globeimposter

General

Target

67ba173a7bdf01c3016cdd70f40f45b5_JaffaCakes118
Size

265KB
Sample

240522-swnnxafg91
MD5

67ba173a7bdf01c3016cdd70f40f45b5
SHA1

23f7cb130a178507fd0437db28cfd2425c4caa2e
SHA256

db0e80189ecad474b3bb4539a9d0e3dd9e14057871ca9b8ece51400a72ebb84f
SHA512

fd9a2449febf26d44e3b3149ec1ca41d3c2a53e20a1d805e185f0461caf1349000ed88c7d2a800de372b54cc7692d2e695b90659a6fdf04dc6c97a0249af8cdf
SSDEEP

6144:BaHY0DNpINAEQksZu+JKrzvAPXrt8QmodL:BaHY0DNpINABZ9JKrTkOox

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Public\Videos\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��07 A1 E4 F2 9D D5 1C 2D 71 55 57 01 5C ED D3 72 D3 EC 64 C2 12 89 7A 38 95 70 3F C9 E6 0F A2 03 B2 F1 D5 31 44 3A 3C AA 5A BF B7 FB 7B 13 0F 5C 1D D1 86 0F 60 B2 68 0E FF 3C BC E9 FB F1 23 18 1E 70 3B FB 1A 1C B8 D3 C2 CA 33 EE 8F 84 47 DB 12 5E 5D 71 87 68 DC A0 3B 46 4F 36 FF 6D 1B B4 9B 69 10 11 32 48 75 54 68 D7 61 1D BA 34 86 EF 45 BD C5 3C 7C 11 F8 01 94 04 5B 9C 55 1A 66 F6 70 73 CF FB 26 8C B6 E3 81 21 7F C3 C8 07 22 C3 F2 26 68 E6 42 7F 26 12 56 65 40 20 CC DB B4 C8 73 FF 74 0F 0D 40 58 87 92 A1 4F 1F CE 4C 16 68 BF AA 0B 9A D7 68 AC 7A E9 AD 1A 71 46 AE 45 27 37 E2 5F 70 2D 50 02 B1 F0 66 BC 78 F5 3E 6A 59 AE 69 C3 DE AA CD 77 2B B0 30 F4 38 6C 8F 5E 1D 59 66 3E D8 7C FB C4 4C F1 8F 43 FA E0 FB CF C1 0D 85 2B 9F 05 6E 43 C0 7A 2A 7C D4 19 8A 77 1A ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

- Target
  
  67ba173a7bdf01c3016cdd70f40f45b5_JaffaCakes118
- Size
  
  265KB
- MD5
  
  67ba173a7bdf01c3016cdd70f40f45b5
- SHA1
  
  23f7cb130a178507fd0437db28cfd2425c4caa2e
- SHA256
  
  db0e80189ecad474b3bb4539a9d0e3dd9e14057871ca9b8ece51400a72ebb84f
- SHA512
  
  fd9a2449febf26d44e3b3149ec1ca41d3c2a53e20a1d805e185f0461caf1349000ed88c7d2a800de372b54cc7692d2e695b90659a6fdf04dc6c97a0249af8cdf
- SSDEEP
  
  6144:BaHY0DNpINAEQksZu+JKrzvAPXrt8QmodL:BaHY0DNpINABZ9JKrTkOox
Score

10^/10

globeimposter persistence ransomware spyware stealer
- GlobeImposter
  GlobeImposter is a ransomware first seen in 2017.
  ransomware globeimposter
- Renames multiple (6905) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2