General
-
Target
2024-10-28_181f176a3977c2bddf27bb334e33b789_globeimposter
-
Size
53KB
-
Sample
241028-qrybfaxrer
-
MD5
181f176a3977c2bddf27bb334e33b789
-
SHA1
733080a58442d2c9fc8477058808e2a5856351fd
-
SHA256
2f2932e0116bbff9d831b178a67208584fb42522075464fcdb4afd417e323909
-
SHA512
5b09fc0233551a7173828f929b8a740a7769e1794912466f235b7e824d94c2ccf2d11de689075bfd58760897f01fbbbb7ab38b0941f9bcaf084633ccb07bf294
-
SSDEEP
768:VTHOvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5vIb:qeytM3alnawrRIwxVSHMweio3ZIb
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Music\Sample Music\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
word-break: break-all;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">��������������80 CD E2 4D 49 CA 6A 2D 97 99 BF 39 8F 89 29 2E
74 7F F6 DD 30 C7 5D 8C E2 68 A5 F1 0D 89 82 0F
33 54 32 2C 57 5A E1 0D 22 67 0F 82 23 5D 1F 6F
93 A1 43 1A 3A DE 0E 3A F1 DC FD 09 6D D4 E9 2A
EB 24 B1 03 62 7F 40 B9 0A F1 F7 8F 4B 2F 7B F7
57 52 FB FB B0 D7 4C 89 7E 97 DE 80 B1 0F 91 FC
AC 5E A9 DF 54 C2 72 12 7E 35 24 C2 7E A0 7C D1
7D C6 E6 9F EC CB 76 0B 73 5B 64 E1 0D 29 9A 1E
3B 15 C8 32 6F 44 25 DD EC DE D4 09 34 F2 C8 DD
2F 6D 69 31 FB AC D9 A5 F5 29 8C 63 6B 9F 4E 02
44 FD 1A FF 9B 53 D1 37 7F 98 7D 86 2B 0A 83 B1
9B 44 B7 85 E4 8E 25 61 D9 78 3C B7 C0 FD 00 0A
A6 16 00 B9 FD 1C 18 A7 A8 F5 F9 32 8A 02 04 58
A9 7D DA F4 A4 43 3F 77 06 7A 5D F5 E9 69 11 BE
47 13 CB D9 20 D2 BF EC D8 7C C0 C1 98 24 EE 0C
32 52 B4 5D C6 2E 75 2F 16 1F 08 0C 1C 71 B0 B5
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<hr>
<b>email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
<p>* <a href<a href<b>
</div>
</div>
</div>
<!--tab-->
<b>
<b> <b> <span style="font-size: 22px"></span>
</b><br><br> </b><br>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
������
Emails
Extracted
Path
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
word-break: break-all;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">��������������0E 1A C4 47 A0 81 C8 48 01 5F FF 3A D4 B0 93 F2
89 FF 72 0D 8D 4E E0 9C 0A 6D C5 8C 86 6F 1C 13
A7 75 58 2C A7 F3 BA DC F1 67 A9 BE 7B A7 AA D3
5E 01 7D 62 B5 77 0C 39 F6 BE 5A 48 24 AE 44 9B
A1 6B 8A 57 5B 95 AA 50 12 0B 0A 4C 0D 36 19 FE
24 61 E3 4C 61 F2 87 A6 6F E0 DD 08 A6 4C D3 F1
C4 9E 0D 99 FC A4 EF 43 93 A4 B6 0D DD 65 01 D1
69 BA B5 3F 4E F5 9B 44 EF AB 06 9E 26 21 BC 61
EC BD 7F 0E 44 26 2A F2 33 E2 AF 39 B0 59 C1 C4
61 CB BF 6D D5 A5 56 A7 F0 15 5E 53 7F A1 01 79
C3 BC 2B 49 24 9A A7 C2 99 E9 A6 39 37 FA 20 47
20 89 59 81 D6 76 A8 12 40 90 76 5B FA C6 D8 F0
E3 45 CF 50 E4 72 ED CE 46 87 85 86 9D A1 86 E8
7C 5D A2 BC 00 E0 85 D3 81 96 E4 C4 01 8A BB B9
F5 C9 B6 26 DB 0B 0A 81 AA E5 43 9B 88 21 3A 18
9C 44 C6 31 33 B7 9E A1 4F 42 FA D7 8F B9 B1 3F
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<hr>
<b>email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
<p>* <a href<a href<b>
</div>
</div>
</div>
<!--tab-->
<b>
<b> <b> <span style="font-size: 22px"></span>
</b><br><br> </b><br>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
������
Emails
Targets
-
-
Target
2024-10-28_181f176a3977c2bddf27bb334e33b789_globeimposter
-
Size
53KB
-
MD5
181f176a3977c2bddf27bb334e33b789
-
SHA1
733080a58442d2c9fc8477058808e2a5856351fd
-
SHA256
2f2932e0116bbff9d831b178a67208584fb42522075464fcdb4afd417e323909
-
SHA512
5b09fc0233551a7173828f929b8a740a7769e1794912466f235b7e824d94c2ccf2d11de689075bfd58760897f01fbbbb7ab38b0941f9bcaf084633ccb07bf294
-
SSDEEP
768:VTHOvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5vIb:qeytM3alnawrRIwxVSHMweio3ZIb
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Globeimposter family
-
Renames multiple (7337) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1