General
-
Target
2024-11-24_cafbacc31cdd3ecece60d7128cf8bc90_globeimposter_neshta
-
Size
93KB
-
Sample
241124-q4dgsssla1
-
MD5
cafbacc31cdd3ecece60d7128cf8bc90
-
SHA1
ab73f8a73bf1df39143e55e0c49a61238bf6cbca
-
SHA256
58a4ab673e72f1ea429d520a6d204ab43e6e3539ecd124b197ec92d50cb8079e
-
SHA512
2d3a20a496abd456b5732d8a119cc3b73bbd5bdaf7c79943c7c6c7a98254c0f6a2b017acc75ff894e06086206734841e740b1b47a864c0b1a2935c692d0457fc
-
SSDEEP
1536:JxqjQ+P04wsmJC5LpeytM3alnawrRIwxVSHMweio:sr85C5Lpey23alnaEIN/
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Music\Sample Music\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
word-break: break-all;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">��������������6F 05 45 01 CA 6D 4E 3C 4E B6 9B 2F A1 23 F4 55
D2 1A 8D FC 7F D1 C9 89 59 1C 73 CF BC 5D 55 FC
11 7A 64 B5 71 57 29 4A 7F 50 50 D4 CB 40 62 2A
3D 7D 96 02 2B 38 B2 7A AB B6 D1 9D A3 47 B7 7A
5A E1 91 94 13 56 19 AD 88 D6 13 A7 F0 1B 08 29
89 56 DF D1 13 B4 4E 97 E1 82 0C ED 4F 44 5E D9
B1 EF DD F3 02 52 31 98 CF 3B EA B7 49 22 C1 33
4E 14 3B 10 52 61 D2 1A 60 A5 C4 46 54 F7 9C 9F
BA F9 41 13 C2 F5 26 DE 97 5E A4 29 9D E0 5B 51
F3 5F 34 88 9B 7B CF 10 B8 1C 62 C5 A5 22 C6 50
0B 58 DF 52 8C AC 05 1A DA FC 94 2E C8 3B 12 EF
E6 A3 C6 63 13 ED FE 03 9B D0 26 19 F3 6B F8 52
1B 52 98 EB 8F 8F 7A FD 1F 39 9F 72 A6 AB EF 49
87 AF 64 B9 50 A4 5D F4 22 4B 90 D9 A5 AB 6D 39
B9 27 7A 53 9C D5 CF 6E 83 23 CA 0E 87 18 81 B0
FB 4C 1B A6 52 39 73 19 F8 03 5E 20 68 B4 5C 27
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<hr>
<b>email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
<p>* Tor-chat to always be in touch: <a href<a href<b>
</div>
</div>
</div>
<!--tab-->
<b>
<b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span>
</b><br><br> </b><br>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>��������������
Emails
Extracted
Path
C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
word-break: break-all;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">��������������14 EF 6D 56 B9 10 A6 E8 5F 7E 6A 22 42 DD 7A B5
94 E4 15 3C 7E B7 FE ED B6 E0 31 23 08 BB BF 17
3F BF DB 68 60 11 BE 98 4B B3 0B B6 E3 38 7E A7
08 B0 29 F5 4F 44 83 A4 A6 E7 F0 15 EC 97 BB 54
30 79 9A 07 C9 02 00 A8 8C 6D 57 BA 0E BB C2 B6
02 9A 7C FC E3 EA EA D0 16 38 3F 7E E4 2C 9C B3
FB 48 8D 81 95 A9 46 81 C2 5B 4E 5F 0E 8F 22 FD
0A A4 06 17 F4 79 7D B6 63 E3 6B 11 26 10 9B F2
EA F6 CA 4B 60 AA 46 9F DE 3D F5 A0 5D 55 71 18
A4 F1 93 98 D5 15 29 89 59 6A 62 C2 66 87 0A B5
2F DC 1D 20 1C FE 57 4F 34 96 B7 76 2B 9F 57 1E
2E EB 39 19 AA 6D 98 21 E6 D2 BE 50 49 E3 B2 90
8A 05 36 50 B4 53 87 D9 A3 9C 57 39 AB 42 08 89
E1 7F 2D 51 45 D8 77 04 B6 B3 21 39 E4 73 ED 50
D4 88 7E B3 0A 89 12 0E 33 98 40 8D 9E 3C 1D 1B
E2 52 8E 5E 0A 66 87 7D 96 29 DE 8A 11 0B 29 86
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<hr>
<b>email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
<p>* Tor-chat to always be in touch: <a href<a href<b>
</div>
</div>
</div>
<!--tab-->
<b>
<b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span>
</b><br><br> </b><br>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>��������������
Emails
Targets
-
-
Target
2024-11-24_cafbacc31cdd3ecece60d7128cf8bc90_globeimposter_neshta
-
Size
93KB
-
MD5
cafbacc31cdd3ecece60d7128cf8bc90
-
SHA1
ab73f8a73bf1df39143e55e0c49a61238bf6cbca
-
SHA256
58a4ab673e72f1ea429d520a6d204ab43e6e3539ecd124b197ec92d50cb8079e
-
SHA512
2d3a20a496abd456b5732d8a119cc3b73bbd5bdaf7c79943c7c6c7a98254c0f6a2b017acc75ff894e06086206734841e740b1b47a864c0b1a2935c692d0457fc
-
SSDEEP
1536:JxqjQ+P04wsmJC5LpeytM3alnawrRIwxVSHMweio:sr85C5Lpey23alnaEIN/
Score10/10-
Detect Neshta payload
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Globeimposter family
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Renames multiple (7527) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1