General
-
Target
2024-06-12_5dac31f7671442a49295cbf7cafc7c0e_globeimposter
-
Size
55KB
-
Sample
240612-r18n7sydqd
-
MD5
5dac31f7671442a49295cbf7cafc7c0e
-
SHA1
a46d5bdd7104ec2d971a163ba94ade6021896083
-
SHA256
70104208036d4ad6a857eb0554b6fd84e01b732ea84accc52d18579a5464b91e
-
SHA512
888f1a01e3684cc22b4ac714806cc61f9a8ade583071ade8ddceece8ac87891629cf2ec74496114d7934a075dea20163828961249c0919f514f5af415c14c6bf
-
SSDEEP
1536:EJi+8UluOXSC5liawrEDKyzirwQu8PfPYgI+:O18OuOXSC5liaFDu0uDI+
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Videos\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #FFFFF0;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
outline: 8px solid #303030;
border: 8px solid #303030;
color: #FF0000;
background: #FFF0F5;
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
outline: 8px solid #303030;
border: 8px solid #303030;
background: #FFF0F5;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
outline: 8px solid #303030;
border: 8px solid #303030;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #FFF0F5;
color: #303030;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3><strong>Your personal ID</strong></h3></div>
<div class="identi">
<pre><p style="color:#303030"><strong> �������45 FA 07 C1 53 6E 57 63 C7 36 53 48 47 59 55 14
A9 51 12 1B D5 8C AC 66 A2 20 9A 08 96 03 BA 38
C7 1D 46 A6 17 0B 8B A0 A1 5C 89 59 24 A5 63 4F
D2 24 9D 5A 70 2F 02 44 E1 A9 01 E0 6A 82 97 D5
28 E1 1B 5D A5 49 12 86 A4 3B 00 20 DE 1A 0D 76
51 B6 76 72 97 F3 1B 13 65 97 B8 AA C8 74 83 C5
F9 F1 4A D3 D9 6C C7 A7 09 20 88 B6 83 58 BC 46
1C E1 9A 63 13 9E 2D 3D B7 F5 B5 69 72 FA 49 39
96 3D 0A E1 21 FB F1 B4 70 0E 90 C7 70 B3 06 B2
FC 23 62 D6 BB 10 DF 45 1F C9 24 71 AD 36 13 BC
31 7F 50 31 DA 1A 3B 89 FB 20 58 D3 A6 34 2A 7A
8B AA 43 83 C1 9D 18 55 42 31 AB A8 A1 D0 6A B2
98 5A B0 F0 9D 7A 25 C3 B9 B5 73 E2 4E 13 32 22
DB 81 9C 46 32 B3 47 50 94 E7 49 CF 83 9E 4C 5B
82 A9 AB D7 28 0C D9 F3 92 4B 4B 6D B7 3B 7F 99
A8 94 8B 2D C5 38 D9 B0 84 2B 88 05 BE 41 C5 71
</strong></p>
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<strong>
<h1>
<strong> Your files are encrypted! </h1>
<hr color="303030" noshade size="8">
<h3><strong> ⬇ To decrypt, follow the instructions below. ⬇ </strong> </h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 crypted test image or text file or document to <span> [email protected]</span></br>
(Or alternate mail [email protected])<p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<hr color="Red" noshade size="8">
<center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center>
<center><p style="color:#0000FF"> Do not contact other services that promise to decrypt your files, this is fraud on their part!
When you contact them, they will write to [email protected]
, and buy the decoder from us, but they will increase the cost of decryption for their services!</p></center>
<hr color="Red" noshade size="8">
</strong>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Extracted
Path
C:\Users\Public\Videos\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #FFFFF0;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
outline: 8px solid #303030;
border: 8px solid #303030;
color: #FF0000;
background: #FFF0F5;
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
outline: 8px solid #303030;
border: 8px solid #303030;
background: #FFF0F5;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
outline: 8px solid #303030;
border: 8px solid #303030;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #FFF0F5;
color: #303030;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3><strong>Your personal ID</strong></h3></div>
<div class="identi">
<pre><p style="color:#303030"><strong> �������8C 3A 59 8B 58 0D B5 07 72 F4 D4 52 ED 7F 0B E5
29 25 01 A7 28 98 F6 10 66 84 30 FB 64 DA 91 50
0D C5 89 85 0F 6A 56 83 01 32 ED 9D EF 6B B0 F4
7E 0A 8D 13 82 47 4F 32 8E 73 F2 30 BC C2 B9 A1
97 D1 8A 9A CF 2C D2 11 39 61 40 B0 21 4A F6 E7
BF 0E B0 7E 0D 5B 6D A1 DE 05 64 DE 82 77 75 CE
79 B6 08 E7 D9 4F ED B8 1D D5 2E 00 51 7D ED 36
9F CF 54 71 CC 2D 05 7C 60 8C CF 2E F2 1E 47 7C
30 56 D7 BB 5E 5B 7B AA 0B 56 F0 08 8B 26 82 F9
FB 96 89 60 03 D5 30 1A 14 CC 69 67 2A C0 4B 3F
24 AF E0 B8 04 B3 42 72 1C EC 78 E9 A7 7F 80 A9
74 9A 0E F9 AC D2 0A 66 FA B0 86 38 AE E9 57 4F
B0 21 26 A0 CF 99 CE 3C 0D 25 14 DB 43 EA AB 0E
DA 77 90 49 13 16 F5 4F 7D CC 3A 27 84 49 F3 02
4C DE 24 4F 82 08 6F 23 AE A3 E5 F1 05 2B 82 69
69 4E 1C D4 FB 95 E2 E4 86 7F 3C AD E5 0B 20 5C
</strong></p>
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<strong>
<h1>
<strong> Your files are encrypted! </h1>
<hr color="303030" noshade size="8">
<h3><strong> ⬇ To decrypt, follow the instructions below. ⬇ </strong> </h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 crypted test image or text file or document to <span> [email protected]</span></br>
(Or alternate mail [email protected])<p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<hr color="Red" noshade size="8">
<center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center>
<center><p style="color:#0000FF"> Do not contact other services that promise to decrypt your files, this is fraud on their part!
When you contact them, they will write to [email protected]
, and buy the decoder from us, but they will increase the cost of decryption for their services!</p></center>
<hr color="Red" noshade size="8">
</strong>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Targets
-
-
Target
2024-06-12_5dac31f7671442a49295cbf7cafc7c0e_globeimposter
-
Size
55KB
-
MD5
5dac31f7671442a49295cbf7cafc7c0e
-
SHA1
a46d5bdd7104ec2d971a163ba94ade6021896083
-
SHA256
70104208036d4ad6a857eb0554b6fd84e01b732ea84accc52d18579a5464b91e
-
SHA512
888f1a01e3684cc22b4ac714806cc61f9a8ade583071ade8ddceece8ac87891629cf2ec74496114d7934a075dea20163828961249c0919f514f5af415c14c6bf
-
SSDEEP
1536:EJi+8UluOXSC5liawrEDKyzirwQu8PfPYgI+:O18OuOXSC5liaFDu0uDI+
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Renames multiple (2612) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-