globeimposter

General

Target

73cd06370c7a97d7f24f5beb8eb8876702365d0cc8803b669a217036411543ea
Size

50KB
Sample

221208-nsc1sahh26
MD5

8797e2092484f8dde83871366dcfbdae
SHA1

53c0530d195de802b62dde6da0e5e335c5083963
SHA256

73cd06370c7a97d7f24f5beb8eb8876702365d0cc8803b669a217036411543ea
SHA512

f187607d7443d282bbad8a54fb3f702cdeb0af9ad160f0745bd1db67cec146bf509f48a5202bf27f47322e228a1010abb5feb0c3aa93725c3f9398c79e8cfa12
SSDEEP

768:kSvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5G:BeytM3alnawrRIwxVSHMweio3Y

Score

10^/10

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 ��8D 23 BA 92 EA 51 E2 AB 41 49 B2 7C 29 57 10 3B E9 E7 3A FB FE 96 94 D5 41 80 18 9D 68 21 31 AA B8 C8 0C 97 AB CC 05 07 8F 20 A1 61 1D A2 DC 7B 25 C8 20 35 AA 25 B6 5D DF F8 5B A5 D1 67 0B BB 89 9B 11 EE 80 13 4E BE 60 A2 D5 15 C4 CA FD 34 DD 9F 9B 45 0A 3F CE 13 2A 5D 74 4A 1A 89 AC 63 BE A8 42 D3 A7 B9 92 F5 6F 7B 1A FA 18 AC CD 9C 01 AC 40 3D AC E5 21 E1 CA 19 CA 32 25 E0 52 45 F6 BC 9C 3B 88 AC AA 27 1B 2D E6 51 68 A0 47 AF 10 B9 BF 42 F7 B6 B2 86 2D 6E 4A FE 0A D2 3A 69 24 75 10 D5 F0 96 B3 65 B8 BE D9 7F BE 0F 0B 8C D8 EB 09 48 3B 7F 12 47 2D A3 3B 38 A4 D4 A6 F5 85 54 45 D9 D1 BA 22 E6 05 C3 FD F3 04 46 A4 B7 84 4D 9D 9A 0A F5 92 C1 15 9C 2A 14 57 E8 A3 36 AF 14 55 5D B6 3F 03 65 B5 C4 55 D8 3C AC 2E 9D 3D CE 8B B6 E9 8D 96 84 C0 A9 99 9D F6 41 1B AF

URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR

https://yip.su/2QstD5

Targets

- Target
  
  73cd06370c7a97d7f24f5beb8eb8876702365d0cc8803b669a217036411543ea
- Size
  
  50KB
- MD5
  
  8797e2092484f8dde83871366dcfbdae
- SHA1
  
  53c0530d195de802b62dde6da0e5e335c5083963
- SHA256
  
  73cd06370c7a97d7f24f5beb8eb8876702365d0cc8803b669a217036411543ea
- SHA512
  
  f187607d7443d282bbad8a54fb3f702cdeb0af9ad160f0745bd1db67cec146bf509f48a5202bf27f47322e228a1010abb5feb0c3aa93725c3f9398c79e8cfa12
- SSDEEP
  
  768:kSvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5G:BeytM3alnawrRIwxVSHMweio3Y
Score

10^/10

globeimposter persistence ransomware spyware stealer
- GlobeImposter
  GlobeImposter is a ransomware first seen in 2017.
  ransomware globeimposter
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1