Overview

overview

10

Static

static

3

2025-03-09...er.exe

windows7-x64

10

2025-03-09...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2025, 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-09_87912357fbb9a6c364e6bcd19c4a18a3_globeimposter.exe

  • Size

    56KB

  • MD5

    87912357fbb9a6c364e6bcd19c4a18a3

  • SHA1

    95e29b3707f52e95cb0fd70a8da55316c5531acf

  • SHA256

    3e0fb8b5ebfa831551eb3c713fe69ca4bca935716877693aab5cba444439cec8

  • SHA512

    ceadd7f42a89f66f9a8a24b29d9f6ad8464ed9e17c7d99ea0dc38e7dbd5b8a3ed180dae9cb77c527eea5c7d057e32c26b355aaa8b84674f951b73dda890c2620

  • SSDEEP

    1536:z6sjkfV+KJolntwrbDSTWvTwhQMhmpdLz0:z6s4fIKJolntGDT5qm3L

Score
10/10
globeimposterpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>���������������8D 57 34 4C 81 AF 1D 0B C9 29 D8 D7 D9 74 8A 91 3D ED 36 E6 27 AD D4 C6 FB 82 23 29 F9 4C AE E8 EA 35 DD E6 D8 24 61 7B 04 FE 3E F0 3D 5A 74 07 0A 05 58 06 AF 58 67 2A 87 EF CE 45 DC 90 D7 05 00 19 71 0A A5 F8 2F B2 69 FE C3 96 CE 54 FC B1 B5 67 18 B7 B0 F0 E2 F6 3D 2A BF 34 37 AC FB 00 A4 62 F2 69 72 14 68 47 3C 32 C8 4D 17 FE 6F CA 8F 74 A4 A7 8E A8 ED A9 A8 5C AD E3 0E B6 E7 20 D9 D5 E9 7E 37 10 84 C3 49 71 B6 4B D3 F1 68 18 EE DF 9E F0 F1 5E 8B D9 B8 D8 09 22 F7 56 47 7D 30 43 1D 8B 37 C9 F3 36 15 4E 7A 74 96 9A B3 A9 94 36 92 E2 AA 0C 27 0D 57 3C 98 9C 3E 62 58 B9 F8 E2 BB 92 28 60 48 6D F2 B8 DA E6 BF AE 85 33 83 90 7B 9F 22 1D 32 1E B4 3B 1C EA B3 B0 18 03 4C FA 41 B9 1D 26 82 4E EC 06 11 76 E7 BD 16 A1 83 77 9A 8A 20 77 B5 D2 34 0A A2 40 8F 61 E2 CA </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your corporate network locked! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> <h3>To restore files you will need a decryptor!</h3> <center>To get the decryptor you should:</center></br> <center>Pay for decrypt your network - 0.5 BTC </center></br> <div align="left"> <strong>Buy BTC on one of these sites</strong> </div> <div align="left"> <ol> <li><strong>https://binance.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>Any site you trust</strong></li> </ol> </div> <div align="left"> <h1><br> </h1> </div> <div align="left"> &#10004; Bitcoin Wallet: 3FmLKtBZB435pwa8BTknPKXsUeYkRu4u82 <center> </center></br> &#10004; Send $1000 usd in BTC for decrypt <center> </center></br> &#10004; Our contacts: <center> </center></br> &#128386; email: [email protected] <center> </center></br> &#9998; ToxID: 9CDB535E2DFE3DFAFF17A2263A03A684B816FC9E69F159301D25E56C8EB47C32468D0F8129BD <center> </center></br> &#9998; You can download TOXChat here : <a href=>https://tox.chat/download.html</a> <center> </center></br> The message must contain your Personal ID! it is at top of this document. <center> </center></br> <center> </center></br> <center> <span style="color: #FF4500;"> Never pay to any other addresse BTC than those listed here! We do not use any other messengers except TOX and the contact listed here! Remember! Turning to an intermediary - you risk losing your money, always ask for help yourself using the contacts indicated in this document.</span></p> </center></br> <center>----------------------------------------------------------------------------- <center> </center></br> <center> </center></br> <center> </center></br> <center> &#169; 2025 Suffering Corporation | All Rights Reserved.</center></br> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ���������
Wallets

3FmLKtBZB435pwa8BTknPKXsUeYkRu4u82

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Globeimposter family
    globeimposter
  • Renames multiple (6065) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 37 IoCs
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-09_87912357fbb9a6c364e6bcd19c4a18a3_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-09_87912357fbb9a6c364e6bcd19c4a18a3_globeimposter.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:2128

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Videos\how_to_back_files.html
    Filesize

    5KB

    MD5

    0238100dd38c3da16bb5098857fa14af

    SHA1

    52cd046a75d86d2eb79b43ef4116f40944f0b578

    SHA256

    bfe176a95189e25206feb6d41c81820e52450e300c36cb2ee0937fbfbbd827f4

    SHA512

    fb312f76c43c8d5b7c7a65501b570d6e44c1f6ed3ab79f56a85d8a74d7e3db08f61a11ff0a6424bcaa823152f1e8e0df1c95e353b58ed5223dcb5c638a9cb887

    Download Submit

  • memory/2128-0-0x0000000000400000-0x000000000040EE00-memory.dmp

    Filesize

    59KB

    Download

  • memory/2128-519-0x0000000000400000-0x000000000040EE00-memory.dmp

    Filesize

    59KB

    Download