3 6E DA B3 2E F8 77 46 D3 55 7D F7 1D 02 E9 7B 62 40 84 CC 17 D5 6F DC 5F 8A 9C D5 6D 2D 9D 9B 72 23 3C 9A 58 E9 B1 98 9C 0B 8C E5 12 67 95 36 EC 9E 0E C1 BB 4B DF D6 92 7F C4 D6 6A D0 FB C1 02 B9 70 AB D0 91 1C F4 61 36 81 07 08 64 6B 6C 00 B6 E8 1B 1F CE 55 6A F3 EC 81 16 07 E1 75 34 28 C3 35 F9 50 C9 97 45 0E 4B CC 24 7C 19 CF E7 55 59 F5 57 90 9C F8 87 7D 76 49 87 8F 9E A3 A3 AB 51 E5 89 F3 32 9F B7 0A 30 F7 91 88 F7 EA C2 5B 55 B7 FD EA CB 2C 35 E7 DA 84 7F 8F 31 30 7A 94 C8 C8 92 6A 29 13 1E A6 62 32 F4 FE B1
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR

https://yip.su/2QstD5

Targets

    • Target

      42cf8f16f7a65509a5916cd1f0b25d6192749965fe5ee32c63428cb8f63c6a75

    • Size

      463KB

    • MD5

      350542a03ae2eab2f12f6f61abf925e2

    • SHA1

      b943c338607b82fcf72d398ebb317731b5c267c1

    • SHA256

      42cf8f16f7a65509a5916cd1f0b25d6192749965fe5ee32c63428cb8f63c6a75

    • SHA512

      cba2429d51c436c3a1f18bbd28a5a625810c3c11321648ac0ccbb47a511eed1c0818adbe31e3a0c2d074559044ca5536a9a92de1da1f327c923fa070a9ad6cc2

    • SSDEEP

      12288:UxkzrbETClw86ZILRaflV8jN69EpHskFgFwIyXCD:d76CxYP8j89ExskFgqIyX

    Score
    10/10
    globeimposterpersistenceransomware

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

      ransomwareglobeimposter

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks