MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GlobeImposter


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde
SHA3-384 hash: 4cb3f843f22c404178756f34a0b97e44767bc15bdc66afa2a6f0a9e8b30445297ffe3631b4d3e8cfb7672fb30d17fb67
SHA1 hash: d4b3b403b95d50a2feefa046441600e488b941f4
MD5 hash: e4e439fc5ade188ba2c69367ba6731b6
humanhash: cardinal-mango-michigan-princess
File name:39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.bin
Download: download sample
Signature GlobeImposter
Create hunting rule
File size:52'224 bytes
First seen:2021-12-23 23:35:08 UTC
Last seen:2021-12-23 23:35:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ba2ce247fa49357770ce28f139e2f1ab (17 x GlobeImposter)
ssdeep 768:CJvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5mGg:ieytM3alnawrRIwxVSHMweio3MGg
Threatray 9 similar samples on MalwareBazaar
TLSH T162336C83B98346F1F7E3117D5A2B370EA295FB2C0469DA6BC7950C47DE3024362396E5
Reporter Arkbird_SOLG
Tags:exe GlobeImposter Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
904
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.bin
Verdict:
Malicious activity
Analysis date:
2021-12-23 23:37:29 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/5ff9f359-6416-4f92-8cef-8d8c974bb654

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216050/
Detection(s):
Win.Ransomware.Globeimposter-6991673-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Changing a file
Moving a recently created file
Modifying an executable file
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Sending a custom TCP request
DNS request
Moving a file to the %temp% directory
Setting a single autorun event
Creating a file in the mass storage device
Stealing user critical data
Encrypting user's files
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3047/overview
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Link:
https://www.filescan.io/uploads/61c507e6ec6c6c14a9ed9ddb/reports/b9d7e3c0-8c5c-4e19-a60a-d6538580b287/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Globeimposter
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf6599c1-51eb-4228-882b-694c8b379ba5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/912235
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Behaviour
Behavior Graph:
Download SVG
Detection:
globeimposter
Create hunting rule
Link:
https://mwdb.cert.pl/sample/39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde/
Threat name:
Win32.Ransomware.FileCoder
Create hunting rule
Status:
Malicious
First seen:
2021-12-23 23:36:16 UTC
File Type:
PE (Exe)
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hh23mami2siznzwbajy2bbfhkx4vkmmqrgcdrmkra7g3sufexppa._file
Verdict:
malicious
Similar samples:
15e8c986c4602c61a474b51d250e03d5bb178eabc8c5a82a242c1a0fa2227704
GlobeImposter
21766e51afd193a59b8b32f38d7f852022ee58348537be2fa7620773df237f77
GlobeImposter
37ff5b1492fe4e1083bdc87df3524d4ac7b5b604e71dfca3730a6527d3bb7d2a
GlobeImposter
60b28ad78be40bbc9d08b91b21c5d4e07c6952f5be5e32eacee6d055e0279b12
GlobeImposter
70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d
GlobeImposter
9add64c3f617392ec57bb083513237bdb50113bf908883aaa40894d6499ba8db
GlobeImposter
d03c843490124f40cf12e9cf9ceb3435d564b4b58ad6eecc04046476dc27d29a
GlobeImposter
daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e
GlobeImposter
Result
Malware family:
globeimposter
Create hunting rule
Score:
  10/10
Tags:
family:globeimposter persistence ransomware spyware stealer
Link:
https://tria.ge/reports/211223-3lk55sbgh8/
Behaviour
Drops file in Program Files directory
Adds Run key to start application
Drops desktop.ini file(s)
Reads user/profile data of web browsers
Modifies extensions of user files
GlobeImposter
Unpacked files
SH256 hash:
211a55ca6335d09ff783df33effab1066115152e903c851286ee12ad76556773
MD5 hash:
9008feac02909a1ecf8714a73d961b08
SHA1 hash:
33378171fedbe881f787f7156962738c9131bc69
Link:
https://www.unpac.me/results/c297e54c-6dcc-42a6-95ee-2413a534f31b/
SH256 hash:
39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde
MD5 hash:
e4e439fc5ade188ba2c69367ba6731b6
SHA1 hash:
d4b3b403b95d50a2feefa046441600e488b941f4
Detections:
win_globeimposter_auto
Create hunting rule
Link:
https://www.unpac.me/results/c297e54c-6dcc-42a6-95ee-2413a534f31b/
Parent samples :
36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd
39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/39f5b60188d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
Link:
https://yomi.yoroi.company/submissions/39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_globeimposter_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.globeimposter.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GlobeImposter

Executable exe 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd

GlobeImposter

Executable exe 39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde

(this sample)

  
Dropped by
SHA256 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd
  
URLhaus
https://urlhaus.abuse.ch/url/1874086/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/216050/

Comments