General

  • Target

    dbe80bbe8073e95976ca36c5f04136e1a2918843adb01e9d7c7f7731d61633ac

  • Size

    739KB

  • Sample

    221206-eljqbahc95

  • MD5

    1bb12439b687e78b4533d9f7bcd46e2c

  • SHA1

    809371c39aa8e11cf1a50060f892106c94de0829

  • SHA256

    dbe80bbe8073e95976ca36c5f04136e1a2918843adb01e9d7c7f7731d61633ac

  • SHA512

    0d62a124ba923275ddc3a36b2fe8092a5a5f8bf029c01a499914c4c697cb6a62e8d4f61dc8c542235de3509899438ef3d83ddcff09668106e4c2702bcd3b4ecd

  • SSDEEP

    12288:cQEVq7PKlSwx7IkNtTeUGr++RYxhMiMyrhODTa:cKWQw+mtyWxuihOfa

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 ��0A 14 F0 5D F7 23 37 D1 A8 45 88 16 38 A7 82 DC 15 4F A5 EE D5 C4 4D 2C D9 61 5D 10 AE 3E 81 B4 A4 34 C2 A6 95 D4 6E E5 68 00 F6 06 05 6E CB D0 C4 15 EA 0F A4 14 51 12 6E 3F 01 64 BF 85 93 7C F7 05 3C AC D7 74 42 A3 9E D6 47 91 B9 3B B2 20 0B 4B 4E 04 0F 1F 6E A3 9C 51 A1 A9 B6 A5 3C 9E 2E 43 A6 84 59 46 9A 8C 64 C8 73 16 11 1E C9 21 0A 41 B9 01 78 37 1F DB 7C F0 61 79 23 A6 44 B8 22 26 2D CA 79 07 48 48 CD 1D BC 9F A8 FA 88 B3 01 B7 5E B4 25 97 A8 D5 4F A8 9E 94 69 CC 92 AE 52 86 DF 82 D8 BD EE DB 42 74 AC F1 B1 EB 35 B3 66 63 4F 26 7C 59 11 7F 77 34 13 E7 30 65 35 82 E6 5D 0E 80 5B 19 5A FD 4F EC 75 79 8B 1D 6F 73 79 45 62 F5 F9 5D CB 8D C2 7C A4 D6 10 D3 5F 31 33 A4 10 BB 5C E1 32 D3 B5 7B 0E AB D7 4F 9A 3C EF D4 93 BE 55 0F 9A 23 81 13 C5 E9 3E 50 88 B7
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR

https://yip.su/2QstD5

Targets

    • Target

      dbe80bbe8073e95976ca36c5f04136e1a2918843adb01e9d7c7f7731d61633ac

    • Size

      739KB

    • MD5

      1bb12439b687e78b4533d9f7bcd46e2c

    • SHA1

      809371c39aa8e11cf1a50060f892106c94de0829

    • SHA256

      dbe80bbe8073e95976ca36c5f04136e1a2918843adb01e9d7c7f7731d61633ac

    • SHA512

      0d62a124ba923275ddc3a36b2fe8092a5a5f8bf029c01a499914c4c697cb6a62e8d4f61dc8c542235de3509899438ef3d83ddcff09668106e4c2702bcd3b4ecd

    • SSDEEP

      12288:cQEVq7PKlSwx7IkNtTeUGr++RYxhMiMyrhODTa:cKWQw+mtyWxuihOfa

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks