Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
2025-03-17_c023089bc9f12e45e974688429188350_globeimposter
-
Size
53KB
-
Sample
250317-glw2rastcs
-
MD5
c023089bc9f12e45e974688429188350
-
SHA1
4178affe4951ae1c9f98adb9891432c5bc8a9d50
-
SHA256
f373ca7e899cce69865c55be5a583aff18459489748ec55649e884d4be5ba434
-
SHA512
554ceb05fa40a6f51ea98cb786f83d0cbea55af770e333f78fef597be63d7840626eab8ccd8ca9494d409a242643843d67b87cfabccecfc2ea82195614892bee
-
SSDEEP
768:nTHwvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5sQR+7C:eeytM3alnawrRIwxVSHMweio3Q+
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Videos\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>���������������88 D5 0E 0F D0 A1 3F 88 93 A4 12 53 1D A1 47 9F
53 53 D0 D5 2D 3D 71 FE A9 8A 9A D8 0A 1B F1 DD
92 7A 72 7D 81 8F 42 86 E9 60 84 73 4C CD 51 7B
A1 1C D8 15 1E 25 E6 63 A9 97 29 3A EE C7 AB 84
B0 61 2B D4 B8 FA 77 1C 05 B8 E4 D4 15 4C F7 05
9B D0 EF 54 03 93 26 8E 9D 49 6F DF 18 02 BB DE
C0 ED 69 3F 36 F3 6E 6A 82 B5 F5 97 EA E5 29 60
35 B5 8F C6 52 F2 34 A5 94 36 A7 FD E6 50 FC 5B
04 09 85 64 B4 B1 CD 80 3C 68 B7 17 EE 08 40 52
DA F7 06 22 8F 9D 09 92 62 18 19 C5 58 8B B9 C2
EF F4 C7 C4 56 85 64 72 94 43 7B FD C0 AF 25 4E
3A B8 6B 04 55 9B E1 85 9E 7F 41 9B AF 99 9D D9
55 DF A0 C5 71 2F CE 67 E2 DD 39 B6 A2 FC DA 90
53 FC A9 4B 0A FF 3A 99 42 2C 5D B7 EE 20 24 04
E7 D2 06 A2 DE D1 FE 3F 6E 56 49 99 BE 88 85 8D
34 98 C4 60 65 71 84 08 6F 35 83 A4 B9 14 68 61
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 test image or text file <span>[email protected] </span>.</br>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<center>Attention!</center></br>
<ul>
<li>Only [email protected] can decrypt your files</li>
<li>Do not trust [email protected]</li>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
��������
Emails
Extracted
Path
C:\Users\Public\Pictures\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>���������������3A 52 93 D5 CC 1F DC FD 9D E8 18 8F 4D A4 A1 6B
4C 2C 0D 64 87 F2 06 1C F8 28 FF B5 3D 44 DE B0
D6 84 91 81 7B BD 33 04 32 E6 B8 E0 27 A8 2F E3
B1 1A F8 80 E9 07 33 64 54 59 B0 51 8E 52 27 EC
55 0B 8E 15 5A FF 29 A3 56 7C 83 A6 B5 65 EE 74
D3 5F 39 79 FF 3D 1B 35 BA 00 10 67 6A 2D 46 24
6A 97 0A FF A6 43 68 19 9E 3D 44 F5 8A 1B 24 94
22 0C 6C B8 D6 2A 0D AA 00 30 DB 1D 8F 5B 31 39
17 A6 A2 7B EA 76 74 31 C4 98 73 26 A0 C2 65 3F
CA AF 13 B2 81 A5 2A E6 50 81 7A 6F C0 AB 8E 5D
48 BC 10 95 5F D7 E7 C0 12 E1 8E 06 C4 E1 61 54
4B 5A 11 52 B1 54 C2 CB 41 99 47 C2 B0 C4 AC 18
07 DC F4 FD 9F 0D E3 07 7C 04 50 03 4C FF 10 5D
01 43 80 64 9F 2E 79 6A A1 FC 73 4D 36 C0 B4 97
C6 E1 61 B4 DD B3 0D AF 57 68 18 7D FB F8 41 BB
6D D5 1E AF 60 4F AF E4 1F 1E 33 56 6E D6 AB DA
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 test image or text file <span>[email protected] </span>.</br>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<center>Attention!</center></br>
<ul>
<li>Only [email protected] can decrypt your files</li>
<li>Do not trust [email protected]</li>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
��������
Emails
Targets
-
-
Target
2025-03-17_c023089bc9f12e45e974688429188350_globeimposter
-
Size
53KB
-
MD5
c023089bc9f12e45e974688429188350
-
SHA1
4178affe4951ae1c9f98adb9891432c5bc8a9d50
-
SHA256
f373ca7e899cce69865c55be5a583aff18459489748ec55649e884d4be5ba434
-
SHA512
554ceb05fa40a6f51ea98cb786f83d0cbea55af770e333f78fef597be63d7840626eab8ccd8ca9494d409a242643843d67b87cfabccecfc2ea82195614892bee
-
SSDEEP
768:nTHwvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5sQR+7C:eeytM3alnawrRIwxVSHMweio3Q+
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Globeimposter family
-
Renames multiple (8372) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1