2017-08-02 - GLOBEIMPOSTER RANSOMWARE (.726 FILE EXTENSION)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-08-02-GlobeImposter-ransomware-traffic.pcap.zip   185.6 kB (185,553 bytes)
• 2017-08-02-GlobeImposter-email-tracker.csv.zip   0.9 kB (884 bytes)
• 2017-08-02-GlobeImposter-ransomware-emails-and-malware.zip   249.6 kB (249,590 bytes)

 

NOTES:

• Several people tweeting about this today on Twitter.
• Saw this malspam throughout the day, so I grabbed a few examples to document it.
• The malspam switched sometime on 2017-08-02 from VBS files to JavaScript (.js) files to download GlobeImposter.

 

EMAILS

Shown above:  Screenshot from one of today's emails.

6 SAMPLES FROM TODAY'S MALSPAM:

(Read: Date/Time   --   sending address (spoofed)   --   Subject   --   Attachment name)

• 2017-08-02 12:51:55 UTC   --   Tisha.698@gmail[.]com   --   Invoice NIC768729   --   nic768729.zip
• 2017-08-02 13:10:48 UTC   --   Lacy.655@gmail[.]com   --   Invoice NIC935097   --   nic935097.zip
• 2017-08-02 13:31:22 UTC   --   Tia.764@gmail[.]com   --   Invoice NIC068752   --   nic068752.zip
• 2017-08-02 16:50:46 UTC   --   Claire.205@gmail[.]com   --   Invoice NIC390643   --   nic390643.zip
• 2017-08-02 21:51:19 UTC   --   Kimberly.6759@gmail[.]com   --   Invoice NIC201542   --   nic201542.zip
• 2017-08-02 22:41:47 UTC   --   Molly.18@gmail[.]com   --   Invoice NIC396748   --   nic396748.zip

 

6 ATTACHMENTS FROM TODAY'S MALSPAM:

(Read: Attachment name   --   Extracted script file)

• nic768729.zip   --   VM977387632_20170802.vbs
• nic935097.zip   --   VM6921313254_20170802.vbs
• nic068752.zip   --   VM9160399795_20170802.vbs
• nic390643.zip   --   NIC423519.js
• nic201542.zip   --   NIC423520.js
• nic396748.zip   --   NIC423527.js

 

TRAFFIC

URLS GENERATED BY THE EXTRACTED SCRIPT FILES TO GET THE RANSOMWARE:

• akuboweb[.]com - GET /nv44f33f?
• benjamindiggles[.]com - GET/nv44f33f?
• conlin-boats[.]com - GET /nv44f33f?
• expeditiontiger[.]com - GET/nv44f33f?
• fly2[.]com.tw - GET /nv44f33f
• infinityscottsbluff[.]com - GET /nv44f33f?
• leapfrog-designs[.]com - GET /nv44f33f
• saborplus[.]pt - GET/nv44f33f?
• scoot-mail[.]net - GET /nv44f33f?
• trredfcjrottrdtwwq[.]net - GET /af/nv44f33f
• twi-emailer[.]nl - GET /nv44f33f?
• yourlocalsearch[.]ca - GET /nv44f33f?

 

POST-INFECTION TRAFFIC WHEN CHECKING THE DECRYPTION INSTRUCTIONS:

• n224ezvhg4sgyamb[.]onion - GET /efwdaq.php
• 198.23.241[.]227 – serv1[.]xyz - GET /counter.php?nu=105&fb=726

 

SHA256 HASHES

FILE ATTACHMENTS (ZIP ARCHIVES):

• 63a87bbae7cec32e50b78b295831b18ef2cea67054ea3589d3a2dd874bcbeb95 - nic068752.zip
• 0f61d20cfd80cebb4495287bab04f879032630f8362505fbf7cc5a066327d360 - nic201542.zip
• 1ee14afbc027fa411b928b460db7376f0d507fd0da7b9544cec0681cefc46bdd - nic390643.zip
• 9c46df61ae78552af6f2f30385a54c54a8bb365ec3ac1a858f21243268f5ca22 - nic396748.zip
• 21b6a8acc8a8a95a3ebc4ccab06d87c86490a350029f623542b5ea560abf988b - nic768729.zip
• 76d81cd85bfd6d7a52cf456355f15e7094c0ef1f900664e658f4c8d7feb8973c - nic935097.zip

 

EXTRACTED SCRIPT FILES:

• cfd408fbcf00a5b37f4f7db711d8fc79c0fe81b8c8ccc4a4fec223e2305d6ba2 - NIC423519.js
• 00283ed12058969b05b1aac755775a7cfe5c140b5d225c650e4eb1654e4bf22c - NIC423520.js
• 58ef6e7f5b02a1f3e486f9c8be5c70303564aea2a52d0b4d04103bbb28a4ad1f - NIC423527.js
• b58561530eef94c20edf210d4aac5fcdc36c4722656b649317f40cbc366d6a24 - VM6921313254_20170802.vbs
• 94f22e8a4ca1ff0d3382816715297e6898074d7c7744a1818590491ae7b5241f - VM9160399795_20170802.vbs
• 3b5f00e1a6fd80fc990ba1f086034fcaae099d4963785d71458fec5aa25a2c72 - VM977387632_20170802.vbs

 

GLOBEIMPOSTER EXE BINARY DOWNLOADED BY SCRIPT FILES:

• SHA256 hash:  fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504
  File size:  293,888 bytes
  File description:  GlobeImposter sample from 2017-08-02 (caused .726 file extension)

 

IMAGES

Shown above:  Screenshot from the spreadsheet tracker.

 

Shown above:  Example of the attached zip archives containing a VBS file.

 

Shown above:  Example of the attached zip archives containing a JavaScript (.js) file.

 

Shown above:  Traffic seen during one of today's GlobeImposter ransomware infections.

 

Shown above:  Encrypted files all have a .726 file extension on an infected Windows host.

 

Shown above:  GlobeImposter decryption instructions.

 

Shown above:  GlobeImposter decryptor.

 

Click here to return to the main page.