SYMBOLCOMMON_NAMEaka. SYNONYMS
win.globeimposter (Back to overview)

GlobeImposter

aka: Fake Globe
VTCollection     URLhaus      

GlobeImposter is a ransomware application which is mainly distributed via "blank slate" spam (the spam has no message content and an attached ZIP file), exploits, malicious advertising, fake updates, and repacked installers. GlobeImposter mimics the Globe ransomware family.
This malware may prevent execution of Anti-Virus solutions and other OS related security features and may prevent system restoration.

References
2023-03-08AhnLabASEC
GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP
GlobeImposter MedusaLocker
2023-02-15SentinelOneJim Walter
Recent TZW Campaigns Revealed As Part of GlobeImposter Malware Family
GlobeImposter
2021-12-28AhnLabASEC Analysis Team
Cases of Lockis ransomware infection
GlobeImposter
2021-04-27CrowdStrikeEben Kaplan, Josh Dalman, Kamil Janton
Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER
2020-06-22CERT-FRCERT-FR
Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-05-21Intel 471Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-25RSA ConferenceJoel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-17SecureworksKeita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020-01-01SecureworksSecureWorks
GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER
2018-08-30360 Total SecurityElley
GlobeImposter which has more than 20 variants, is still wildly growing
GlobeImposter
2018-03-07InfoSec Handlers Diary BlogBrad Duncan
Ransomware news: GlobeImposter gets a facelift, GandCrab is still out there
Gandcrab GlobeImposter
2018-01-16enSiloAlon Hadar
GlobeImposter Ransomware
GlobeImposter
2018-01-15AcronisAcronis Security
GlobeImposter ransomware: A holiday gift from the Necurs botnet
GlobeImposter
2018-01-12ProofpointProofpoint Staff
Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2018-01-01Group-IBGroup-IB
The evolution of ransomware and its distribution methods
GlobeImposter
2017-12-22Bleeping ComputerLawrence Abrams
New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway
GlobeImposter
2017-08-10PhishLabsAmanda Kline
Globe Imposter Ransomware Makes a New Run
GlobeImposter
2017-08-05FortinetXiaopeng Zhang
Analysis of New GlobeImposter Ransomware Variant
GlobeImposter
2016-12-23Emsisoft
Emsisoft Decryptor for GlobeImposter
GlobeImposter
Yara Rules
[TLP:WHITE] win_globeimposter_auto (20230808 | Detects win.globeimposter.)
rule win_globeimposter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.globeimposter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c1e810 8bca c1e908 23c7 23cf }
            // n = 5, score = 700
            //   c1e810               | shr                 eax, 0x10
            //   8bca                 | mov                 ecx, edx
            //   c1e908               | shr                 ecx, 8
            //   23c7                 | and                 eax, edi
            //   23cf                 | and                 ecx, edi

        $sequence_1 = { 6a0c 5f eb0d 3d96000000 1bff }
            // n = 5, score = 700
            //   6a0c                 | push                0xc
            //   5f                   | pop                 edi
            //   eb0d                 | jmp                 0xf
            //   3d96000000           | cmp                 eax, 0x96
            //   1bff                 | sbb                 edi, edi

        $sequence_2 = { 8b4508 8b4e08 89442418 85ff 7452 }
            // n = 5, score = 700
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   85ff                 | test                edi, edi
            //   7452                 | je                  0x54

        $sequence_3 = { 0fd4cd 0f6e6f10 0fd4d5 0f7e4f08 0f73d120 0fd4cf 0f6e6f14 }
            // n = 7, score = 700
            //   0fd4cd               | paddq               mm1, mm5
            //   0f6e6f10             | movd                mm5, dword ptr [edi + 0x10]
            //   0fd4d5               | paddq               mm2, mm5
            //   0f7e4f08             | movd                dword ptr [edi + 8], mm1
            //   0f73d120             | psrlq               mm1, 0x20
            //   0fd4cf               | paddq               mm1, mm7
            //   0f6e6f14             | movd                mm5, dword ptr [edi + 0x14]

        $sequence_4 = { 6a02 57 57 6800000040 8d85fcefffff }
            // n = 5, score = 700
            //   6a02                 | push                2
            //   57                   | push                edi
            //   57                   | push                edi
            //   6800000040           | push                0x40000000
            //   8d85fcefffff         | lea                 eax, [ebp - 0x1004]

        $sequence_5 = { 0fd4cb 0f6e16 0ff4d0 0f6e6604 }
            // n = 4, score = 700
            //   0fd4cb               | paddq               mm1, mm3
            //   0f6e16               | movd                mm2, dword ptr [esi]
            //   0ff4d0               | pmuludq             mm2, mm0
            //   0f6e6604             | movd                mm4, dword ptr [esi + 4]

        $sequence_6 = { 83c0fc 3918 7506 83e804 4f 75f6 }
            // n = 6, score = 700
            //   83c0fc               | add                 eax, -4
            //   3918                 | cmp                 dword ptr [eax], ebx
            //   7506                 | jne                 8
            //   83e804               | sub                 eax, 4
            //   4f                   | dec                 edi
            //   75f6                 | jne                 0xfffffff8

        $sequence_7 = { 83c104 f7db 75d7 5f 5b }
            // n = 5, score = 700
            //   83c104               | add                 ecx, 4
            //   f7db                 | neg                 ebx
            //   75d7                 | jne                 0xffffffd9
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        $sequence_8 = { 8bf0 8b06 8d7604 0119 3919 }
            // n = 5, score = 700
            //   8bf0                 | mov                 esi, eax
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d7604               | lea                 esi, [esi + 4]
            //   0119                 | add                 dword ptr [ecx], ebx
            //   3919                 | cmp                 dword ptr [ecx], ebx

        $sequence_9 = { 8bc7 f7f6 33d2 0fafc6 2bf8 }
            // n = 5, score = 700
            //   8bc7                 | mov                 eax, edi
            //   f7f6                 | div                 esi
            //   33d2                 | xor                 edx, edx
            //   0fafc6               | imul                eax, esi
            //   2bf8                 | sub                 edi, eax

    condition:
        7 of them and filesize < 327680
}
Download all Yara Rules