General
-
Target
2024-11-24_cafbacc31cdd3ecece60d7128cf8bc90_globeimposter_neshta
-
Size
93KB
-
Sample
241124-qvheds1rbs
-
MD5
cafbacc31cdd3ecece60d7128cf8bc90
-
SHA1
ab73f8a73bf1df39143e55e0c49a61238bf6cbca
-
SHA256
58a4ab673e72f1ea429d520a6d204ab43e6e3539ecd124b197ec92d50cb8079e
-
SHA512
2d3a20a496abd456b5732d8a119cc3b73bbd5bdaf7c79943c7c6c7a98254c0f6a2b017acc75ff894e06086206734841e740b1b47a864c0b1a2935c692d0457fc
-
SSDEEP
1536:JxqjQ+P04wsmJC5LpeytM3alnawrRIwxVSHMweio:sr85C5Lpey23alnaEIN/
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Music\Sample Music\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
word-break: break-all;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">��������������57 5B F7 D3 64 26 F7 9A 58 B2 78 F5 9B 15 12 93
6A 59 F7 1A FB 74 77 27 FD DA 0C 3D 11 0E 13 3E
7C D6 F4 C0 65 30 6D 24 AD F7 99 35 BB D4 B3 00
F9 C4 94 7C 4F 26 0F 9D 3A 22 87 27 98 FF A7 F2
96 1D D9 43 CF C4 B2 4C 11 95 F0 02 B8 1E D4 16
DF 30 DF FC 81 B8 1C 17 97 C5 96 41 6D F8 9D 7F
E9 69 C9 AA 5A 11 1B 12 F6 42 96 DD F0 2D 17 BA
1C 9E BD 6B CC EC 01 77 38 A3 3C 42 97 F1 6D 52
6E D3 26 4E 62 2F BD 70 42 80 68 DD 84 98 FE AA
06 92 4C C2 D0 94 85 23 F6 CE 49 F2 29 B0 96 59
F5 AA 90 B8 A2 29 9D 85 06 88 4A C2 37 1A 42 99
51 13 63 43 DF FB E7 EF 1C 2B 4E 41 C1 66 3A 8A
4D E8 10 5D CA EC 79 82 45 87 A6 DE 6F B7 48 32
96 98 7F 1A 78 A0 50 6F E9 CC F0 59 10 97 F8 20
34 53 A1 FF BB 34 1A F4 E3 4B 06 D8 10 C7 83 87
5E 82 8F AE 0E 4A 58 67 0E 70 95 FF E7 1D C2 3E
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<hr>
<b>email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
<p>* Tor-chat to always be in touch: <a href<a href<b>
</div>
</div>
</div>
<!--tab-->
<b>
<b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span>
</b><br><br> </b><br>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>��������������
Emails
Extracted
Path
C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
word-break: break-all;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">��������������0F 8C B3 D5 41 9A 6A E3 3D 3D A3 7B 70 76 2B 4E
F1 84 4A 02 16 DC 05 6F 69 BC 11 0E DE C7 A8 5E
17 11 11 4F AB CF F7 B7 81 5B 32 A5 80 40 18 A2
AC 5B 22 78 C5 D1 FC CB 69 C9 B9 34 91 C6 10 62
CE C4 D1 26 C2 98 C7 A0 37 5F 3D F8 55 C6 FD 4F
3C DD 21 5E 05 E7 52 2A 03 1A 47 B6 8D ED 14 37
27 E2 D7 FA FD 42 CD 12 24 29 62 66 79 13 60 81
C8 AF 0E 01 6B C2 A1 6A 83 55 13 01 58 3A BE FE
FE DE D2 05 0C EA BF B6 83 EC 5E B9 2F 76 45 45
65 F2 53 88 20 E1 AE B3 55 CF E2 BC 39 72 33 B2
1C 8F 0F 66 CE DF 17 5A AC 83 A3 BE BC 61 19 15
AD 16 3C FF CE FB 26 A1 0A 7E 4B 01 C7 C7 FC C3
F3 50 25 5B B5 69 16 B0 8E 84 51 36 3C F2 FC 96
5C CA 3C CB 5C D4 4B DE 92 62 4D 3B 13 DB 03 F9
7D 23 13 B6 91 2C C0 F0 92 A3 C8 BC 37 02 F8 2C
10 F0 E9 3E AB 06 5D 91 15 F2 24 BD 31 B8 29 20
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<hr>
<b>email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
<p>* Tor-chat to always be in touch: <a href<a href<b>
</div>
</div>
</div>
<!--tab-->
<b>
<b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span>
</b><br><br> </b><br>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>��������������
Emails
Targets
-
-
Target
2024-11-24_cafbacc31cdd3ecece60d7128cf8bc90_globeimposter_neshta
-
Size
93KB
-
MD5
cafbacc31cdd3ecece60d7128cf8bc90
-
SHA1
ab73f8a73bf1df39143e55e0c49a61238bf6cbca
-
SHA256
58a4ab673e72f1ea429d520a6d204ab43e6e3539ecd124b197ec92d50cb8079e
-
SHA512
2d3a20a496abd456b5732d8a119cc3b73bbd5bdaf7c79943c7c6c7a98254c0f6a2b017acc75ff894e06086206734841e740b1b47a864c0b1a2935c692d0457fc
-
SSDEEP
1536:JxqjQ+P04wsmJC5LpeytM3alnawrRIwxVSHMweio:sr85C5Lpey23alnaEIN/
Score10/10-
Detect Neshta payload
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Globeimposter family
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Renames multiple (7513) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1