2017-08-02 - MALSPAM PUSHING GLOBEIMPOSTER RANSOMWARE (726 FILE EXTENSION)

ASSOCIATED FILES:


NOTES:


EMAILS


Shown above: Screenshot from one of today's emails.

6 SAMPLES FROM TODAY'S MALSPAM:

(Read: Date/Time   --   sending address (spoofed)   --   Subject   --   Attachment name)


6 ATTACHMENTS FROM TODAY'S MALSPAM:

(Read: Attachment name   --   Extracted script file)


TRAFFIC

URLS GENERATED BY THE EXTRACTED SCRIPT FILES TO GET THE RANSOMWARE:


POST-INFECTION TRAFFIC WHEN CHECKING THE DECRYPTION INSTRUCTIONS:


SHA256 HASHES

FILE ATTACHMENTS (ZIP ARCHIVES):


EXTRACTED SCRIPT FILES:


GLOBEIMPOSTER EXE BINARY DOWNLOADED BY SCRIPT FILES:


IMAGES


Shown above: Screenshot from the spreadsheet tracker.



Shown above: Example of the attached zip archives containing a VBS file.



Shown above: Example of the attached zip archives containing a JavaScript (.js) file.



Shown above: Traffic seen during one of today's GlobeImposter infections.



Shown above: Encrypted files all have a ..726 file extension on an infected Windows host.



Shown above: GlobeImposter decryption instructions.



Shown above: GlobeImposter decryptor.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
