General

  • Target

    b1d5de9be399b181dc0e78fec870aac448548440e7529d8c5e1a95192733f2ed

  • Size

    57KB

  • Sample

    240327-j21e8aga74

  • MD5

    c9787298b457ea192a92a3ad87241cc0

  • SHA1

    c29fb65ebe6134313cb744b3d0e288bfef93163e

  • SHA256

    b1d5de9be399b181dc0e78fec870aac448548440e7529d8c5e1a95192733f2ed

  • SHA512

    d88951466191ebe4b53981dbbb42889b3613a1574f51871b20191abe5867d1c647b19bddf1e4959ca42d2784a6c9f535e767a9938b8d6ecae08c61780b9e6f52

  • SSDEEP

    1536:ajkfV+KJolntwrbDSTWvTwhQMhmpdLWTQZP:a4fIKJolntGDT5qm3L4w

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note
<html>
<style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style>
<head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head>
<body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>[personal ID: non-text bytes, not recoverable from the extracted note]</pre><!-- !!! dont changing this !!! 
--> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> <h3>To restore files you will need a decryptor!</h3> <center>To get the decryptor you should:</center></br> <center>Pay for decrypt your network 1.5 BTC ( this is price for all PC/Servers in your corporate NetWork ! )</center></br> <div align="left"> <strong>Buy BTC on one of these sites</strong> </div> <div align="left"> <ol> <li><strong>https://binance.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>Any site you trust</strong></li> </ol> </div> <div align="left"> <h1><br> </h1> </div> <div align="left"> <center>&#10004; BTC Wallet for pay: 3DRt**********************EiKj (full wallet ask from support) !Attention! to payout wallet specifically for your company must begin with and finish with symbols indicated above, if you are offered any other wallet - know it's not us, but someone else! do not pay anything- you just lose money. </center></br> &#10004; Our contact: <center> </center></br> &#9998; ToxID: CA04B61C320C50D12A2C1B95B5062474B5C00B995B588D0B3781DC052CBF9A354CD10F96C84D <center> </center></br> &#9998; You can download TOXChat here : <a href=>https://tox.chat/download.html</a> <center> </center></br> The message must contain your Personal ID! it is at top of this document. <center> </center></br> <center>----------------------------------------------------------------------------- <center> Also, your corporate files and databases have been stolen from your network. In case of non-payment, we reserve the right to sell them to third parties or publish them in public resouses. 
<center> </center></br> HOW IT WORKS: <div align="left"> <li> In case of non-payment, we organize an auction on various sites in DarkNet and try to sell files leaked from your network to interested parties. <div align="left"> <li> Next, we use mail + any other contacts of your clients, and notify them of what happened, perhaps they will be interested so that information does not get into public domain and will be ready to buy out information separately. <div align="left"> <li> If there are no buyers willing to buy, we simply publish everything that we have in public resources. <center>----------------------------------------------------------------------------- </center></br>
<center> Attention!</center></br> <ul> <center> If you need a decrypter or return information, please contact us directly, avoid communicating with helper-services, they often take money and do not send it to us, assuring customers that deal failed through no fault of theirs. At same time, leaving money to yourself, and client is informed that money were transferred to us. The guarantee of a successful deals is only a direct contact! If you decide to negotiate not own - we can request confirmation of the negotiator's authority directly from the company. Please do not ignore these requests - otherwise negotiations will reach an impasse and problem not will be resolved. Don't shy... It's just business for us and we are always ready for polite and mutually beneficial communication. <center> </center></br> <center> </center></br> <center> </center></br> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Targets

    • Target

      b1d5de9be399b181dc0e78fec870aac448548440e7529d8c5e1a95192733f2ed

    • Size

      57KB

    • MD5

      c9787298b457ea192a92a3ad87241cc0

    • SHA1

      c29fb65ebe6134313cb744b3d0e288bfef93163e

    • SHA256

      b1d5de9be399b181dc0e78fec870aac448548440e7529d8c5e1a95192733f2ed

    • SHA512

      d88951466191ebe4b53981dbbb42889b3613a1574f51871b20191abe5867d1c647b19bddf1e4959ca42d2784a6c9f535e767a9938b8d6ecae08c61780b9e6f52

    • SSDEEP

      1536:ajkfV+KJolntwrbDSTWvTwhQMhmpdLWTQZP:a4fIKJolntGDT5qm3L4w

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Renames multiple (2271) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed with an appended extension.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session data.

    • Adds Run key to start application

      Entries under the Windows Registry's CurrentVersion\Run keys are executed at user logon, a common persistence mechanism.

    • Drops desktop.ini file(s)
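
The "renames multiple files with added filename extension" and "ransom note dropped" behaviours above can be reproduced as a simple heuristic over file telemetry. The following is an added example written for this page, not code from the sandbox or from the GlobeImposter sample: the rename events, the process IDs and the `.LOCKED` suffix are constructed test data (the page does not name the extension this sample appends), and the threshold of 50 renames is an assumption. Only the ransom note filename `how_to_back_files.html` is taken from the extracted config above.

```python
"""Heuristic detector for mass 'name + extra extension' renames and for
ransom-note drops. Added example; telemetry below is constructed."""
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Taken from the report's extracted config; the directory is not checked
# because ransomware typically drops the note into every folder it touches.
RANSOM_NOTE_NAME = "how_to_back_files.html"


@dataclass(frozen=True)
class RenameEvent:
    pid: int
    old_path: str
    new_path: str


def added_extension(old_path: str, new_path: str):
    """Return the suffix appended to the filename, or None when the rename
    is not a pure 'old name + .ext' rename inside the same directory."""
    old, new = PureWindowsPath(old_path), PureWindowsPath(new_path)
    if old.parent != new.parent:          # a move, not an in-place rename
        return None
    if new.name == old.name or not new.name.startswith(old.name):
        return None                       # extension swapped or unrelated name
    suffix = new.name[len(old.name):]
    if not suffix.startswith(".") or len(suffix) < 2:
        return None
    return suffix


def detect_mass_rename(events, threshold=50):
    """Group appended-extension renames by (pid, suffix) and return the
    groups at or above threshold as (pid, suffix, count), largest first.
    threshold=50 is an assumed tuning value, not the sandbox's."""
    counts = Counter()
    for ev in events:
        suffix = added_extension(ev.old_path, ev.new_path)
        if suffix is not None:
            counts[(ev.pid, suffix)] += 1
    hits = [(pid, sfx, n) for (pid, sfx), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda hit: -hit[2])


def note_dropped(file_creates, note_name=RANSOM_NOTE_NAME):
    """Return the directories in which a file named like the ransom note
    was created (case-insensitive, as NTFS is)."""
    return sorted({str(PureWindowsPath(p).parent) for p in file_creates
                   if PureWindowsPath(p).name.lower() == note_name.lower()})


def sample_events():
    """Constructed telemetry: one process renames 60 documents by appending
    a hypothetical '.LOCKED' suffix; another does three benign renames."""
    docs = [rf"C:\Users\victim\Documents\report_{i:03d}.docx" for i in range(60)]
    encrypting = [RenameEvent(4242, p, p + ".LOCKED") for p in docs]
    benign = [
        RenameEvent(1337, r"C:\Users\victim\Downloads\setup.tmp",
                    r"C:\Users\victim\Downloads\setup.exe"),      # extension swapped
        RenameEvent(1337, r"C:\Users\victim\Desktop\notes.txt",
                    r"C:\Users\victim\Desktop\notes.txt.bak"),    # single appended ext
        RenameEvent(1337, r"C:\Temp\a.log", r"C:\Archive\a.log"),  # moved
    ]
    return encrypting + benign


def sample_creates():
    """Constructed file-create paths, including the note from the report."""
    return [r"C:\Users\Public\Videos\how_to_back_files.html",
            r"C:\Users\victim\Documents\how_to_back_files.html",
            r"C:\Users\victim\Documents\report_000.docx.LOCKED"]


if __name__ == "__main__":
    for pid, sfx, n in detect_mass_rename(sample_events()):
        print(f"pid {pid}: {n} files renamed with appended {sfx}")
    print("ransom note dropped in:", note_dropped(sample_creates()))
```

Grouping by process and by appended suffix is what separates an encryptor from a user renaming a few backups: a single `.bak` rename never reaches the threshold, while one PID appending the same suffix to dozens of files does. On a real host the same logic runs over Sysmon Event ID 11 / 23 or EDR file-rename telemetry instead of the constructed list.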

MITRE ATT&CK Enterprise v15

Tasks