General
-
Target
58a4ab673e72f1ea429d520a6d204ab43e6e3539ecd124b197ec92d50cb8079eN.exe
-
Size
93KB
-
Sample
241129-tr7fwsvmhv
-
MD5
cafbacc31cdd3ecece60d7128cf8bc90
-
SHA1
ab73f8a73bf1df39143e55e0c49a61238bf6cbca
-
SHA256
58a4ab673e72f1ea429d520a6d204ab43e6e3539ecd124b197ec92d50cb8079e
-
SHA512
2d3a20a496abd456b5732d8a119cc3b73bbd5bdaf7c79943c7c6c7a98254c0f6a2b017acc75ff894e06086206734841e740b1b47a864c0b1a2935c692d0457fc
-
SSDEEP
1536:JxqjQ+P04wsmJC5LpeytM3alnawrRIwxVSHMweio:sr85C5Lpey23alnaEIN/
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Music\Sample Music\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
word-break: break-all;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">��������������7F 6D 0B A9 16 36 7E A7 B6 F2 C7 9A 17 60 3B 4C
07 2C 71 F9 BA 27 C2 E7 FA C7 2C E5 26 6B C9 8B
D0 23 29 66 44 F0 AD B3 5C 20 16 57 C5 1B A5 89
DA 8D 3A 19 FC 15 91 F8 0B DB DB 8A B1 9F 54 A3
65 69 35 D9 72 04 60 DB 5C C9 96 05 F4 F5 62 87
C1 87 47 96 8F 52 57 AF 6F C6 26 17 81 A2 85 0C
38 03 38 F2 7B 5B F2 2F F2 D0 56 5B E0 D4 A6 EE
64 42 E9 CF A1 EB 26 47 C7 79 3D 17 B9 A7 65 5E
8D A2 FB 33 01 4D 4B 2E 7C 9D 2A 5A 91 4E C1 66
A1 6C 95 41 F2 DA 22 E0 F2 54 4D 8C B1 21 38 1E
BF 92 6C FE 59 40 5E 1C 1C 55 3C 2C 19 9A 2C F4
77 39 D3 65 DB 46 50 82 C7 76 F1 28 0A 94 FE AE
16 00 C9 D6 79 8E 44 8E A8 07 00 C1 47 DA C7 91
0C 9D 7D 31 79 1A 5B FF 27 C3 1F C3 59 28 DD 14
35 BB 08 FC 1F 46 9B D9 1B 13 43 2D 28 88 FF D1
3B DC 7A 56 CE C4 16 F0 15 10 BE 2D 6A 4F E2 43
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<hr>
<b>email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
<p>* Tor-chat to always be in touch: <a href<a href<b>
</div>
</div>
</div>
<!--tab-->
<b>
<b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span>
</b><br><br> </b><br>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>��������������
Emails
Extracted
Path
C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
word-break: break-all;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">��������������3C 9D CD B0 66 CD 99 3F 79 78 2A F5 21 28 4F ED
B2 E3 D2 14 90 D3 B6 56 1A 64 12 A0 F4 C4 21 80
38 2F 3E C7 3F D6 99 BE 2A 95 80 23 F9 FC 84 1A
A0 A8 3E 51 19 B3 9B EF 10 D1 1C 57 94 70 83 7E
99 F3 1F 1E 7A 7C 33 3B 6D 47 A0 D9 F4 17 21 FB
B0 7E 94 7B D1 A2 51 B6 C6 C7 D7 F5 1F 30 36 88
E2 88 94 6F 89 57 BD 7C 57 0A 09 6B 99 5E AF 91
EB C7 61 AD 45 D6 B3 7A 19 D3 24 05 77 6E A6 BF
4D 8C AB 1B EC F4 70 30 97 B1 64 54 A7 97 D9 0F
D2 01 2D BA 21 9F 43 DE 16 91 5F 7E CE F4 A3 AA
78 87 E1 28 03 E6 91 0D 5A 64 C3 1E 14 80 DA E2
80 F8 A8 6F 4B ED CA C9 29 69 7C 95 6B 01 AD 62
C2 D9 D4 DE AA 2C FB BA 5F 1A E9 35 0A 4F 6B 92
0A EB B2 6F B2 5E 41 C5 43 56 DA 99 8B 40 6E FA
AF 08 AA F1 46 E8 F1 5A A0 02 01 B3 C4 42 69 44
95 22 DD 7C 63 31 11 2A 83 12 AD 19 28 75 92 D4
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<hr>
<b>email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
<p>* Tor-chat to always be in touch: <a href<a href<b>
</div>
</div>
</div>
<!--tab-->
<b>
<b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span>
</b><br><br> </b><br>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>��������������
Emails
Targets
-
-
Target
58a4ab673e72f1ea429d520a6d204ab43e6e3539ecd124b197ec92d50cb8079eN.exe
-
Size
93KB
-
MD5
cafbacc31cdd3ecece60d7128cf8bc90
-
SHA1
ab73f8a73bf1df39143e55e0c49a61238bf6cbca
-
SHA256
58a4ab673e72f1ea429d520a6d204ab43e6e3539ecd124b197ec92d50cb8079e
-
SHA512
2d3a20a496abd456b5732d8a119cc3b73bbd5bdaf7c79943c7c6c7a98254c0f6a2b017acc75ff894e06086206734841e740b1b47a864c0b1a2935c692d0457fc
-
SSDEEP
1536:JxqjQ+P04wsmJC5LpeytM3alnawrRIwxVSHMweio:sr85C5Lpey23alnaEIN/
Score10/10-
Detect Neshta payload
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Globeimposter family
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Renames multiple (7521) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1