General
-
Target
2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter
-
Size
55KB
-
Sample
250122-stf62stnbk
-
MD5
1748fc9c3457f6102469044a18a67095
-
SHA1
ff7a2abf8f53c2cac4d2d7d8c70b1784362414bb
-
SHA256
aec151ab1896489a13e03e2897d3facc8678ffdbd53bd08a01a2d3837f792adc
-
SHA512
3b2baccde64139657ba2cfcb17398078956b8302f32347ff344861ade61f26496e61a8f913df02ce56d7628ee58381b695fd58f92500cd0f9d0c00a9bd6d3463
-
SSDEEP
1536:3ibgutzZi79QlgTHf4tq6KhxXwr3+mG3Kk:3itz479QlOWWXKNGak
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Videos\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #303030;
}
.letter {
color: #DC143C;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>63 13 AF C0 94 1C 4D 6C E9 33 21 3E 98 8D CE 47
21 99 7A 31 FC AB 19 0F DC 71 07 6D 1C DD 8C 0F
EF AE 89 7F 2F 2A 80 15 2A D5 86 6C FC 65 EC 59
41 B1 D7 A3 6D 0A D1 C6 CC 3A 2F C5 DB 10 3D 66
61 AF 0A 64 7E 7C 77 3B 76 A3 09 00 74 AA DB B6
B4 C2 44 DD 6D D3 43 BF 79 2B E3 9F A8 0D 22 E2
CF E2 0C CE CB 32 D0 20 BF EB EC 16 5F 90 62 61
B2 9D 54 50 D2 2F 38 AF 75 16 33 04 AB A1 CB D4
88 20 EA 89 77 F5 6F 87 63 E1 34 95 49 61 F6 4B
8A B3 FB 8A 65 9F 9D 20 11 6F DE 15 A6 00 CC CD
E8 B5 50 4C 4C CF 1A 28 84 9C B0 F3 0D FE A1 85
05 78 44 33 B9 D6 71 47 A0 CF 70 9D 2B 21 71 C5
5F E6 AA 54 53 6E 39 47 A9 63 E9 EF 28 25 A5 54
5A B4 40 6E 39 C8 BE 74 58 55 C3 D4 C6 EE F0 0C
DD C1 D4 A8 70 E1 B3 D4 FF A9 68 63 74 67 A8 5C
64 BA 3C 03 F2 11 E5 24 D4 95 C9 04 3F AC F1 70
</p>
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☣ Your files are encrypted! ☣</h1>
<hr/>
<h3> To decrypt, follow the instructions below. </h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span></br>
(Or alternate mail <span class="letter"> [email protected]</span>)<p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<hr color=red>
<center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center>
<center><p style="color:#FF0000"> You can not decrypt your files cheaper than we offer you.
You can refer to other services that promise to decrypt you, BUT IT WILL BE MORE EXPENSIVE.
No one, except [email protected], will decrypt your files with a guarantee 100%. </p></center>
<hr color=red>
<ul>
<li>Only [email protected] can with a guarantee decrypt your files </li>
<li>Do not trust anyone besides [email protected]</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Extracted
Path
C:\Users\Public\Videos\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #303030;
}
.letter {
color: #DC143C;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>59 5A 51 CE 76 7B E7 86 AD E7 AF D5 FB 05 50 0E
E9 71 86 89 42 78 8D 44 5C 1B 47 FA 41 9E 55 91
CC A2 8F 5E D7 85 15 ED E8 94 8A A1 72 C1 74 2E
AE AE B0 6D F6 FF 95 7D DA 00 3A DF D2 2D 43 D9
49 52 5A 40 A5 2D F8 2F 02 4A 88 A7 6F 09 E3 16
08 23 AA 89 0B C2 44 48 3E 20 33 9C 4F C4 4A C1
8B 81 D9 17 1C C2 D8 18 62 A3 48 B8 15 04 13 E1
DE 92 11 39 1B B5 FA 73 89 32 61 D4 AD 37 82 68
31 AD C1 64 C5 16 AC 2C D9 98 25 86 70 61 70 AD
7B 59 88 C3 39 E4 5C 88 A7 45 3A BF 1F FD C5 8E
39 CD 2B DF 96 E3 37 C3 FD 35 5F 58 D4 88 CB 1F
F1 57 88 B7 72 1E 2F 13 45 F1 FF B9 2F A1 EE 56
4D F3 1D 14 9B 15 4D 6B 10 92 78 4B 9D 7B 73 BE
37 0F 47 5A 04 EF F2 D0 A4 07 2A 40 81 97 16 AD
BC FE FA 39 35 0B CF 6D B2 A8 20 8A 7D 76 A0 7A
F7 A5 E4 93 55 42 F2 A8 C6 49 A7 EC 0C 74 0E 86
</p>
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☣ Your files are encrypted! ☣</h1>
<hr/>
<h3> To decrypt, follow the instructions below. </h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span></br>
(Or alternate mail <span class="letter"> [email protected]</span>)<p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<hr color=red>
<center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center>
<center><p style="color:#FF0000"> You can not decrypt your files cheaper than we offer you.
You can refer to other services that promise to decrypt you, BUT IT WILL BE MORE EXPENSIVE.
No one, except [email protected], will decrypt your files with a guarantee 100%. </p></center>
<hr color=red>
<ul>
<li>Only [email protected] can with a guarantee decrypt your files </li>
<li>Do not trust anyone besides [email protected]</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Targets
-
-
Target
2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter
-
Size
55KB
-
MD5
1748fc9c3457f6102469044a18a67095
-
SHA1
ff7a2abf8f53c2cac4d2d7d8c70b1784362414bb
-
SHA256
aec151ab1896489a13e03e2897d3facc8678ffdbd53bd08a01a2d3837f792adc
-
SHA512
3b2baccde64139657ba2cfcb17398078956b8302f32347ff344861ade61f26496e61a8f913df02ce56d7628ee58381b695fd58f92500cd0f9d0c00a9bd6d3463
-
SSDEEP
1536:3ibgutzZi79QlgTHf4tq6KhxXwr3+mG3Kk:3itz479QlOWWXKNGak
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Globeimposter family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8652) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Clears Network RDP Connection History and Configurations
Remove evidence of malicious network connections to clean up operations traces.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
4Clear Network Connection History and Configurations
1File Deletion
3Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1