General
-
Target
2025-04-06_c68fae1bc0f9c1258fa63c42401ef194_globeimposter
-
Size
53KB
-
Sample
250406-bkyw3a1qx9
-
MD5
c68fae1bc0f9c1258fa63c42401ef194
-
SHA1
e019a08ea29e2124a336bd9ba57ff34a0da10183
-
SHA256
80de97c40e0f1a1fe2577494fd58f950333f38429501a6a0091ac5073f04b841
-
SHA512
13d37fb9b01db9d44381ebbfa512a4f612d29ca403e266b453fc7e87fc4b7ff3bcd7ea745be0e4e57e6a4e1ca0a97ff6fd07818756585e9479da3641e2470725
-
SSDEEP
1536:KjkfV+KJolntwrbDSTWvTwhQMhmpdLZTh:K4fIKJolntGDT5qm3LZTh
Static task
static1
Behavioral task
behavioral1
Sample
2025-04-06_c68fae1bc0f9c1258fa63c42401ef194_globeimposter.exe
Resource
win10v2004-20250314-en
Malware Config
Targets
-
Globeimposter family
-
Renames multiple (9147) files with added filename extension
This suggests ransomware activity: the files on the system are being encrypted.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)