Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
2025-03-21_40bf68ccfd6cc1e938c30faff5ea82eb_globeimposter
-
Size
55KB
-
Sample
250321-rt82dsvkv5
-
MD5
40bf68ccfd6cc1e938c30faff5ea82eb
-
SHA1
47cecf43767573b747dbd90eb867309b317a1f31
-
SHA256
f097296a2299a5647911101d715f20a718124729114cd20c451354d653fbee11
-
SHA512
ce754158c6ed422959b221cc0099ece44f45de8c34e92dfa9b8c5c739f262d604f8b6439a965ca24c72b2ac80a4a6f0df7e1858daf2cd62a6a27f4bce9380da0
-
SSDEEP
1536:8bgutzZi79QlgTHf4tq6KhxXwr3+i/EM:8tz479QlOWWXKpf
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Videos\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #303030;
}
.letter {
color: #DC143C;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>41 AA 23 1F 3D 88 CC BD DA 68 27 07 52 98 E0 47
CF 59 3E 6C 00 53 77 B3 AB 78 EF 26 69 6D D9 8E
AD 2D 06 6A 2D 14 99 10 38 61 8A 56 60 C8 22 EF
2B 59 0E 7E CF DD FE 65 88 55 6E 3C BF FD E6 49
3D 4F 11 E5 75 5C 33 B6 89 E0 95 33 6F 55 09 A3
6D 35 10 96 D2 EC E8 EC F9 BA 9C E9 35 49 D4 78
2B D1 86 D0 81 53 97 87 7D B1 AE 5B 22 5D 50 49
03 D3 16 6C 43 39 4E B0 08 C5 5D CA FD A3 BE E5
4D F3 1B 12 97 4E AE 49 48 81 D7 67 C8 17 5D 07
3E A8 55 C6 12 2F 70 B6 75 66 FD 50 AA 0D 55 44
C9 8A A3 EF 12 44 7A F8 DE 1C 12 93 6A A5 1A A1
68 A2 2C 39 B3 80 98 42 B2 11 B2 82 9B D4 A6 D8
E5 6A 4A 2A BF AE B0 E0 69 53 F7 00 7A 81 66 B3
6F 1D 07 AC 20 49 15 EB CE 51 A9 0E 60 C5 95 20
AD 7F 91 46 E3 5A 18 17 E2 B3 DF 21 60 76 48 70
3C 6C 0B C7 AC 16 0A C6 AF ED C4 81 D6 EF 08 11
</p>
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☣ Your files are encrypted! ☣</h1>
<hr/>
<h3> To decrypt, follow the instructions below. </h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span></br>
(Or alternate mail <span class="letter"> [email protected]</span>)<p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<hr color=red>
<center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center>
<center><p style="color:#FF0000"> You can not decrypt your files cheaper than we offer you.
You can refer to other services that promise to decrypt you, BUT IT WILL BE MORE EXPENSIVE.
No one, except [email protected], will decrypt your files with a guarantee 100%. </p></center>
<hr color=red>
<ul>
<li>Only [email protected] can with a guarantee decrypt your files </li>
<li>Do not trust anyone besides [email protected]</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Extracted
Path
C:\Users\Public\Pictures\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #303030;
}
.letter {
color: #DC143C;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>47 0A A3 FD 04 59 79 C7 C7 A9 13 BF B1 5D BE F9
72 D3 A4 E6 17 A7 71 1C BF 8D 25 FE BD 97 83 BE
FF AE 58 B1 83 B8 26 7B E9 05 1B B7 D3 54 69 5D
32 F8 C6 4B 40 76 EC 3D D1 07 0E 78 78 74 D2 7C
F5 38 02 02 3D 33 71 83 E1 48 E0 9C 12 6A 4B 1F
27 77 DA E9 93 9A 9C 5F AA B1 EF 1C 10 D8 A8 ED
4A C3 7C 1A FD CB B6 E0 60 FA 3D 8D 4B 03 1F 3E
85 88 BB B4 D4 53 D9 20 48 C7 8B AB 1F C8 2D F3
9D 46 35 DE 2E F7 C9 E4 14 B1 76 BD 2C 6E BE B6
D9 CE 14 12 59 3B A1 4B AC BF 29 74 DC 73 10 DC
D3 C0 D5 3B FD DC 45 AF A0 1B 5F B3 DE 30 43 6F
25 45 C0 92 11 B4 1F 70 54 14 48 19 08 FF 20 49
BF 59 E1 D5 99 BD 6F 67 35 BD 75 37 22 FC A1 AB
6F 37 D5 F8 2B C8 11 B8 E7 6C 59 39 B6 3F 47 97
4D 1D 86 0C 8C 1A A7 30 26 84 79 98 9A 65 1D AC
72 BF EE 13 C8 60 FF F5 E5 90 7E 92 10 09 DC B4
</p>
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☣ Your files are encrypted! ☣</h1>
<hr/>
<h3> To decrypt, follow the instructions below. </h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span></br>
(Or alternate mail <span class="letter"> [email protected]</span>)<p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<hr color=red>
<center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center>
<center><p style="color:#FF0000"> You can not decrypt your files cheaper than we offer you.
You can refer to other services that promise to decrypt you, BUT IT WILL BE MORE EXPENSIVE.
No one, except [email protected], will decrypt your files with a guarantee 100%. </p></center>
<hr color=red>
<ul>
<li>Only [email protected] can with a guarantee decrypt your files </li>
<li>Do not trust anyone besides [email protected]</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Targets
-
-
Target
2025-03-21_40bf68ccfd6cc1e938c30faff5ea82eb_globeimposter
-
Size
55KB
-
MD5
40bf68ccfd6cc1e938c30faff5ea82eb
-
SHA1
47cecf43767573b747dbd90eb867309b317a1f31
-
SHA256
f097296a2299a5647911101d715f20a718124729114cd20c451354d653fbee11
-
SHA512
ce754158c6ed422959b221cc0099ece44f45de8c34e92dfa9b8c5c739f262d604f8b6439a965ca24c72b2ac80a4a6f0df7e1858daf2cd62a6a27f4bce9380da0
-
SSDEEP
1536:8bgutzZi79QlgTHf4tq6KhxXwr3+i/EM:8tz479QlOWWXKpf
Score10/10-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Globeimposter family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8706) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Clears Network RDP Connection History and Configurations
Remove evidence of malicious network connections to clean up operations traces.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
4Clear Network Connection History and Configurations
1File Deletion
3Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1