General

  • Target

    RNSM00417.7z

  • Size

    26.6MB

  • Sample

    241028-tx9hfa1nct

  • MD5

    3827bb44108eb019f3d69ec7c9a4c85b

  • SHA1

    3cc6563e65ff0618cee4bcbb8637db128af32c0a

  • SHA256

    0c05113830f590ea0e628c188bf2b0d9554c6e6bb3bb80178b193caf5bb41c96

  • SHA512

    2e575b82c5f1d25233f5ef8ec2042a54a0b21127e73bea1720e8189f57d709879be7c693456217c8d65bc55ba89e51370c3f3fe603fbd3ff07e247c8da5e6caa

  • SSDEEP

    786432:bFe9AF5zQqfplDfrIxRMmGBN63q8bv5ceUPt/q:bFVpjlDfrIxRMzw3lme

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Lolhacker05@!!

Extracted

Path

C:\Users\Admin\Documents\__READ_ME_TO_RECOVER_YOUR_FILES.txt

Ransom Note
Hello, your files were encrypted and are currently unusable. The only way to recover your files is decrypting them with a key that only we have. In order for us to send you the key and the application to decrypt your files, you will have to make a transfer of Bitcoins to an electronic wallet. We leave you here the data to make the bitcoins transfer.
Bitcoin wallet: 3QtbAioBSw249J5xsGd1sCqTqhdDX4CD9L
Transfer the amount of bitcoins equivalent to 50 USD.
Your computer ID is: cca0d105-8260-4611-8c12-bd85a7208b9f
Once you make the transfer of bitcoins, send us the transfer ID and your computer ID to our email: [email protected]
When we verify the transfer we will send you your key and the decryption application.
Wallets

3QtbAioBSw249J5xsGd1sCqTqhdDX4CD9L

Extracted

Path

C:\Users\Public\WERE_MY _FILES.txt

Family

globeimposter

Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
------------------------------------------------
create a ticket to any of these addresses
yip.su/2QstD5
cutt.ly/0htT0he
shorturl.at/GOY24
bit.ly/3399Ozf
------------------------------------------------
you can also attach a small cryptted file for a free test decrypt
Additional communication method
-------------------------------
1. Download Tor browser - httpps://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://helpqvrg3cc5mvb3.onion/
--------------------------------
You ID [victim ID bytes garbled in extraction]
URLs

httpps://www.torproject.org/

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\How To Decrypt Files.hta

Ransom Note
<!DOCTYPE HTML><html xmlns:HTA="http://www.w3.org/1999/xhtml " lang="en"><head><title>XINOF v4.4.1</title> <HTA:APPLICATION icon="#" WINDOWSTATE="maximize" SYSMENU="no" singleInstance="yes" contextmenu="no" scroll="yes"/><style type='text/css'>body{font:15px Tahoma,sans-serif;margin:10px;line-height:25px;background:rgb(0,0,0);color:#fff;display:block}a{color:wheat}.mark{background:rgb(189, 54, 54);padding:1px 5px}.header{text-align:center;font-size:53px;line-height:50px;font-weight:bold;color:red;margin-left:80%;padding:30px 0 0 80px}.info{background:rgb(78, 78, 78);border-left:10px solid rgb(59,59,59)}.alert{background:rgb(255, 0, 0);border-left:10px solid rgb(255,0,0)}.note{height:auto;padding-bottom:1px;margin:15px auto}.note .title{font-weight:bold;text-indent:10px;height:30px;line-height:30px;padding-top:10px}.note ul{margin-top:0}.note pre{margin-left:15px;line-height:13px;font-size:13px}#timer{text-align:right;font-size:35px;margin-top:0;color:red;line-height:60px;margin-bottom:0;position:absolute;bottom:0;left:0}.size{position:absolute;bottom:0;right:10px;height:100px;width:250px}#logo{width:15%;height:30%;min-width:15%;min-height:30%;position:absolute;top:10px;left:0}#ico{width:30px;height:30px;position:absolute;bottom:13px;right:5px}@media only screen and (max-width: 1200px){.header{font-size:40px}}</style> <script>var countDownDate=new Date("November 4 2024 16:29").getTime();var x=setInterval(function(){var now=new Date().getTime();var distance=countDownDate-now;var days=Math.floor(distance/(1000*60*60*24));var hours=Math.floor((distance%(1000*60*60*24))/(1000*60*60));var minutes=Math.floor((distance%(1000*60*60))/(1000*60));var seconds=Math.floor((distance%(1000*60))/1000);document.getElementById("timer").innerHTML="0"+days+"d,"+hours+":"+minutes+":"+seconds;if(distance<0){clearInterval(x);document.getElementById("timer").innerHTML="00d,00:00:00";}},1000);</script> </head><body> <br><div class="header note"> All Of Your Files Have Been Encrypted By 
XINOF!</div> <img id="logo" src="C:\ProgramData\XINOFLOGO.png" alt="logo"><div class="note" style="font-size: 24px;height: 200px;line-height: 33px"><ul style="list-style: none"><li><div style="padding-top: 3%;padding-left: 13%;"> All your files have been encrypted due to a security problem with your PC.<br>If you want to restore them, please send an email to<span class='mark'>[email protected]</span></div></li></ul></div><div class="note" style="position: relative;word-spacing: 5px"><div class="size note"><div style="position: relative;width: 100%;height: 100%"> <img src="C:\ProgramData\XINOFALERT.png" alt="sa" id="ico"><div id="timer"></div></div></div><div class="note"><ul style="list-style: none;font-size: 19px"><li>You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. After payment we will send you the decryption tool.</li><li>You have to 48 hours(2 Day) To contact or paying us After that, you have to Pay <b>Double</b>.</li><li>in case of no answer in 6 hours email us at =<span class='mark'>[email protected]</span></li><li>The crypter person username :<span class='mark'>002enmrs</span></li><li>your SYSTEM ID is :<span class='mark'>F1A57932</span></li></ul></div></div><div class='note alert'><div class='title'> Attention!</div><ul><li><u><b>DO NOT</b> pay any money before decrypting the test files.</u></li><li><u><b>DO NOT</b> trust any intermediary.</u> they wont help you and you may be victim of scam. just email us , we help you in any steps.</li><li><u><b>DO NOT</b> reply to other emails.</u> ONLY this two emails can help you.</li><li>Do not rename encrypted files.</li><li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li></ul></div><div class='note info'><div class='title'> What is our decryption guarantee?</div><ul><li> Before paying you can send us up to <u>3 test files</u> for free decryption. 
The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)</li></ul></div><div class='note alert'><div class='title'>You only have LIMITED time to get back your files!</div><ul><li>if timer runs out and you dont pay us , all of files will be DELETED and yuor hard disk will be seriously DAMAGED.</li><li>you will lose some of your data on day 2 in the timer.</li><li>you can buy more time for pay. Just email us .</li><li>THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :)</li></ul></div><div><b>Regards-FonixTeam</b></div></body></html>
Emails

[email protected]

[email protected]
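The three notes above carry the indicators a responder actually wants out of a report like this: the wallet, the onion support URL, the shortener tickets, the victim ID and the payment deadline. The following is an added example, not part of the sandbox report and not code from any of these ransomware families: a Python extractor run over excerpts of the three notes as printed above. It normalizes the attacker's "httpps://" typo rather than silently dropping that URL, validates Base58Check on legacy/P2SH wallets (so a wallet only appears under wallets_checksum_ok if its checksum holds), and strips the HTA markup before matching. The shortener host list, the family markers and the victim-ID phrasing are assumptions taken from these three notes only. The report redacts the contact addresses to "[email protected]", so the email field comes back empty for these inputs.

```python
"""IOC extraction from ransom notes: wallets (Base58Check), onion/clearnet URLs, victim IDs, deadlines."""
import hashlib
import html
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy/P2SH (1.../3...) and bech32 (bc1...) address shapes; checksum is verified separately.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
# Loose scheme so attacker typos such as the note's "httpps://" are still captured.
URL_RE = re.compile(r"\b(h?t{1,2}p{1,2}s?)://([^\s<>\"']+)")
# Scheme-less shortener links as in the GlobeImposter note; the host list is an assumption.
SHORTENER_RE = re.compile(r"\b((?:yip\.su|cutt\.ly|shorturl\.at|bit\.ly)/[A-Za-z0-9]+)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Phrasing seen in these notes: "Your computer ID is: <guid>" / "your SYSTEM ID is :<hex>".
VICTIM_ID_RE = re.compile(r"(?:computer|SYSTEM)\s+ID\s+is\s*:\s*([0-9A-Fa-f-]{8,36})", re.I)
DEADLINE_RE = re.compile(r'new Date\("([^"]+)"\)')  # countdown target in the XINOF HTA script
TAG_RE = re.compile(r"<[^>]+>")


def b58check_ok(addr: str) -> bool:
    """Base58Check for 25-byte legacy/P2SH addresses (version + hash160 + 4-byte double-SHA256)."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58.index(ch)
        raw = n.to_bytes(25, "big")  # leading '1' characters become leading zero bytes
    except (ValueError, OverflowError):
        return False
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]


def _normalize_url(scheme: str, rest: str) -> str:
    return ("https" if "s" in scheme else "http") + "://" + rest.rstrip(".,;:)")


def classify(text: str) -> str:
    """Marker heuristics drawn from the three notes in this report; not a general classifier."""
    if "FonixTeam" in text or "XINOF" in text:
        return "Fonix (XINOF)"
    if "How to buy decryptor" in text and ".onion" in text:
        return "GlobeImposter-style (onion support link)"
    if "Bitcoin wallet:" in text and "computer ID" in text:
        return "BTC wallet + computer ID note (family unlabelled in report)"
    return "unknown"


def extract_iocs(note: str) -> dict:
    deadline = DEADLINE_RE.search(note)          # read before the <script> tags are stripped
    text = html.unescape(TAG_RE.sub(" ", note))  # HTA notes are HTML; plain notes pass through
    urls = [_normalize_url(s, r) for s, r in URL_RE.findall(text)]
    wallets = BTC_RE.findall(text)
    victim = VICTIM_ID_RE.search(text)
    return {
        "wallets": wallets,
        "wallets_checksum_ok": [w for w in wallets if not w.startswith("bc1") and b58check_ok(w)],
        "onion_urls": [u for u in urls if ".onion" in u],
        "clearnet_urls": [u for u in urls if ".onion" not in u],
        "shortener_links": SHORTENER_RE.findall(text),
        "emails": EMAIL_RE.findall(text),  # empty for this report: addresses are redacted
        "victim_id": victim.group(1) if victim else None,
        "deadline": deadline.group(1) if deadline else None,
        "family_hint": classify(text),
    }


# Excerpts of the three notes printed in the report above (constructed inputs for this example).
NOTE_MAFIA = (
    "Hello, your files were encrypted and are currently unusable. We leave you here the data to "
    "make the bitcoins transfer. Bitcoin wallet: 3QtbAioBSw249J5xsGd1sCqTqhdDX4CD9L Transfer the "
    "amount of bitcoins equivalent to 50 USD. Your computer ID is: "
    "cca0d105-8260-4611-8c12-bd85a7208b9f Once you make the transfer of bitcoins, send us the "
    "transfer ID and your computer ID to our email: [email protected]"
)
NOTE_GLOBE = (
    "All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: "
    "create a ticket to any of these addresses yip.su/2QstD5 cutt.ly/0htT0he shorturl.at/GOY24 "
    "bit.ly/3399Ozf you can also attach a small cryptted file for a free test decrypt "
    "1. Download Tor browser - httpps://www.torproject.org/ 2. Install Tor browser "
    "4. Open link in TOR browser: http://helpqvrg3cc5mvb3.onion/"
)
NOTE_FONIX_HTA = (
    '<!DOCTYPE HTML><html><head><title>XINOF v4.4.1</title>'
    '<script>var countDownDate=new Date("November 4 2024 16:29").getTime();</script></head>'
    '<body><div class="header note"> All Of Your Files Have Been Encrypted By XINOF!</div>'
    "<li>your SYSTEM ID is :<span class='mark'>F1A57932</span></li>"
    "<li>if timer runs out and you dont pay us , all of files will be DELETED</li>"
    "<div><b>Regards-FonixTeam</b></div></body></html>"
)

if __name__ == "__main__":
    for label, note in (("note 1", NOTE_MAFIA), ("note 2", NOTE_GLOBE), ("note 3 (HTA)", NOTE_FONIX_HTA)):
        print(label, extract_iocs(note))
```

Run it against the full note files recovered from a host (read the .hta as text) rather than these excerpts; the same functions apply. Treat wallets_checksum_ok as the list worth pivoting on, since the regex alone will also match random base58-looking tokens in HTML or CSS.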

Targets

    • Target

      RNSM00417.7z

    • Detect MafiaWare666 ransomware

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Globeimposter family

    • Locky

      Ransomware strain first seen in 2016, with anti-analysis features.

    • Locky family

    • MafiaWare666 Ransomware

      MafiaWare666 is ransomware written in C# with multiple variants.

    • Mafiaware666 family

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modifies WinLogon for persistence

    • Modifies security service

    • Modiloader family

    • UAC bypass

    • Windows security bypass

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • ModiLoader First Stage

    • Renames multiple (1663) files with added filename extension

      This is consistent with ransomware encrypting files across the system and appending an extension to each.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Server Software Component: Terminal Services DLL

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access the device from the network.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Hijack Execution Flow: Executable Installer File Permissions Weakness

      Possibly turns off User Account Control's privilege elevation for standard users.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX, or with a modified build of that open-source packer.
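Several of the signatures above ("Modifies WinLogon for persistence", "Disables Task Manager via registry modification", "Allows Network login with blank passwords", "Checks whether UAC is enabled", the note about turning off UAC elevation for standard users, "Modifies Windows Firewall", "Adds Run key to start application") describe registry tampering that a responder will want to confirm on a suspect host. As an added example that is not part of this report, the Python below audits a `reg export` dump offline for the values those behaviours usually touch. The key paths and value names are the standard Windows ones and are my assumption about what the sandbox keyed on, since the report's Tasks section is not reproduced here; the .reg text is constructed so that each rule fires once.

```python
"""Offline audit of a `reg export` dump for the registry tampering behind the report's signatures.
Paths/value names are the standard ones such signatures key on (assumption); the dump is constructed."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')

HKLM_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
HKCU_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
FW_BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
# Directories a Run entry should not normally launch from (heuristic, assumption).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key_path_lower: {value_name_lower: value}}; dword -> int, strings unescaped."""
    out, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            out.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if not val or current is None:
            continue
        name = (val.group(1) or "(default)").lower()
        data = val.group(3)
        if data.startswith("dword:"):
            out[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            out[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            out[current][name] = data  # hex(...) and other types kept raw
    return out


def audit(reg: dict) -> list:
    """Return (rule_id, key, evidence) for values matching the behaviours named in the report."""
    def get(key, name):
        return reg.get(key.lower(), {}).get(name.lower())

    findings = []
    shell = get(WINLOGON, "Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon_shell", WINLOGON, shell))
    userinit = get(WINLOGON, "Userinit")
    if userinit is not None:  # default is "C:\Windows\system32\userinit.exe," (trailing comma)
        entries = [e.strip().lower() for e in userinit.split(",") if e.strip()]
        if entries != [r"c:\windows\system32\userinit.exe"]:
            findings.append(("winlogon_userinit", WINLOGON, userinit))
    for key in (HKCU_POLICY, HKLM_POLICY):
        if get(key, "DisableTaskMgr") == 1:
            findings.append(("taskmgr_disabled", key, 1))
    if get(LSA, "LimitBlankPasswordUse") == 0:  # 0 lets blank-password accounts log on over the network
        findings.append(("blank_password_network_logon", LSA, 0))
    if get(HKLM_POLICY, "EnableLUA") == 0:
        findings.append(("uac_disabled", HKLM_POLICY, 0))
    if get(HKLM_POLICY, "ConsentPromptBehaviorUser") == 0:  # 0 = auto-deny elevation for standard users
        findings.append(("uac_standard_user_autodeny", HKLM_POLICY, 0))
    for profile in ("DomainProfile", "StandardProfile", "PublicProfile"):
        key = FW_BASE + "\\" + profile
        if get(key, "EnableFirewall") == 0:
            findings.append(("firewall_disabled", key, 0))
    for key in RUN_KEYS:
        for name, cmd in reg.get(key.lower(), {}).items():
            if isinstance(cmd, str) and any(d in cmd.lower() for d in USER_WRITABLE):
                findings.append(("run_key_user_writable_path", key, f"{name}={cmd}"))
    return findings


# Constructed .reg dump (not from the report) with one hit per rule; backslashes doubled as reg export writes them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\svc.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorUser"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\ProgramData\\svc.exe"
'''

if __name__ == "__main__":
    for rule, key, evidence in audit(parse_reg(SAMPLE_REG)):
        print(f"{rule:30} {key}  evidence: {evidence}")
```

Collect the input with `reg export <key> <file>.reg` for each key the rules reference (one file per key, concatenated is fine); `reg export` writes UTF-16LE, so open the file with encoding="utf-16" before passing it to parse_reg. A rule that does not fire only proves the value was absent from the dump, not that it is clean, so export every key the audit looks at.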

MITRE ATT&CK Enterprise v15

Tasks