General

  • Target

    1a40a8f87e649416ae337d1b634112bc2c5c78f867834982f4b4716c71357e71

  • Size

    905KB

  • Sample

    221207-qw2jnafa65

  • MD5

    ddd2812e43f859ee1f763d51839f838e

  • SHA1

    c1aa1e6b405676a54060cdc747e47fb6e85ee536

  • SHA256

    1a40a8f87e649416ae337d1b634112bc2c5c78f867834982f4b4716c71357e71

  • SHA512

    42ad95ce568d69451cbfb284c4ee1e1dd641e5c1bbeefbfe469d165a1506ea40e2882759535e9fb055fa284977dc4e1ddbbf49a2bf72550b8f9ba273aa85f18b

  • SSDEEP

    24576:D4CDAKIv2P/ghIS8ickIqplgKiDvRjK7A:D4CDpdPoRoB6g3l

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR
5. and open ticket
----------------------------------------------------------------------------------------
Alternate communication channel here: https://yip.su/2QstD5

18 AE 95 36 AA 5F 63 29 6F 15 89 79 FF CF 34 7E 58 FA C8 D9 22 B1 44 21 EE F1 48 EF E5 03 FB 7E 13 EA 3B 81 4A B4 40 F7 E3 B1 5E FE 2A ED 55 A7 F1 AD 87 C8 63 8E 8F 2A 7B 69 85 F8 AE 75 38 96 09 EA 8A F2 39 63 C0 BD 68 5C 1A A1 AE 24 67 7B 1D B1 1F CB 9E D3 D6 42 75 B9 0D A4 CB F9 FA BF CE 8E 45 8F 39 C1 E8 9D 64 29 C4 6F CA A5 22 D6 47 9A BE CF 3B 4B 5D 42 BA 75 BD F0 C7 82 15 7E 50 AA 97 9A 6B B3 1D DA 09 DA 78 8D FC 45 C0 5E EB E0 1E B1 49 6B 5A 33 77 65 9E DA 38 27 01 B8 83 BB B3 06 96 BD 0F 12 5F 7F C5 A1 4A 6D 60 CB 93 2B 4B F9 69 18 96 39 91 4E D1 30 8D AE 09 12 2D F6 1A AB 41 09 72 26 70 7D 6D 39 AB E5 DB 48 54 60 EC E5 8F 98 DC 5B 64 C5 57 50 AD 8B 59 5B 0D 9C A6 C2 B2 62 3F 66 59 B7 0D 0E C8 81 FC 18 55 2C 53 E4 32 D9 06 39 B1 D5 F6 88 08 FE 8E 45
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR

https://yip.su/2QstD5

Targets

    • Target

      1a40a8f87e649416ae337d1b634112bc2c5c78f867834982f4b4716c71357e71

    • Size

      905KB

    • MD5

      ddd2812e43f859ee1f763d51839f838e

    • SHA1

      c1aa1e6b405676a54060cdc747e47fb6e85ee536

    • SHA256

      1a40a8f87e649416ae337d1b634112bc2c5c78f867834982f4b4716c71357e71

    • SHA512

      42ad95ce568d69451cbfb284c4ee1e1dd641e5c1bbeefbfe469d165a1506ea40e2882759535e9fb055fa284977dc4e1ddbbf49a2bf72550b8f9ba273aa85f18b

    • SSDEEP

      24576:D4CDAKIv2P/ghIS8ickIqplgKiDvRjK7A:D4CDpdPoRoB6g3l

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks