Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2025-03-09...er.exe

windows7-x64

10

2025-03-09...er.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-03-09_87912357fbb9a6c364e6bcd19c4a18a3_globeimposter

  • Size

    56KB

  • Sample

    250309-t4a88avrv8

  • MD5

    87912357fbb9a6c364e6bcd19c4a18a3

  • SHA1

    95e29b3707f52e95cb0fd70a8da55316c5531acf

  • SHA256

    3e0fb8b5ebfa831551eb3c713fe69ca4bca935716877693aab5cba444439cec8

  • SHA512

    ceadd7f42a89f66f9a8a24b29d9f6ad8464ed9e17c7d99ea0dc38e7dbd5b8a3ed180dae9cb77c527eea5c7d057e32c26b355aaa8b84674f951b73dda890c2620

  • SSDEEP

    1536:z6sjkfV+KJolntwrbDSTWvTwhQMhmpdLz0:z6s4fIKJolntGDT5qm3L

Score
10/10
globeimposterdiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>���������������8D 57 34 4C 81 AF 1D 0B C9 29 D8 D7 D9 74 8A 91 3D ED 36 E6 27 AD D4 C6 FB 82 23 29 F9 4C AE E8 EA 35 DD E6 D8 24 61 7B 04 FE 3E F0 3D 5A 74 07 0A 05 58 06 AF 58 67 2A 87 EF CE 45 DC 90 D7 05 00 19 71 0A A5 F8 2F B2 69 FE C3 96 CE 54 FC B1 B5 67 18 B7 B0 F0 E2 F6 3D 2A BF 34 37 AC FB 00 A4 62 F2 69 72 14 68 47 3C 32 C8 4D 17 FE 6F CA 8F 74 A4 A7 8E A8 ED A9 A8 5C AD E3 0E B6 E7 20 D9 D5 E9 7E 37 10 84 C3 49 71 B6 4B D3 F1 68 18 EE DF 9E F0 F1 5E 8B D9 B8 D8 09 22 F7 56 47 7D 30 43 1D 8B 37 C9 F3 36 15 4E 7A 74 96 9A B3 A9 94 36 92 E2 AA 0C 27 0D 57 3C 98 9C 3E 62 58 B9 F8 E2 BB 92 28 60 48 6D F2 B8 DA E6 BF AE 85 33 83 90 7B 9F 22 1D 32 1E B4 3B 1C EA B3 B0 18 03 4C FA 41 B9 1D 26 82 4E EC 06 11 76 E7 BD 16 A1 83 77 9A 8A 20 77 B5 D2 34 0A A2 40 8F 61 E2 CA </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your corporate network locked! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> <h3>To restore files you will need a decryptor!</h3> <center>To get the decryptor you should:</center></br> <center>Pay for decrypt your network - 0.5 BTC </center></br> <div align="left"> <strong>Buy BTC on one of these sites</strong> </div> <div align="left"> <ol> <li><strong>https://binance.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>Any site you trust</strong></li> </ol> </div> <div align="left"> <h1><br> </h1> </div> <div align="left"> &#10004; Bitcoin Wallet: 3FmLKtBZB435pwa8BTknPKXsUeYkRu4u82 <center> </center></br> &#10004; Send $1000 usd in BTC for decrypt <center> </center></br> &#10004; Our contacts: <center> </center></br> &#128386; email: [email protected] <center> </center></br> &#9998; ToxID: 9CDB535E2DFE3DFAFF17A2263A03A684B816FC9E69F159301D25E56C8EB47C32468D0F8129BD <center> </center></br> &#9998; You can download TOXChat here : <a href=>https://tox.chat/download.html</a> <center> </center></br> The message must contain your Personal ID! it is at top of this document. <center> </center></br> <center> </center></br> <center> <span style="color: #FF4500;"> Never pay to any other addresse BTC than those listed here! We do not use any other messengers except TOX and the contact listed here! Remember! Turning to an intermediary - you risk losing your money, always ask for help yourself using the contacts indicated in this document.</span></p> </center></br> <center>----------------------------------------------------------------------------- <center> </center></br> <center> </center></br> <center> </center></br> <center> &#169; 2025 Suffering Corporation | All Rights Reserved.</center></br> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ���������
Wallets

3FmLKtBZB435pwa8BTknPKXsUeYkRu4u82

Extracted

Path

C:\Users\Public\Pictures\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>���������������8B 8B 99 B3 81 3D 7C A1 5E A1 B3 B5 95 C7 67 8D DB E3 0D 24 53 9D 16 E3 33 4F 6D 15 91 CA 00 F8 63 E1 C6 BE 47 1D 3F 4B BB 46 BC 8F C4 E3 A7 49 EA DA 95 4D 8A 45 66 0E 07 9F 0B 1B 6B 5A 68 EC EE 02 B7 FE 34 79 73 83 78 38 02 56 86 D2 5C AC 66 55 69 90 9C C5 98 AD 3B 1B 83 5E EC 5A C5 40 01 DF A3 AC A0 9B C8 FC 52 C1 5D 4B 78 16 B5 DA F4 07 20 D3 78 A7 44 8F E0 B4 D7 DB 62 BC BB 94 AD 1C 10 79 A0 DB C0 A5 2B 80 BF 8B C4 51 5A 9D 02 0D 93 29 A6 52 B5 A3 C8 33 36 E2 AE 37 F3 CF 49 CB C9 F6 CF E3 C8 2E EA DE E8 12 CD D4 BC 9D 7D 68 16 27 78 9D 93 5A 23 52 0B E7 40 44 C1 C4 2E AC 60 58 6B 0F 00 88 99 57 9D 2F 99 6B C8 D0 C7 3B 1C 51 15 10 94 6A F0 D0 39 C2 E2 5B 64 B8 86 12 8F 4D 65 8A 3A 60 3D 4F 97 B2 71 79 07 09 B0 C1 E3 0C 87 54 E4 F1 32 42 03 53 11 23 24 1B </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your corporate network locked! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> <h3>To restore files you will need a decryptor!</h3> <center>To get the decryptor you should:</center></br> <center>Pay for decrypt your network - 0.5 BTC </center></br> <div align="left"> <strong>Buy BTC on one of these sites</strong> </div> <div align="left"> <ol> <li><strong>https://binance.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>Any site you trust</strong></li> </ol> </div> <div align="left"> <h1><br> </h1> </div> <div align="left"> &#10004; Bitcoin Wallet: 3FmLKtBZB435pwa8BTknPKXsUeYkRu4u82 <center> </center></br> &#10004; Send $1000 usd in BTC for decrypt <center> </center></br> &#10004; Our contacts: <center> </center></br> &#128386; email: [email protected] <center> </center></br> &#9998; ToxID: 9CDB535E2DFE3DFAFF17A2263A03A684B816FC9E69F159301D25E56C8EB47C32468D0F8129BD <center> </center></br> &#9998; You can download TOXChat here : <a href=>https://tox.chat/download.html</a> <center> </center></br> The message must contain your Personal ID! it is at top of this document. <center> </center></br> <center> </center></br> <center> <span style="color: #FF4500;"> Never pay to any other addresse BTC than those listed here! We do not use any other messengers except TOX and the contact listed here! Remember! Turning to an intermediary - you risk losing your money, always ask for help yourself using the contacts indicated in this document.</span></p> </center></br> <center>----------------------------------------------------------------------------- <center> </center></br> <center> </center></br> <center> </center></br> <center> &#169; 2025 Suffering Corporation | All Rights Reserved.</center></br> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ���������
Wallets

3FmLKtBZB435pwa8BTknPKXsUeYkRu4u82

Targets

    • Target

      2025-03-09_87912357fbb9a6c364e6bcd19c4a18a3_globeimposter

    • Size

      56KB

    • MD5

      87912357fbb9a6c364e6bcd19c4a18a3

    • SHA1

      95e29b3707f52e95cb0fd70a8da55316c5531acf

    • SHA256

      3e0fb8b5ebfa831551eb3c713fe69ca4bca935716877693aab5cba444439cec8

    • SHA512

      ceadd7f42a89f66f9a8a24b29d9f6ad8464ed9e17c7d99ea0dc38e7dbd5b8a3ed180dae9cb77c527eea5c7d057e32c26b355aaa8b84674f951b73dda890c2620

    • SSDEEP

      1536:z6sjkfV+KJolntwrbDSTWvTwhQMhmpdLz0:z6s4fIKJolntGDT5qm3L

    Score
    10/10
    globeimposterpersistenceransomwarespywarestealerdiscovery

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

      ransomwareglobeimposter

    • Globeimposter family

      globeimposter

    • Renames multiple (6065) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks