General

  • Target

    22690936904.zip

  • Size

    34KB

  • Sample

    250605-ankm6syve1

  • MD5

    5a2f950bf5262330d50636c42af4fcd2

  • SHA1

    849ad09e2823fdfbe7d990ea5ab1d8786825e484

  • SHA256

    2a803e948cdc5d3122b59f4421b77d059e14a577b8b56570c9ba472992adf184

  • SHA512

    300787d1c7253249d985407bb02a1a62d6813d849119da06ce87dcf816da48c9f9555e82442380414a042224c5c6d2e7c35adc804885e52b16931dcca1b94312

  • SSDEEP

    768:eAB5CDMEqPc35+EnrEaBzocaW0Rta9poxdVff/7WGT6CznBV0amKjDa:ezwPkpPTpaxsorVXjWGThznP0amKjDa

Malware Config

Extracted

Path

C:\Users\Public\Pictures\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>82 7C 18 71 5A EE 35 8D 78 1C A1 30 51 4D 59 58 A9 E6 A4 62 83 95 54 C8 FD 35 D0 A1 1E 60 4B 28 C6 EF C0 61 2F 86 7E 62 DC 64 C5 C3 58 33 2C 12 6E B5 3E 10 94 8A E4 15 D5 DB 05 DC F6 EC 0F 69 12 D0 03 A9 85 D1 D7 68 33 8B 3B 3F 89 CF 49 F5 7C BF 7C C9 D7 B3 96 3B 50 31 3A FF F5 AA 4B FA CB E3 8F 86 7D 71 E8 F5 
8A D3 16 48 1E 02 56 D4 DB 2C 4C 5C 19 94 D4 8F 93 6F FA 57 83 77 FA 19 8D 0D C5 D4 51 D5 F0 A4 0A 15 8B 2D 11 C4 AF 43 87 EC 54 6C 4B C9 DB AB A3 37 EE 76 BC 05 37 88 7E F0 CE ED 08 99 E5 F3 4C 2A 39 C3 2D CB E5 FE A7 AD 33 09 77 6D 5F 5F 42 6E 57 27 C6 9A C3 03 6E D6 58 C4 C5 40 6D C3 77 26 4F C9 59 C1 6D E1 9B EE CD 6E FF 7F 3B E4 68 0E 51 97 80 56 50 B8 88 24 4A F2 D1 04 43 AC A3 C9 73 9F F2 FB 71 65 43 9C CA 23 BB D5 1E 25 7A 0A 7E AA A8 75 53 72 </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your corporate network locked! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> <h3>To restore files you will need a decryptor!</h3> <center>To get the decryptor you should:</center></br> <center>Pay for decrypt your network - 0.15 BTC </center></br> <div align="left"> <strong>Buy BTC on one of these sites</strong> </div> <div align="left"> <ol> <li><strong>https://binance.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>Any site you trust</strong></li> </ol> </div> <div align="left"> <h1><br> </h1> </div> <div align="left"> &#10004; Bitcoin Wallet: 3Pvn*************MLA5 <center> </center></br> <center> </center></br> &#10004; Our contacts: <center> </center></br> &#128386; email: [email protected] <center> </center></br> &#9998; ToxID: CA04B61C320C50D12A2C1B95B5062474B5C00B995B588D0B3781DC052CBF9A354CD10F96C84D <center> </center></br> &#9998; You can download TOXChat here : https://tox.chat/download.html <center> </center></br> The message must contain your Personal ID! it is at top of this document. 
<center> </center></br> <center> </center></br> <center> <span style="color: #FF4500;"> HOW IT WORKS.</span></p> </center></br> <div align="left"> <li> If you need a decrypter or return information, please contact us directly ! The guarantee of successful deals is only a direct contact! Don't shy... It's just business for us and we are always ready for polite and mutually beneficial communication. <center> </center></br> <center> <span style="color: #FF4500;">What's problem with intermediaries?!</span></p> </center></br> <div align="left"> <li> Very often intermediaries take money for themselves, it looks something like this: You turn to an intermediary for help, who promises you huge discounts and professional solutions to problems. Afterwards, intermediary contacts us to conduct a decrypt test, receives decrypted files, and then asks you to transfer money to a wallet not related to us. Having received money, intermediary assures client in every possible way that he did not receive decrypter or simply disappears with money. REMEMBER! - We only have wallet that is indicated in this html (first and last 4 characters) When transferring money to any other wallet, you are not transferring it to us. <div align="left"> <li> deception using various Universal Decryptors for 30% of cost or at a fixed price has become very common. With beautiful pictures or enticing videos on YouTube, where they will show you how it works "Universal Software" - which in reality does not work, but is a Trojan for stealing bitcoin or another cryptolocker, before installing something like that - test it on an isolated network computer and you can see that it is useless. Globeimposter 2.0 namely, this is what you see on your network :) can't be deciphered by anything! Besides original key... only one who created Build has key!- this is us. Contact real professionals like - https://www.bleepingcomputer.com/forums/, or any large anti-virus companies - - they can tell you all horror of situation. 
<div align="left"> <li> Considering above, we reserve right to request KYC confirmation. For example, send us a message from your corporate email on behalf of Company Director or IT department. We know their original emails - since we carefully study network before work :) By contacting directly, you can count on a friendly conversation, a business-like approach... and possibly a good discount (discount depends on many circumstances, size of company,size of ransom, our checks of your accounting, phase of the Moon, etc.) </center></br> <center> <span style="color: #FF4500;">WHAT HAPPENS IF YOU DON'T PAY</span></p> </center></br> <div align="left"> <li> In case of non-payment, we organize an auction on various sites in DarkNet and try to sell files leaked from your network to interested parties. <div align="left"> <li> Next, we use mail + any other contacts of your clients, and notify them of what happened, perhaps they will be interested so that information does not get into public domain and will be ready to buy out information separately. <div align="left"> <li> -If there are no willing to buy, we simply publish everything that we have in the public resources. </center></br> <center> <center> </center></br> <center>----------------------------------------------------------------------------- <center> </center></br> <center> </center></br> <center> </center></br> <center> &#169; 2024 Nacugunder Corporation | All Rights Reserved.</center></br> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
URLs

https://tox.chat/download.html

https://www.bleepingcomputer.com/forums/

Targets

    • Target

      446d6a5e6a87c510bd81e0cad36038a52c5314d0645d2442f2800e7fa4234607

    • Size

      58KB

    • MD5

      0fca1caea4c61d7c3f05ab8352a92e2e

    • SHA1

      2025242ebb4550134b34809faa3c0a9ecd8bf46e

    • SHA256

      446d6a5e6a87c510bd81e0cad36038a52c5314d0645d2442f2800e7fa4234607

    • SHA512

      0d9da9b042074dd1de16b2235160ed3ab77e347897a9c8859473b0ef6e117a585eef369c14f664145166fa7ac2bbf11253dd7e309b296b463157a639bfdbd334

    • SSDEEP

      1536:esljkfV+KJolntwrbDSTWvTwhQMhmpdLriLmZZhi:T4fIKJolntGDT5qm3LeLYhi

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Globeimposter family

    • Renames multiple (9034) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

MITRE ATT&CK Enterprise v16

Tasks