2017-09-04 - GLOBEIMPOSTER RANSOMWARE (..TXT FILE EXTENSIONS)
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-09-04-GlobeImposter-ransomware-infection.pcap.zip 256.3 kB (256,302 bytes)
- 2017-09-04-GlobeImposter-malspam-tracker.csv.zip 1.2 kB (1,229 bytes)
- 2017-09-04-GlobeImposter-ransomware-emails-and-malware.zip 406.3 kB (406,297 bytes)
NOTES:
- Gather here are 10 examples of malicious spam (malspam) from Monday 2017-09-04 pushing GlobeImposter ransomware.
- Many have already seen examples and tweeted about this.
EMAILS
Shown above: Screenshot from one of today's emails in the first wave.
Shown above: Screenshot from one of today's emails in the second wave.
FIRST WAVE:
- From: [random first and last name] <messaging-service@post.xero[.]com>
- Subject: Invoice INV-00031 from Property Lagoon Limited for Gleneagles Equestrian Centre
- Subject: Invoice INV-00024 from Property Lagoon Limited for Gleneagles Equestrian Centre
- Subject: Invoice INV-00011 from Property Lagoon Limited for Gleneagles Equestrian Centre
- Subject: Invoice INV-000757 from Property Lagoon Limited for Gleneagles Equestrian Centre
- Subject: Invoice INV-00077 from Property Lagoon Limited for Gleneagles Equestrian Centre
SECOND WAVE:
- From: billing@true-telecom[.]com
- Subject: 62403078 - True Telecom Invoice for August 2017
- Subject: 52838405 - True Telecom Invoice for August 2017
- Subject: 46483802 - True Telecom Invoice for August 2017
- Subject: 75117968 - True Telecom Invoice for August 2017
- Subject: 46483802 - True Telecom Invoice for August 2017
Shown above: An attachment from one of today's emails in the first wave.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS FROM THE EMAILS TO DOWNLOAD 7-ZIP ARCHIVE:
- aac-autoecole[.]com - GET /2017-08-42007004-Bill.7z
- activ-conduite[.]eu - GET /2017-08-42007004-Bill.7z
- allsexfinder[.]com - GET /INV-00022.7z
- autoecolecarnot[.]com - GET /2017-08-42007004-Bill.7z
- brandingforbuyout[.]com - GET /INV-00022.7z
- dev.lowndespartnership[.]co[.]uk - GET /INV-00022.7z
- montessibooks[.]com - GET /2017-08-42007004-Bill.7z
- ostiavolleyclub[.]it - GET /INV-00022.7z
- rogames[.]ro - GET /2017-08-42007004-Bill.7z
- studiotoscanosrl[.]it - GET /2017-08-42007004-Bill.7z
- weekendjevliegen[.]nl - GET /2017-08-42007004-Bill.7z
- yamanashi-jyujin[.]jp - GET /INV-00022.7z
URLS TO DOWNLOAD GLOBEIMPOSTER RANSOMWARE:
- animatoon[.]be - GET /JIKJHgft?
- aquavista[.]org[.]nz - GET /JIKJHgft?
- awholeblueworld[.]com - GET /JIKJHgft?
- brownpa[.]net - GET /JIKJHgft?
- cabbiemail[.]com - GET /JIKJHgft?
- clubdeautores[.]es - GET /JIKJHgft?
- dueeffepromotion[.]com - GET /JIKJHgft?
- hellonwheelsthemovie[.]com - GET /JIKJHgft?
- jimaylor[.]net - GET /JIKJHgft?
- m-tensou[.]net - GET /JIKJHgft?
- naturofind[.]org/p66 - GET /JIKJHgft
- n1xua[.]com - GET /JIKJHgft?
- prescottinternet[.]net - GET /JIKJHgft?
- qxr33qxr[.]com - GET /JIKJHgft?
- uvitacr[.]com - GET /JIKJHgft?
- world-tour2000[.]com - GET /JIKJHgft?
DOMAINS/URLS ASSOCIATED WITH THE POST-INFECTION TRAFFIC:
- summi[.]space
- n224ezvhg4sgyamb[.]onion - GET /sup.php
SHA256 HASHES
tATTACHMENTS OR FILES DOWNLOADED FROM EMAIL LINKS (7-ZIP ARCHIVES):
- d37a63c7aae785fb712ffe3b449493f103730b28b40b693dac383407bcfea715 - 2017-08-42007004-Bill.7z
- 46b565c7c71e97d78d8a386dbcc9a5fea9fcd00580ae6a36e0ac819aa882a7f6 - 2017-08-46483802-Bill.7z
- 7bb4204d103eafd78402f6c2574c7db4ecc0508fbcc07425912827f4721458a9 - 2017-08-49668113-Bill.7z
- 60b6f8dade147659b677373a0ac4397df0e20399d2f15ed4a8a507810ebab1e9 - 2017-08-52838405-Bill.7z
- 8173a961cce2022ab961d2915dc6e520868bc5dc6708b0028ebe5e1b8a1b6ca9 - 2017-08-62403078-Bill.7z
- 654c207016188074ed6087b9c03c678437855418166d488f87210407715d4c1b - 2017-08-75117968-Bill.7z
- 133ea29b57557971961634ae8e478c475b7fae796607a88b100f014d9ad53888 - INV-00022.7z
- dc015e4d0677fabf508f34db3dd1c3f7a8a21b9646f1d2da37a2c2ef14cc6441 - Invoice INV-00011.7z
- d9c2b465d78843894f47a800146acbe90b68fc3baae2f0ae29a9ef0030806d72 - Invoice INV-00024.7z
- c72623f685d4b8a9495d9dacb25cd8cdf702a6bb84b5f95392c0c34a8c4b4e3f - Invoice INV-00031.7z
- b8cb0014419bd473aeaa365ac057ab9c5e196d44ea3601630d3177346f46b627 - Invoice INV-000757.7z
- e33624b52f8c3e9bab0debf9a204189fe16368837063472766387d2381ecfa35 - Invoice INV-00077.7z
EXTRACTED VBS FILES:
- 02d21039f8a1ffe8788edca8d01acd1f6d0561826322089ce64d37ee173bcfe2 - 2017-08-22312958-Bill.vbs
- 5c6df934315ae00fd743316bb7fb9eaa6d92d4eebf6c2143cdc2ec104d66b111 - 2017-08-38858815-Bill.vbs
- 39256f126bba17770310c2115586b9f22b858cf15c43ab36bd7cfb18ad63a0c2 - 2017-08-42007004-Bill.vbs
- a93b0a27fb994d3ad87fd86b0a43c93544b6b19fbad7a168ffa5106281a53532 - 2017-08-57344042-Bill.vbs
- 14f4aeedf83280c6ae57300e88c30f1594f9f4a3062cf6d757ff0a527a5fe28c - 2017-08-62810134-Bill.vbs
- c7a9b86a4d0c4e8771e07c04acd7cdb919e7942c6a4591a80d14c10044a80c6c - 2017-08-66176566-Bill.vbs
- 544ee491d507cef91c68e3cd71ff5201a3b57b98fe3b4fa5191e78e6984cd754 - INV-000176.vbs
- 6324a66785b164fa41fc43d7fb181d45a1d63de706eb78b1fde83904015db3fc - INV-000202.vbs
- 0f6ae637a9d15503a0af42be649388f01f8637ca16b15526e318a94b7f34bf6e - INV-00022.vbs
- 2d2412670ad4e59dc67fdfaa4c37e93f5c71ba4c8ed0b4dfabae032e939cdb99 - INV-000471.vbs
- ff86b878d7a458fb54c67aad2bb3eea0fa688992bf9e756670483a704669f1d9 - INV-000751.vbs
- be16144c57d8161b93551bf73b39ad03d43c0139ab2040b84fe0318504ec166e - INV-000913.vbs
GLOBEIMPOSTER EXE SAMPLE DOWNLOADED BY VBS FILES:
- SHA256 hash: bb1df4a93fc27c54c78f84323e0ea7bb2b54469893150e3ea991826c81b56f47
File size: 253,440 bytes
File description: GlobeImposter sample from 2017-09-04
IMAGES
Shown above: All encrypted files ended with ..txt.
Shown above: Tor URL from the decryption instructions.
Shown above: Freshdesk support ticket the criminals are using, so you can send them a sample to decrypt.
Click here to return to the main page.