Overview

overview

10

Static

static

3

2025-03-09...er.exe

windows7-x64

10

2025-03-09...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2025, 16:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-09_87912357fbb9a6c364e6bcd19c4a18a3_globeimposter.exe

  • Size

    56KB

  • MD5

    87912357fbb9a6c364e6bcd19c4a18a3

  • SHA1

    95e29b3707f52e95cb0fd70a8da55316c5531acf

  • SHA256

    3e0fb8b5ebfa831551eb3c713fe69ca4bca935716877693aab5cba444439cec8

  • SHA512

    ceadd7f42a89f66f9a8a24b29d9f6ad8464ed9e17c7d99ea0dc38e7dbd5b8a3ed180dae9cb77c527eea5c7d057e32c26b355aaa8b84674f951b73dda890c2620

  • SSDEEP

    1536:z6sjkfV+KJolntwrbDSTWvTwhQMhmpdLz0:z6s4fIKJolntGDT5qm3L

Score
10/10
globeimposterpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>���������������A2 3C F5 A9 74 EB 19 57 0B 45 CC AE EA C3 E7 A0 D6 5B FD 2B B0 1C 9E 5B 64 FA 97 13 F9 47 D7 20 92 10 D1 34 D6 7E FF 71 75 6E 15 AE D0 31 4B 45 6D 29 86 9F C8 F3 54 EE 3E A7 BC 0E 61 80 A2 0A 4F 52 72 2A D2 75 81 D5 01 74 F9 19 A8 85 B9 63 C4 BF FE A2 75 C0 6A FB FC DC F9 95 7E 12 A4 22 3E 59 51 7C 04 78 58 E3 C6 CA 16 16 7B E7 99 5D 36 78 A4 3B 43 AF 91 A7 96 5F 2C 49 79 EC 43 1D B8 B6 38 2E 13 DD 4A 0C B8 71 8F ED 1F 67 F3 8B 6F 75 B3 C6 80 E5 6A 8E 6A 4F AD FD EE 4B B6 38 06 1B E0 52 1E 1B E4 82 56 1D DD CD 31 33 13 0B D3 96 CF BC 32 C4 94 D8 8E 3A EB 0F 6C A5 17 CA 85 33 4B FD 80 4A 42 FA 34 65 1C B3 B3 87 EF DF 10 34 B8 AD 6C BE E9 11 43 CE 22 F3 AE 48 78 92 DC 7B C2 D8 DD 0F A7 5E B0 F7 77 2E A1 4E 0A 0A 7F 57 AD 8B AF 49 6D 81 7D 0A 95 C3 CC A2 5E 7A </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your corporate network locked! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> <h3>To restore files you will need a decryptor!</h3> <center>To get the decryptor you should:</center></br> <center>Pay for decrypt your network - 0.5 BTC </center></br> <div align="left"> <strong>Buy BTC on one of these sites</strong> </div> <div align="left"> <ol> <li><strong>https://binance.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>Any site you trust</strong></li> </ol> </div> <div align="left"> <h1><br> </h1> </div> <div align="left"> &#10004; Bitcoin Wallet: 3FmLKtBZB435pwa8BTknPKXsUeYkRu4u82 <center> </center></br> &#10004; Send $1000 usd in BTC for decrypt <center> </center></br> &#10004; Our contacts: <center> </center></br> &#128386; email: [email protected] <center> </center></br> &#9998; ToxID: 9CDB535E2DFE3DFAFF17A2263A03A684B816FC9E69F159301D25E56C8EB47C32468D0F8129BD <center> </center></br> &#9998; You can download TOXChat here : <a href=>https://tox.chat/download.html</a> <center> </center></br> The message must contain your Personal ID! it is at top of this document. <center> </center></br> <center> </center></br> <center> <span style="color: #FF4500;"> Never pay to any other addresse BTC than those listed here! We do not use any other messengers except TOX and the contact listed here! Remember! Turning to an intermediary - you risk losing your money, always ask for help yourself using the contacts indicated in this document.</span></p> </center></br> <center>----------------------------------------------------------------------------- <center> </center></br> <center> </center></br> <center> </center></br> <center> &#169; 2025 Suffering Corporation | All Rights Reserved.</center></br> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ���������
Wallets

3FmLKtBZB435pwa8BTknPKXsUeYkRu4u82

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Globeimposter family
    globeimposter
  • Renames multiple (7409) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 37 IoCs
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-09_87912357fbb9a6c364e6bcd19c4a18a3_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-09_87912357fbb9a6c364e6bcd19c4a18a3_globeimposter.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Videos\how_to_back_files.html
    Filesize

    5KB

    MD5

    05352038c4ad1b8526494ac84a85cc14

    SHA1

    85578c0ee9deb92e41b518621072ead8d2ff55c1

    SHA256

    fa2758ca83140ef680eae2a8ce4692c3185142e879aef3bbbf8a959a6d16a2b1

    SHA512

    f6c87ffd9bdf194acd6765920a239c9f1a34b2c56b6ede94ec32824b917e0c797bed9d533ef22387bb21b076b7d99581c268d64d594ac506b820e63813ab72f1

    Download Submit

  • memory/2420-0-0x0000000000400000-0x000000000040EE00-memory.dmp

    Filesize

    59KB

    Download

  • memory/2420-670-0x0000000000400000-0x000000000040EE00-memory.dmp

    Filesize

    59KB

    Download